According to the State of Email Security 2020 report, businesses have seen a 56% increase in email phishing incidents in recent months, and 60% of organisations believe there is no foreseeable decrease in email attacks, expecting to be the target of an email compromise at some point this year.
These statistics reflect the wider context behind the increasing effectiveness and accessibility of email attacks. With the pandemic disrupting workforces across the globe and forcing individuals to work from home, compromising email security has been easier than ever. Users are operating in less controlled environments, on multiple and less controlled devices, and are less inclined to uphold good security practices from the comfort of their own home. Neglecting to behave in a responsible, security-conscious manner exposes users and their entire organisation to email compromise and potentially severe loss and damage.
Top 4 Threats for Email Security
When users are lax with their email security practices, email becomes an even more accessible point of entry for malicious cyber-actors. Top threats include:
Email Phishing
These attacks are popular because they are easy and cheap to deploy. Email phishing requires the cyber-actor to disguise the sending address as that of a trustworthy individual or entity. Phishing aims to obtain credentials and other sensitive data such as banking or account details. These emails can also contain links to fraudulent sites that encourage users to type in usernames and passwords or make payments.
Spear Phishing
Spear phishing is a more customised and researched approach. A cybercriminal may collect information from a colleague's social media profile or past emails to craft a seemingly legitimate email sent from what appears to be a dependable source. The victim assumes the email is coming from a reputable sender and is more likely to open attachments or provide credentials.
Business Email Compromise (BEC)
Like spear phishing, BEC involves more effort and research to compose an outwardly legitimate email. Financial managers are often the target, as cybercriminals compromise the email account of an executive manager and request the transfer of funds to the attacker's account. The Japanese media enterprise Nikkei fell victim to BEC last September: an employee from Nikkei America transferred $29 million to an attacker posing as the parent company's executive manager.
Malware and Ransomware
Cyber-actors insert malware into emails via downloadable attachments and links. Ransomware attacks are also commonly deployed: cybercriminals encrypt a victim's files and negotiate a monetary transfer in return for this critical data.
Security Best Practices to Reduce Email Attacks
Implement Security Awareness Training.
As we discussed in a recent blog post, security awareness training (SAT) is a great way to strengthen your security defences. We can assist you with implementing SAT as a managed service. This involves running blind phishing campaigns that establish your baseline, then uplifting your security posture through continuous reporting and testing.
We can assist you in deciding a suitable security awareness training solution for your organisation. If you are interested in learning more, please contact one of our cybersecurity specialists.
Enforce a strong password policy.
A good password policy sets complexity requirements, and users should be encouraged to meet them. Good password hygiene helps secure email accounts and improves the general security of an organisation.
Invest in an email gateway solution.
Safeguard your environment with an email gateway solution. Email gateways monitor both inbound and outbound emails for spam, malware, viruses and other fraudulent content. They prevent the transmission of malicious content and allow security teams, as well as individuals, to review traffic before emails are released.
Proceed with caution.
Take time to read an email carefully before you act on it. Look out for incorrect spelling or a sender using language that is out of the ordinary. If a colleague typically refers to you by a nickname and instead greets you using your full name, act cautiously and query their request in person. In addition, check that the email was sent from a trusted domain and question the urgency behind specific requests.
Do not click links in emails, especially from unknown senders.
If a suspicious email does bypass your email gateway solution, read the email preview and only hover over links (without clicking) to check where they actually lead.
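The manual checks described above (is the sender's domain trusted or merely a lookalike, does the subject push urgency, does a link's visible text match where it really points) can be automated as a first-pass triage before a person reads the message. The following script is an added example written for this post, not the vendor's product or code from the page; the trusted-domain list, the sample message and the urgency word list are all constructed here for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains this organisation treats as trusted senders.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample message: lookalike sender domain (examp1e.com),
# urgent subject line, and a link whose visible text hides its real target.
SAMPLE_EMAIL = b"""From: "Finance Team" <finance@examp1e.com>
To: staff@example.com
Subject: URGENT: overdue invoice, pay immediately
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please settle this invoice today:
<a href="http://pay.examp1e.com/invoice">https://example.com/invoices/4471</a></p>
</body></html>
"""

# Constructed: words that commonly signal manufactured urgency.
URGENCY_WORDS = ("urgent", "immediately", "today", "overdue", "wire")


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted or lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg):
    """Domain of the address in the From header, lower-cased."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def domain_finding(domain):
    """'trusted', 'lookalike of <trusted>' (within 2 edits), or 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return f"lookalike of {trusted}"
    return "unknown"


def link_findings(html):
    """Flag links whose visible text names a different host than the real href."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


def scrutinise(raw_bytes):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    verdict = domain_finding(domain)
    if verdict != "trusted":
        findings.append(f"sender domain {domain} is {verdict}")
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content()))
    return findings


if __name__ == "__main__":
    for warning in scrutinise(SAMPLE_EMAIL):
        print("WARN:", warning)
```

The edit-distance threshold of 2 is deliberately loose: it catches single-character swaps such as "l" for "1" but will also produce false positives on short domains, so treat the output as a prompt for the verification-by-another-channel step below rather than as a verdict.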
Double-check requests with employees.
Verify an email's subject matter and any demands with the sender via another means of communication. If you are suspicious of an email's intentions, call or speak with the employee, supplier or manager to confirm in person.
Avoid disclosing critical information via email.
It is good to be wary, but do not let security impede productivity. Scrutinise emails in accordance with your email security policy and the practices above, and check which communication channels are more suitable for sharing different types of information.
As we have previously mentioned, there is no one-size-fits-all solution for every business. All businesses should consider a multi-layered approach. This entails implementing the appropriate controls at an enterprise level and ensuring individual users act judiciously in accordance with security policies and procedures.
We can assist you in implementing email security solutions. For more information, please contact us.