Email security risks are increasing at an alarming pace. Inadequate email security is one of the greatest dangers for organizations worldwide.
How can you prepare your organization for the email security risks of 2023? In this article, we review email security snafus, tips and strategies that you can apply right away.
15 email security risks and mitigation
1. Phishing. Nearly 50% of CISOs and CIOs rank phishing as their #1 cyber security concern. In one survey, 77% of businesses stated that they expected to be the victim of email fraud within the next year. Ensure that your organization deploys top-tier anti-phishing solutions. Such solutions can zero in on red flags that indicate phishing emails and can block malicious content from reaching recipients’ inboxes. The deployment of anti-phishing solutions helps minimize the risk of employees accidentally clicking on phishing scams and letting hackers into your perimeter.
2. Business email compromise. As you know, business email compromise (BEC) scams are a specific type of phishing email. In BEC scams, a cyber criminal will impersonate an executive in the organization, and instruct an employee to transfer funds to an attacker-controlled account. In 2022, organizations lost $2.4 billion due to BEC scams. Unless organizations take action, 2023 could be the same or yield even worse outcomes.
To prevent employees from falling for BEC scams, enable multi-factor authentication for business email accounts. In addition, create a standard operating procedure where employees must confirm an email request for a wire transfer either face-to-face or with a phone call. If the latter, the employees must use previously known phone numbers, not the phone numbers provided in the potentially malicious email.
Employees should also be advised to look out for sudden alterations in vendor practices. For instance, a request from a vendor to suddenly defer to a personal email account instead of a business email account could indicate a possible fraud attempt by a cyber criminal.
In the event that your organization is targeted with a BEC attack, connect with the correct colleagues, ensure that your organization alerts its financial institution, and file a complaint with IC3 (US only).
3. Social engineering. Cyber attackers deploy psychological manipulation techniques via email in order to coerce victims into revealing sensitive information, or into downloading malware. Because psychological manipulation (social engineering) exploits human thinking and nothing else, it’s a challenge to thwart.
Security products commonly focus on identifying and stopping emails containing known ‘red flags’. However, a subsection of email filtering tools can prevent these types of malicious emails from landing in inboxes via email filters that can catch spam and graymail.
Organizations are also advised to keep anti-virus and anti-malware tools updated. You may want to incorporate downloading the latest signatures into your daily security routine. Further, regularly inspect systems to ensure that updates have been applied. Also, scan systems for corresponding issues.
4. Even more phishing. Email security risks come in all shapes and sizes. As the phishing landscape continues to evolve, precisely what a phishing attack looks like will change over time – possibly to the point of being nearly unrecognizable as phishing.
The breadth and severity of phishing attacks is intense. Is phishing turning into its own type of computer-based pandemic?
Ensure that your employees receive phishing awareness training throughout the calendar year. Enable your employees to maintain the highest levels of phishing awareness possible.
5. Social media. Ahead of launching cyber attacks (particularly phishing attacks), cyber criminals tend to gather information about targeted persons via social media. One reason cyber criminals are often successful in their attacks is the volume of personal information about employees that’s freely available on social media.
Because unintentional oversharing of info on social media is rampant (particularly if employees joined Facebook in the early days of its existence), consider creating a best practice document around what employees should and shouldn’t post on social media. This can help reduce the probability of successful phishing attempts.
6. Domain squatting. This refers to a cyber criminal’s registration of a domain name that resembles a domain name belonging to a reputable organization. In these types of cases, the cyber criminal intends to profit from a well-known trademark.
Some criminals who engage in this type of trickery incorporate phishing into their schemes. They leverage the acquired domains in phishing emails to obtain the personal and/or corporate data of select individuals and/or other organizations.
With domain squatting, your organization could be impersonated. Prevent domain squatting by registering your domain as a trademark. Further, you might consider registering all possible versions of your domain name. This includes singular and plural versions. Also, be sure to purchase domain ownership protection.
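Registering variants only covers the names you thought of, so it helps to screen inbound sender domains for lookalikes as well. The following is an added example, not code from the original article; it goes beyond the registration advice above. The protected domain, the sample senders and the substitution table are constructed, and inputs are assumed to be already reduced to the registrable domain.

```python
# Added example; every domain below is constructed for illustration.
PROTECTED = {"northwind-parts.example"}  # hypothetical domain you own
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "5": "s"})

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]

def normalize(label):
    """Fold common look-alike characters so 'n0rth' compares equal to 'north'."""
    return label.translate(SUBSTITUTIONS).replace("rn", "m")

def classify(sender_domain, protected=PROTECTED):
    """Label a sender domain as legitimate, a lookalike, or unrelated."""
    sender = sender_domain.lower().rstrip(".")
    if sender in protected:
        return "legitimate"
    s_label = sender.rpartition(".")[0]
    for domain in protected:
        p_label = domain.rpartition(".")[0]
        if s_label == p_label:
            return f"lookalike of {domain}: same name, different TLD"
        if normalize(s_label) == normalize(p_label):
            return f"lookalike of {domain}: character substitution"
        # Distance 1 catches typos and singular/plural variants; short
        # labels may need an allowlist to avoid false positives.
        if osa_distance(s_label, p_label) <= 1:
            return f"lookalike of {domain}: one edit away"
    return "unrelated"

if __name__ == "__main__":
    for d in ("northwind-parts.example", "northwind-part.example",
              "n0rthwind-parts.example", "northwnid-parts.example",
              "northwind-parts.test", "harbor-freightline.example"):
        print(f"{d:32} {classify(d)}")
```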
7. Malware. As you know, the term ‘malware’ represents a broad array of email threats that are designed to disrupt business operations. The best way to combat existing and emerging email-based malware threats consists of adopting a multi-layered security approach. Consider investing in complete protection for all email workspaces, collaboration and file-sharing apps.
8. Ransomware. One of the most daunting email security risks is ransomware, which can freeze access to a company’s internal assets, and push companies to spend millions in order to regain access to data.
Prevention is the best defense. An email security solution should analyze attachments in a sandboxed environment to isolate never-before-seen malware (including ransomware) that may be embedded into a malicious email.
In addition, leverage strong spam filters and implement email authentication protocols, such as DMARC (Domain-based Message Authentication, Reporting and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail), in order to block spoofed emails that may carry ransomware.
9. Configuration errors. Email security risks can stem from failures to configure email servers or email services properly. A configuration error can lead to miscommunications with clients and business partners, and can also leave several backdoors wide open for cyber criminals. In turn, cyber criminals can potentially hijack your organization’s domain, and engage in other serious, nefarious activities.
The best way to prevent email server misconfigurations is to work with a third-party service or cyber security vendor in setting up your configuration. Sometimes, hiring a cyber security company is the most reliable way to go.
10. An agitated or double-employed employee. Someone who is upset about an aspect of the work environment, who is being paid by a competitor, or who is otherwise engaged in corporate espionage may pose a threat to your organization. In some instances, such employees have sent confidential information to outside email addresses.
These types of email security risks are tough to flag and even more challenging to stop. While not the most elegant solution, egregious and concerning violations of corporate confidentiality policies can be stopped by HR teams, who can temporarily suspend an employee’s access to business email services.
11. Vulnerabilities in email software. On occasion, vulnerabilities are baked into email software. The good news is that as soon as these vulnerabilities are identified, email service providers typically develop fixes and roll out patches. Be sure to install software patches as needed, which will strengthen your overall security posture.
12. Supply chain hijacking techniques. A 2021 survey found that 97% of organizations have previously been impacted by a breach in the supply chain. Beyond that, 93% stated that they suffered a breach due to suppliers’ security weaknesses. Your cyber security is only as good as your supply chain partners’ security.
To mitigate risk of supply chain attacks, including supply chain attacks through inbound emails, invest in email security that uses advanced AI to catch what other services might miss. For instance, Avanan’s technology automatically learns your organization’s list of suppliers and partners, auto-discovers the importance of individual partners to organizations, monitors traffic patterns, and dynamically assesses, updates and secures emails without any action required from cyber security professionals.
Not only does the Avanan technology show the risk of a potential supply chain attack, but it also stops these attacks from reaching employee inboxes. That’s due to inline protection. With a network of a million inboxes, Avanan can pick up on the earliest signals of a downstream supply chain attack.
13. Password security. One of the biggest email security risks pertains to password security. According to current NIST recommendations, password length, not password complexity, is key to password strength. Take the easy route and ensure longer passwords by asking employees to cobble together a series of words that create a ‘passphrase’. Such phrases are usually simple to remember and highly effective as security mechanisms. Passphrases help defend against hackers who leverage dictionary attacks in order to exploit weak passwords.
Another email security risk related to passwords consists of password reuse. As you well know, password reuse is particularly concerning when employees use the same passwords for both business and personal accounts. Gently remind employees of the need to use separate passwords for each account. To cut down on password problems, consider implementing single sign-on (SSO) where possible.
14. Public wi-fi. Cyber criminals are able to monitor all traffic sent between the user and the server on a public wi-fi network. A determined cyber attacker can easily track the users connected to the router of an unsecured public network and can parse information, inject malicious code into devices, or reset all passwords through an email inbox.
For your traveling employees who will occasionally have no choice but to use public wi-fi, ensure that they have a virtual private network (VPN). Tell employees to refrain from accessing sites that lack HTTPS encryption. In addition, encourage such employees to turn off sharing in public wi-fi locations. You might consider publishing an employee guide to public wi-fi and storing it in an easily accessible internal-only location for employees.
15. Brand impersonation. Last, but not least, one of the most frightening email security risks consists of brand impersonation. Either your brand could be impersonated, or your employees could receive malicious messaging from a brand that is being impersonated.
In Q3 of last year, Check Point ranked brands by their overall appearance in brand phishing attempts. The most commonly impersonated brands are: DHL, Microsoft, LinkedIn, Google, Netflix, WeTransfer, Walmart, WhatsApp, HSBC and Instagram.
Encourage your employees to be particularly cautious when engaging with emails that are purportedly from the aforementioned companies. The emails could be fake, and the email security risks could jeopardize the stability of your organization.
Mitigating email security risks
Email security risks are dynamic and daunting. Protecting inboxes is absolutely essential for the continued business success of any organization.
To secure your employee inboxes and limit email security risks, start with the tips above. For more insights into email security, please see CyberTalk.org’s past coverage.