10 Steps to Mitigate Email Security Risks
With the number of public email security risks, hacks, and misfires, you’re not the only person wondering “Is it time to reduce reliance on email?”
There is no doubt that there are more collaborative options on the market. And it’s common for frequent users of tools like Microsoft Teams to preach the productivity benefits. But, the most pressing concern for IT Managers remains security.
Are these alternative tools more, less, or just as secure as email? And if email security is such a problem, how do you address it without ripping out the communication hub of your company?
In this post, we’ll provide detail on the following:
- Are emails secure?
- What are the top 10 risks of email?
- What is phishing?
- What are examples of phishing?
- Why phishing is dangerous
- Types of email security
Are emails secure?
Most emails are encrypted in transit. This means the process of sending an email is safe during transmission. Technically, nobody can view your email during the send/receive process.
Because of this, we tend to think of emails as the most secure method of written communication.
Andra Zaharia, cybersecurity expert and marketer, explains why we view email as a fundamental layer, and not just because it's old and reliable.
“There are tons of security layers designed to protect email, but it's also a major component of our digital identity. Sharing passwords, data, and collaborating on sensitive stuff on free Slack tiers (and some other platforms) is much more dangerous because it lacks the robustness and risk mitigation layers email has.”
But, when emails are static - i.e. not being sent from one account to another - they are stored as text. This means that the sender, receiver, and even third parties like the email provider themselves can read your emails.
While this may sound intrusive, when you sign up to any email account, you’re accepting terms and conditions that stipulate the reasons why third parties may need to read your email. These are for your security too.
So, with the only people needing access to your emails doing so for good reasons, you might think emails are secure, right?
Well, not so much according to the Federal Bureau of Investigation (FBI).
According to the FBI, phishing is the most common route that criminals use to infiltrate an organisation. There were 1,100% more complaints about it in 2021 compared to 2016, and over $2 billion lost in US businesses alone.
Often, users of services like Microsoft 365 assume email security is baked into the package. And it is - but only to an extent.
Is email secure?
Tom Arbuthnot, a Microsoft MVP, explains how email is not as secure as we think and that there are still things to look out for:
“If the specific question is “is email secure?” then this question is usually inferring can people outside the intended audience access or change the content?
By default, email is encrypted in transit between users within the same provider. So if all users are on Gmail or Microsoft 365, it is encrypted in transit.”
Here’s a simplified diagram showing Microsoft 365 email encryption:
Tom continues: “With a group of users over different providers, email is not secure in transit so it will travel across the internet unencrypted as if it was written on a postcard.
Anyone can read it or the contents, including files, en route. By default, it is easy for the receiver to take the content, share it again or forward it, either accidentally or intentionally. This is often the bigger security concern.
Email systems like Microsoft 365 do allow you to use Information Rights Management (IRM) to both encrypt and also apply usage restrictions to email messages.
For example, users can receive a message but not forward it or screenshot it (of course they can always get out their camera phone, a challenge for all types of communication really).
If using email to collaborate on a document, it would always be best to share a link to content, for example to OneDrive, where you can choose exactly who can see and contribute to the content and even, if it is a Microsoft Office Document, if the user can download it or not. You can also later revoke access.
Finally, it's important to protect the way your users access email.
Like any online tool, they should be using multi-factor authentication. It's no good encrypting email in transit or at rest if someone is able to login with a valid user identity and access the contents.”
So, if the risks don’t necessarily lie in who is reading your email once it’s finished sending and receiving, what are the biggest email security risks we face today?
What are the top 10 risks of email?
1 - False sense of security
Andra Zaharia, cybersecurity expert and marketer, highlights how gaps in email security lead to overtrust in inboxes and a lapse in protection of our email accounts.
“As email users, we all have a false sense of safety about our inboxes, which ethical hacker James Linton dubs Inbox Hypnotism™. So glaring gaps in email security make it even easier for cybercriminals to exploit our inherent trust in our inboxes through misleading elements that manipulate our perception and actions. The biggest risk subpar email protection creates is that it exposes one of the most trusted layers in the organization which always unlocks access to the most valuable assets attackers target (data or $$$).”
2 - Potential forgery
Unlike with “wet” signatures, providing an email signature on a document is a quick task that saves on postage, effort, and time.
Tools like EchoSign and DocuSign exist to make the process of sending and signing professional documents and contracts a slick process.
While these tools are efficient and secure (to a point), there’s the potential for your documentation to fall into the wrong hands.
Even the simplest typo in an email address or the wrong address copied and pasted can send your document to a random party. This element of human error proves a security risk for businesses entering into online agreements. Incorrect recipients can easily agree to documents on behalf of other companies or individuals they aren’t affiliated with.
3 - Sending of private information
Email was designed to make written communications quicker and easier. And it’s achieved that goal to no end.
But, in some cases, it’s become too easy to share information that shouldn’t be shared with just anyone.
In a few clicks, and sometimes a few seconds, information that is stored in company file management systems can be downloaded and emailed to any third-party.
On a day-to-day basis, this is common practice. We share files we’ve been working on with contractors, suppliers, and customers.
But more often than you think, employees can just as easily share private information you’d rather not be sharing with competitors, former employees, or any other third party.
How long do you think this took to retrieve and compile?
4 - Ransomware
Ransomware is a form of malicious software that’s used to encrypt a victim’s files. The data is held hostage until the victim pays a ransom for it, typically in the form of cryptocurrency.
Ransomware remains one of the most serious email security threats. Cybercriminals send files or links that look legitimate, but once the victim interacts, the malware spreads quickly and locks you out. Ransomware attacks are usually well-coordinated and designed to affect entire networks instead of a single terminal.
The best defence against ransomware is a good data leak prevention strategy, including the regular patching and upgrading of all operating systems.
5 - Easy to click inappropriate links
Think back to any email you have classified as junk or spam.
How many of those were encouraging you to click a link of some kind?
If the answer is less than “most” then we’d be surprised.
This is the most basic level of email phishing. The simple act of sending an email (often to an entire organisation) is the easiest way in the door for cybercriminals.
Even the most savvy IT professional can be fooled by a carefully worded email and a well-spoofed email address.
We’ve seen phishing emails change from this:
To well-constructed emails impersonating large and trusted organizations like Amazon, Apple, and even Google.
Take a look at the example below to see how easy it is to create a Google-like email to entice unsuspecting email users.
6 - Browser exploit kits
Browser exploit kits are abused pieces of code that can often be found as links in emails. These web applications detect a victim's browser and then launch a web-based exploit to infect someone’s computer with malware.
Identity theft, data leakage, and access issues are all caused by emails carrying links that exploit Internet browser vulnerabilities. Ethical hackers are working hard to plug these exploits.
7 - File format exploits
Attackers have also been exploiting unpatched vulnerabilities in different file formats. When the documents used in this attack are opened, they ping an external server and download an application file that contains malicious code. The file is automatically executed.
File format vulnerabilities are one of the most serious and damaging email security risks facing businesses. These vulnerabilities are especially dangerous because they can affect several platforms. For example, a file format vulnerability in Adobe Acrobat might allow an attacker to create a PDF file that compromises Macintosh, Linux, and Windows systems.
8 - Business Email Compromise (BEC) or Spear phishing
BEC or spear phishing (scams targeted toward specific individuals or organisations) is a sophisticated effort to utilise social engineering. It involves attackers gaining access to the email account of a high-ranking company executive or forging their way in.
When carried out well, these emails are indistinguishable from genuine internal emails, which is why so many people fall for these kinds of attacks.
Make sure that employees are checking the sender’s information, and never download files or follow links coming from an unfamiliar personal account. If they are unsure, they should contact IT support.
9 - Domain squatting
This is the act of registering a domain name that resembles that of a reputable organisation, with the intent of profiting from a well-known trademark.
Some squatters go even further and incorporate phishing in their schemes. They use the acquired domains in phishing emails to obtain the personal and sensitive data of users and other organisations.
Prevent domain squatting by registering your domain as a trademark and purchasing domain ownership protection.
10 - Email phishing
One of the biggest threats to email security in recent years is phishing.
Let’s dig into what has become a rather complex issue for IT Managers to mitigate and manage.
What is phishing?
Phishing is when cybercriminals try to impersonate organisations and individuals with the goal of getting victims to provide private, sensitive, or valuable data and information.
Wikipedia defines phishing as a type of social engineering. It’s easier to explain phishing as setting an online trap for prey (email users) to fall into. The trap is often set as a form, link, or request for information.
Phishing can take many forms (email, SMS, voice, page hijacking). The most common example of phishing in business is email phishing.
Email phishing has been rife for well over a decade and is becoming harder to spot. To the naked eye, an email may appear legitimate.
Sometimes, the only giveaways are small discrepancies like G00gle instead of Google or Daviid@yourcompany.com instead of David@yourcompany.com.
If you had to read that twice, or missed that these were different spellings, that’s precisely how email phishing works.
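The lookalike spellings above, and the squatted domains described under "Domain squatting", can be flagged automatically at the mail gateway or in a triage script. The following is an added example, not code from the original article: the allow-lists, the digit-swap table, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-lists; a real deployment would load these from its directory.
TRUSTED_DOMAINS = {"google.com", "yourcompany.com"}
TRUSTED_ADDRESSES = {"david@yourcompany.com"}
DIGIT_SWAPS = str.maketrans("0135", "oles")  # digits used to imitate letters

def skeleton(text):
    """Lower-case, undo digit-for-letter swaps, collapse repeated characters."""
    text = text.lower().translate(DIGIT_SWAPS)
    return re.sub(r"(.)\1+", r"\1", text)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_match(value, trusted):
    """Return the trusted entry that `value` imitates, or None."""
    for good in trusted:
        if value != good and (skeleton(value) == skeleton(good)
                              or edit_distance(value, good) == 1):
            return good
    return None

def check_sender(raw_message):
    """Classify the From address as 'trusted', 'unknown', or a lookalike."""
    _, addr = parseaddr(message_from_string(raw_message)["From"] or "")
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    if addr in TRUSTED_ADDRESSES:
        return "trusted"
    hit = near_match(domain, TRUSTED_DOMAINS) or near_match(addr, TRUSTED_ADDRESSES)
    if hit:
        return f"lookalike of {hit}"
    return "trusted" if domain in TRUSTED_DOMAINS else "unknown"

# Constructed sample message (not a real email).
SAMPLE = "From: Google Security <alerts@g00gle.com>\nSubject: Verify\n\nClick here"
if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

This only catches near-miss spellings. An exact forgery of a trusted address passes the check, so it complements rather than replaces sender authentication.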
Often, email signatures include genuine logos that can be downloaded from the internet - and even real employee names sourced from sites like LinkedIn.
The more convincing the email, the easier it is for it to slip under the radar.
As email phishing has become harder to spot and control, it’s not just small businesses that are being (successfully) preyed on.
What are examples of phishing?
There have been some high-profile examples of businesses falling foul of email phishing.
Look no further than two of the most powerful companies online: Facebook and Google.
Between 2013 and 2015, Facebook and Google were tricked out of $100 million due to an email phishing campaign. In this scenario, the scammer learned of a supplier that regularly invoices both companies.
By creating and sending fake invoices, over $100 million was lost to an illegitimate company for pretend services. Proof that even the largest companies can be prey to a savvy email phisher.
This is one of the biggest-reported losses attributed to email phishing but the examples don’t stop here.
On a per company basis, well-established organisations (and some in IT themselves) have suffered from email phishing scams:
- Crelan Bank ($75m)
- Fischer Advanced Composite Components ($61m)
- Ubiquiti Networks ($46m)
- Upsher-Smith Laboratories ($39m)
The first major documented email phishing attack was as early as 2001 when E-Gold appeared to be asking email recipients to verify their accounts. A simple request that could be carried out with the click of a button.
Even if recipients were not E-Gold subscribers, the process made the task simple to complete and file your email as done. Only, in this case, the link redirected you to provide your bank details - and thousands of pounds soon followed.
Aside from the clear monetary risks associated with email phishing, you must consider further risks of not fully protecting your email estate.
Why phishing is dangerous
If a business becomes a victim of phishing, there are several repercussions you must be aware of:
- If you’ve been the victim of a phishing attack, you’re likely to be targeted again.
- The COVID-19 pandemic has normalised receiving emails from unexpected addresses.
- Email phishing continues to become more sophisticated.
- Different generations entering the workplace are less wary of email security.
- Security policies lapse over time and aren’t renewed on a regular basis.
Any of these can lead to negative press, reduced credibility, and an impact on your bottom line. So the dangers have a knock-on effect outside of IT security.
With an understanding of why phishing is dangerous, your immediate next step is to identify the right type of email security your business needs.
Types of email security
To mitigate the risks of email security, it’s important to find the right option for your specific business.
There is plenty of email security software available and some of it does a great job out of the box.
For businesses, rather than individuals, a tailored approach ensures your business gets protected from risks you are most vulnerable to - rather than what email security providers say you are.
At Nasstar, we provide cybersecurity and fully managed IT services to keep your business protected from phishing attacks and any other email intrusions.
John Stention, IT Manager at Thrive Homes, uses Nasstar to keep his email systems secure:
“With the increase of digital and cyber-security threats, it has never been more important for effective security monitoring and response. As our trusted partner, and not just a supplier, I feel safe in the knowledge that Nasstar is the best-fit to assist Thrive on our digital transformation journey.”
If you’re a Microsoft 365 customer, find out more about our security hardening service here.