Email security has become a paradox, because while email is often seen as a trusted way of sending messages, it is not really 100 percent secure. And the last few years are a testimony to this paradox. Last year alone saw many kinds of email attacks ranging from phishing to email impersonation, and everything in between. The staggering number of email attacks that happened in 2017 brings the spotlight back to email, its security, and maybe even its very existence as a reliable form of communication.
Here are some numbers to understand the magnitude of the problem.
- According to Symantec, the global spam rate increased multifold and accounted for 54.3 percent of emails in 2017.
- 100 new families of malware entered the market in 2017, and this is about three times more than what was seen in 2016.
- A review by IBM security shows that the number of ransomware messages went up by a whopping 6,000 percent.
- Email phishing is the No. 1 vehicle for ransomware and malware attack. Vade Secure estimates that 91 percent of all malware is delivered through emails.
These numbers should give you an idea of what’s happening in the email world. And hold your breath, because it’s only going to get worse in 2018.
So what can you do to improve email security? First off, let’s look at why email is a potential tool for hacking, before moving on to protection.
Email security issues
Failure of traditional email security
Traditional email security measures will have little to no role in 2018, as hackers are getting more sophisticated by the day. Business Email Compromise (BEC) scams that include email impersonation, phishing, and whaling are likely to reach record levels this year.
A quick analysis of these email attacks show that hackers rely on advanced techniques like content scanning and signatures to analyze messages, and to discern patterns from it. Sometimes, hackers even pose as someone from your contact list, like a family member or a co-worker, so the chances that you will open the email is high.
Unfortunately, most existing email security tools cannot detect this behavior and this is definitely a cause of worry for us.
Use of automation
If you thought robots and artificial intelligence are used only for productive purposes, think again! Hackers extensively use AI tools to try to stay ahead of anti-malware and anti-ransomware solutions.
A report by Imperva shows that automated email phishing campaigns are lowering the cost of implementing an attack, and are increasing the profits for hackers. These automated tools use advanced algorithms to identify compromised servers, so the attacks can be effective and inexpensive.
For example, hackers can get a list of valid email addresses by automating a directory harvest attack. Essentially in this attack, an automated tool tests thousands of email address combinations within minutes using VRFY command. What would take hours and even possibly days can now be done within just a few minutes, thanks to automation tools. As a result, the success rates of attacks increase drastically.
Phishing as a Service campaigns
Yes, read the heading again — it is not a typo.
Phishing as a Service, or PhaaS in short, is making it easier than ever for hackers to steal your data. Many organized criminal groups, often Russia-based, offer this service in the Dark Web world to lower the cost of entry for hackers.
Danny Palmer of ZDnet.com explains how a PhaaS service allows beginner hackers to choose a scam from a personalized dashboard. For example, hackers can choose banking, retail, social media, or any other field and based on their preference, a link is generated and sent to victims’ emails. All the personal information collected from this campaign is stored directly in the users’ dashboard and is accessible only to the user.
Some of these scams are limited only to VIP hackers who pay a subscription fee for this service. But the maximum charge is only 270 rubles or $4.23. Any hacker would be able to recover this money in no time, and this is making PhaaS an attractive option for anyone who wants to make some quick money.
Compromised SMTP servers
When SMTP servers first emerged, they were meant to be functional. Nobody worried about security at that time.
Fast forward to 2018, and we’re still staring at SMTP servers that can be easily compromised to send spam emails.
Understanding these vulnerabilities in email security is only one side of the coin. The other and the more important side is to do whatever is necessary to secure our emails. Such measures are vital not only for individuals but also for organizations because email attacks are often the first step to compromise a network.
Let’s now look at some strategies to improve your email security.
Email security strategies
The most important and often overlooked strategy is educating your employees about email security. Conduct workshops and training sessions once every few months to teach them about the dangers of sharing passwords, sending confidential data over email, and any other practice that could potentially create a security problem. Also, answer any questions or concerns that employees have in this regard.
Experts recommend teaching employees to identify fraudulent or dangerous emails in the following ways.
- Encourage employees to use email stationery and other unique identifiers.
- Train employees to check the sender’s domain to ensure that it matches the real domain name.
- Consider using technological tools to spot potential whaling, malware, and phishing attacks through language analysis.
- Request employees to hover their mouse over any URL in emails to check for fraudulent sites. It’s even better to ask employees to never click a link from an email.
Use encryption for sensitive emails
Consider using encryption tools to protect your content from being read by others. For the best security, encrypt the connection from your email provider, the actual email messages, and your cached or archived messages.
To secure the connection from your email provider, set up secure socket layer (SSL) and transport layer security (TLS). If you’re using web-based email, check if the URL starts with HTTPS://. For some reason, if you see just HTTP://, add the letter “S” at the end of it to create a secure connection.
On the other hand, if you’re using Outlook or a mobile device, navigate to the settings menu and look for an option that will activate encryption.
You can use public key encryption to secure the content of your email. Tools such as OpenPGP or web-based services like JumbleMe are good options.
To encrypt archived messages, secure the device on which it is stored because your emails are at risk if they can be accessed by anyone. Also, it can be a problem when your device is lost or stolen. So, it’s a good idea to archive email messages in the cloud. Alternately, navigate to the archived folder, right-click on “properties,” and select “encrypt contents to secure data.”
These measures should secure your email.
Discourage sending sensitive data through emails
Despite all the security measures, there’s always a possibility for your email to get hacked. So avoid sending any sensitive or private data in email. If you have to share company documents, consider using a cloud-sharing service like Dropbox or Google Drive.
Avoid public WiFi
Have you ever used public WiFi on airports and coffee shops to access your email? Well, that’s the perfect opportunity hackers are looking for to steal your information.
Many times, hackers set up a WiFi network to capture your browsing pattern, emails, chats, and any other activity you do on the Internet. So it’s best you avoid public WiFi, especially when you want to send sensitive emails.
But if you really have to use it, check for “HTTPS” at the beginning of the URL. Also, if you get a warning from your device about the security certificate, stop using the network right away.
Never click links from emails
As a rule of thumb, never click links from your emails. Though this suggestion may sound overrated, it’s really necessary to protect you from giving hackers a free entry into your system or an easy way to steal your personal information.
Many times, hackers spoof big brand names to entice you to click on a link that will, in fact, turn out to be a malicious link. So, it’s best to avoid this practice at all costs.
Performance metrics for email security
Since email security is still vital for most companies, create a process that monitors security for you. Appoint a security leader to spearhead security initiatives and integrate technology, people, and processes for a safe environment. Make security your top priority and ensure that all board members including C-suite executives offer complete support for these security initiatives.
Along with processes, set up performance metrics so you can measure the success of your security initiatives at frequent intervals.
Separate the SMTP
It’s best to keep a separate SMTP for each computer if you can afford it. This way, even if one computer is hacked or is infected by malware, it won’t spread to the rest of the organization.
We hope these measures improve your email security. If you’ve tried any other solutions, please share it with us in the comments section.
Photo credit: Shutterstock