The Info Sec Factory


Email Safety

Email Security

Email has become a necessity in everyday life.  Take just a moment and think about the ways we use it:

  • As a communication tool with friends, colleagues, business partners

  • As a user identity for online services like retail, banking, health care

Because it is so prominent in our lives, it’s no wonder that fraudsters, identity thieves and hackers focus so much of their energy on email.  They know everyone has at least one email account.  They know it’s a gateway to other systems. They know most of us get more email than we know what to do with and that in our haste to get through unread items we are more likely to fall for their tricks.

Motivation and Tactics

Let’s look at a couple ways bad actors target email.

1. Deploying Malware to Computer Networks:  Cyber Security started hitting the public consciousness about 10 years ago following high-profile data breaches targeting retailers.  Bad actors were motivated by the financial gains made by stealing and selling credit card numbers.  More recently, attackers have shifted to Ransomware.  In both cases email is the favored delivery mechanism.  Malicious attachments and links within emails can trigger the installation of Malware on your system; from there, Malware has the potential to spread throughout a network.

2. Capturing User Account Information:  Think about all the services you have linked to your email account.  Amazon, Netflix, maybe your Retirement Account?  Most services allow you to reset a forgotten password via email.  Thinking like a Hacker, once I have access to your Email, I can quickly ascertain the services you are subscribed to and initiate password resets to gain access.  I can also choose to auto-forward your emails to another inbox and you’d be none the wiser that I’m spying on your correspondence.  Lastly, I could use your stolen email credentials to impersonate you from inside your organization, thus avoiding suspicion and many of your corporation’s security tools.

3. Business Email Compromise and Fraud:  Bad actors are extremely creative.  They can very accurately spoof email addresses and recreate the look and feel of a corporation’s digital properties.  Leveraging this capability, fraudsters forward payment notices to the unsuspecting.  If you do business with the emulated entity, you may be inclined to initiate a payment, particularly if the payment notice is marked as “Urgent” or “Suspension Notice”.

What can you do to protect yourself?

There is a long list of things you can do, but let’s focus on just a few easy ones.

1. Hover over the From/Sender field to reveal the sending email address.  If the domain does not match the expected sender, it’s almost always spoofed.  Do the same with embedded links; if the URL is not what you expect, it’s best not to trust it.

2. Assume you are being scammed by anything asking you to log in or to urgently take action.  For example, it’s best to open a new browser window and log in to your bank account directly, rather than clicking a link within an email.  Similarly, validate odd requests through established channels rather than trusting the contact info in an email.

3. Be suspicious of file attachments in emails, particularly if you are not expecting them.  Older versions of Office Documents are particularly dangerous if you allow Macros.  Never trust executable files with .exe, .js, .vbs, or .ps extensions.

4. Enable Multi-Factor Authentication for your email (and all your services, to be honest).  MFA is an added level of security that combines your password with a one-time code, a push notification, or a biometric.  The additional factors are difficult for a would-be attacker to defeat even when they have your password.


Others:

1. Education.  Good news, you’ve already taken the first step!

2. Be suspicious of file attachments in emails, particularly if you are not expecting them.  Older versions of Office Documents are particularly dangerous if you allow Macros.  Never trust an executable file with .exe, .js, .vbs, or .ps extensions.

3. Hover over the From/Sender field to reveal the email address.  If the domain does not match the expected sender, it’s almost always spoofed.  While some organizations allow business partners to send spoofed emails on their behalf, it’s best not to trust it.

4. Similarly, hovering over embedded links will show you the URL they actually point to.  If it’s not the website you are expecting, don’t click the link.

5. Be on the lookout for scams asking you to log in or to urgently take some action.  It’s best to open a browser window and log in to your bank account directly, rather than clicking a link within an email.

6. Validate suspicious requests through existing channels.  If a request seems odd, contact the business partner using a known phone number, email or web address.

7. Protect against account compromise by setting up Multi-Factor Authentication.  Most email services offer this option for free.  Depending on the implementation, MFA will require you to provide a one-time code or acknowledge a notification in conjunction with your password.  While not 100% foolproof, this is one of the most effective ways to protect your digital identity.

8. Practice good hygiene.  Keep your devices and software up to date.  Most malicious links and attachments depend on a pre-existing vulnerability.

9. For PC users, maintain up-to-date Anti-Virus software.  It is generally good at detecting pre-existing threats.
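The manual checks in both lists above (does the real sending address sit in the expected domain, does a link’s visible text match where it actually points, is the attachment one of the risky file types, is the subject line pushing you to act “Urgently”) can be automated.  The Python below is an added example, not code from The Info Sec Factory, that parses a constructed sample message and reports each indicator it finds.  The domains, file name, the `analyse` and `LinkCollector` names and the caller-supplied expected sender domain are all assumptions made for this illustration; the sample email is constructed, not a real phishing message.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions the article says never to trust (.ps kept as written on the page;
# .ps1 added because that is the actual PowerShell script extension).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".ps", ".ps1"}
# Pressure words the article quotes from fraudulent payment notices.
URGENCY_PHRASES = ("urgent", "suspension notice")
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:[/?#].*)?$")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (crude, but enough for this sample)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def shown_host(text):
    """Hostname the reader 'sees' when the anchor text itself looks like a URL."""
    if not URL_LIKE.match(text):
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def analyse(raw_email, expected_domain):
    """Return indicator strings found in a raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []

    # Sender check: does the real address sit in the domain you expect?
    _name, addr = parseaddr(str(msg["From"]))
    if registered_domain(addr.rpartition("@")[2]) != expected_domain:
        findings.append(f"from-domain-mismatch: {addr}")

    # Urgency check: the "act now" wording scams rely on.
    subject = str(msg["Subject"] or "").lower()
    findings += [f"urgency-cue: {p}" for p in URGENCY_PHRASES if p in subject]

    # Link check: what the text shows versus where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            target = urlparse(href).hostname or ""
            seen = shown_host(text)
            if seen and registered_domain(seen) != registered_domain(target):
                findings.append(f"link-mismatch: shows {seen}, goes to {target}")
            elif registered_domain(target) != expected_domain:
                findings.append(f"link-offdomain: {target}")

    # Attachment check: file types the article says never to trust.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." + name.rpartition(".")[2].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment: {name}")
    return findings


# Constructed sample message for this example (not a real phishing email).
SAMPLE_EMAIL = """\
From: "Acme Bank Billing" <billing@acme-bank-secure.example>
Subject: URGENT: Suspension Notice for your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Sign in at
<a href="http://login.acme-bank-secure.example/reset">https://www.acme-bank.example/login</a>
</p></body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

(constructed placeholder content, not a real file)
--b1--
"""
```

Calling `analyse(SAMPLE_EMAIL, "acme-bank.example")` on the constructed message returns five findings: the From domain mismatch, two urgency cues from the subject, the link whose visible text names the bank but whose href points elsewhere, and the `.exe` attachment disguised with a `.pdf` in its name.  The domain comparison is deliberately simple (last two labels), which is fine for a demonstration but would need a public-suffix list for real mail from multi-label country domains.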