Email Security Requires a Multi-Front Approach
“It was a dark and stormy night, on a lonely stretch of road …”
Thus begins your stereotypical crime novel. But let’s discuss an entirely different crime – fact, not fiction – that most commonly transpires in broad daylight, in a familiar setting.
Let’s discuss a cybercrime: infiltration of an organization’s email accounts.
Why is email so vulnerable? First of all, it offers easy entrée.
“It’s usually easy enough to work out someone’s email address and, bingo, once you have it you can try different techniques and approaches time after time until you snare someone,” says Bradley Maule-ffinch, head of content for Cyber Security Chicago.
Business email is also a relatively simple way to reach a great many people at once.
“It’s a numbers game,” Maule-ffinch says, “and someone will fall foul.”
That’s because it’s so easy to let your guard down. In the course of a day, you receive so many emails that you may well not look closely enough to confirm the identity of the sender or notice an irregularity. So with one click from you, the infiltrator has entered.
You can better protect yourself with a few corporate email best practices.
When in Doubt, Pick up the Phone!
According to The Free Dictionary, to “phish” is to request confidential information over the internet under false pretenses in order to fraudulently obtain credit card numbers, passwords or other personal data.
There are lots of ways to spot a phishing email, Maule-ffinch explains. While they aren’t “all from Nigerian princes offering to deposit billions of dollars into your bank account,” they do often display common traits.
Poor grammar, spelling mistakes or odd salutations (e.g., “Dear Valued Customer”) are among those traits.
Jessica Robinson, CEO of PurePoint International, a New York-based business-security firm, lists some additional phish hooks:
- Does the email ask for personally identifiable information? (“Can you send a W-2 or W-9?”)
- Are they asking for information about the company?
- Is a sense of urgency conveyed? (“Your account will be suspended if you don’t act now!”)
An attachment to an unsolicited email also shouts danger. Don’t click it – even if you believe it to be from a reliable source.
“I never click links in emails from my bank or credit card company, even though I know they are probably legitimate,” says Robert Siciliano, CEO of Boston-based IDTheftSecurity.com. “I’ll just go directly to the credit card company or bank’s website to see my statement. Generally, the only time I’m clicking a link in the body of an email is if, say, I’m engaged in refinancing my property and I have ongoing dialogue with the mortgage broker. Or if I’ve just signed up for a brand-new website and I have to click the link in order to confirm my email address.”
Whenever in doubt about a sender’s true identity, Siciliano advises, “Pick up the phone!” This is the best way to validate – or invalidate – the sender.
Avoid Scams, Apply Common Sense
Robinson offers some additional common-sense email protection tips:
- Is the content of the email in line with what you’d expect the alleged sender to send you?
- Is your name in the “To” area, or does the message appear to be sent to a group of people? “These observations matter,” Robinson attests. “If the group email address is unfamiliar to you, don’t open the email.”
- Are they asking you to wire money or share sensitive information? “As part of best practices,” she says, “these should not be requests that come in the form of an email. Always verbally confirm with the sender.”
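The two checklists above (the phish hooks Robinson lists and her common-sense checks) can be turned into a first-pass triage script that a help desk or mail gateway could run over a reported message. The example below is added here and is not code from the article or from the people it quotes; the indicator phrases, the score threshold, the sample messages and the “known group address” list are all constructed for illustration, and a real deployment would tune them to the organization. It uses only the Python standard library, and the verdict it returns deliberately matches Siciliano’s advice: when enough indicators fire, the answer is to pick up the phone, not to act on the email.

```python
"""Heuristic phishing triage for one inbound message.

Scores the indicators the article lists: requests for PII (W-2/W-9 etc.),
requests for company information, urgency, an unsolicited attachment,
a generic salutation, wire/sensitive-data requests, and whether the
recipient is addressed directly or via an unfamiliar group address.
Added example; the patterns and thresholds are assumptions for illustration.
"""
import re
from email import message_from_string
from email.message import Message

# Assumed: distribution lists this organization recognizes as its own.
KNOWN_GROUP_ADDRESSES = {"all-staff@example.com"}

# Constructed indicator phrases; a real deployment would extend and tune these.
PII_PATTERNS = [r"\bw-?2\b", r"\bw-?9\b", r"social security", r"\bssn\b",
                r"date of birth", r"password"]
COMPANY_INFO_PATTERNS = [r"org(anization)?\s*chart", r"employee list",
                         r"vendor list", r"client list"]
URGENCY_PATTERNS = [r"\burgent(ly)?\b", r"act now", r"immediately",
                    r"will be (suspended|closed|terminated)", r"within 24 hours"]
MONEY_PATTERNS = [r"wire (transfer|the funds|money)", r"\bgift cards?\b",
                  r"bank (account|details)", r"routing number"]
GENERIC_SALUTATIONS = [r"^dear (valued )?(customer|user|member|account holder)\b",
                       r"^dear sir/madam"]


def _any(patterns, text):
    return any(re.search(p, text, re.IGNORECASE | re.MULTILINE) for p in patterns)


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def _has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def triage(raw: str, recipient: str) -> dict:
    """Return the indicators that fired, a score, and a triage verdict."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    subject = msg.get("Subject") or ""
    to_field = (msg.get("To") or "").lower()
    flags = {
        "asks_for_pii": _any(PII_PATTERNS, body),
        "asks_for_company_info": _any(COMPANY_INFO_PATTERNS, body),
        "urgency": _any(URGENCY_PATTERNS, subject + "\n" + body),
        "unsolicited_attachment": _has_attachment(msg),
        "generic_salutation": _any(GENERIC_SALUTATIONS, body),
        "asks_for_money_or_secrets": _any(MONEY_PATTERNS, body),
    }
    # Is the recipient named in "To", or is this going to a group we don't know?
    addressed_directly = recipient.lower() in to_field
    known_group = any(g in to_field for g in KNOWN_GROUP_ADDRESSES)
    flags["unfamiliar_group_recipient"] = not addressed_directly and not known_group
    score = sum(flags.values())
    verdict = "verify by phone before acting" if score >= 2 else "low concern"
    return {"flags": flags, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "Accounts Payable" <ap@payroll-update.example.net>
To: finance-team@unknown-list.example.net
Subject: URGENT: W-2 forms needed today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Dear Valued Customer,

Please send the W-2 forms for all staff immediately. Your account
will be suspended if you don't act now.

--BOUNDARY
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

SAMPLE_BENIGN = """\
From: Carol <carol@example.com>
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Hi Alice,

Are you free for lunch Thursday? Same place as last time.

Carol
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw, "alice@example.com"))
```

The score is a count of independent indicators rather than a weighted model, so a single false positive (a legitimate “urgent” subject line) does not on its own push a message into the verification bucket, while a message that asks for W-2s, arrives with an attachment, opens with “Dear Valued Customer” and goes to an unknown list trips several checks at once.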
And be mindful that bogus emails don’t always come from an outsider. According to Forrester Research, insiders accounted for 39% of data breaches in 2015, through either accidental or deliberate misuse of data. Services that specifically monitor internally generated emails are available.
Developing a set of corporate email best practices, training the team on them and installing software that supports them is crucial.
One option is to institute a level of encryption that prompts both the sender and the recipient to log into a third-party portal. A fraud defense system that allows you to block all unauthorized emails is another. You might also select a detection tool that allows you to respond in real time when an attack is occurring by disabling links and attachments and removing the email.
Email security risk-assessment services are also helpful to gird your defenses.
Cybercrime: ‘The New Normal’
Being smart goes a long way. Still, the level of investigation and intelligence that today goes into creating fraudulent emails makes them a formidable foe.
“This is the new normal,” Robinson agrees, “and it is everyone’s responsibility. If a leader isn’t investing in solutions to deter these risks, they’re setting their company up for failure.”