In the present day more businesses than ever rely on being online and having a safe digital space. But the more time we spend online, the more opportunities we create for malicious hackers to try and take advantage of cybersecurity weaknesses. Email security has been a concern for as long as email accounts have been commonly used; back in 2019, 94% of all cyberattacks were delivered via email (Source: Verizon).
Phishing attacks are one of the most common forms of cyberattacks, so common that the vast majority of people with an email account will have received a phishing email at some point. These emails are designed to trick the receiver into revealing personal information, such as passwords, financial information, or other sensitive data.
A phishing email is disguised to look like it has come from an official source. For example, you might receive an email that appears to have come from your bank, a client, or another reputable business such as Microsoft or Apple. Some of these emails appear obviously fake and it can be hard to believe someone would fall for them, but cybercriminals continue to produce more and more convincing phishing scams, so always keep an eye out.
Spoofing is similar to a phishing attack, and the two are sometimes referred to as if they were the same. However, the key difference between phishing and spoofing is that spoofing attacks specifically try to make the email recipient believe that the email has come from inside their company or place of employment. Spoofing can also be done using phone calls, but it is performed using email the vast majority of the time.
Cybercriminals will create an email with the same header or footer that a company uses, as well as other details that make the spoofing email more convincing, such as logos, email addresses, and even employees' real names. This is an attempt to confuse employees into providing classified information that can later be used to extort money from the company.
Malware isn't solely reserved for emails, but emails do create the easiest pathway for hackers to get malware onto your computer systems. Malware, sometimes referred to as malicious software, is code that is designed to infect your computer systems and steal or encrypt your data.
This type of cyberattack is often used in conjunction with spoofing, with cybercriminals using an email address that pretends to be a colleague's and including an attachment that seems like legitimate work but is just disguised malware. It is vital for employees not to open documents and attachments unless they are completely confident that they are not a form of cyberattack.
4. Weak Passwords
Time and time again we have seen companies that otherwise have strong email security fall victim to a phishing attack, or another form of cyberattack, simply due to an employee having a weak password. We briefly spoke about the dangers of weak passwords in our previous blog about identity and access lifecycle management.
You could have the strongest email security in the world, but if a hacker simply guesses an employee's password then it doesn't matter. The National Institute of Standards and Technology (NIST) does not recommend using a forced password expiration policy, as it can lead to poor employee cybersecurity practices for many companies. Your organization must define, communicate and implement a strong passphrase process that ensures common and compromised passphrases are not used.
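One way to implement the screening step of such a passphrase process, shown here as an added example that is not part of the original article. The sample blocklist is constructed, and `MIN_LENGTH`, `screen_passphrase` and its parameters are assumed names and values to adapt to your own policy.

```python
import hashlib
import unicodedata

MIN_LENGTH = 8  # assumed policy minimum; set this to your organization's value

# Constructed sample corpus. A real deployment would load a common-password
# list and a breach corpus, typically distributed as SHA-1 digests.
_SAMPLE_BAD = ["password1", "letmein123", "qwertyuiop", "correct horse battery staple"]
BLOCKLIST_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BAD}


def _digest(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def screen_passphrase(candidate, username="", context_words=()):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    # Normalize so visually identical Unicode inputs compare equal.
    norm = unicodedata.normalize("NFKC", candidate)
    folded = norm.casefold()

    if len(norm) < MIN_LENGTH:
        reasons.append("too short")

    # Exact and case-folded lookups catch "Password1" as well as "password1".
    if _digest(norm) in BLOCKLIST_SHA1 or _digest(folded) in BLOCKLIST_SHA1:
        reasons.append("found in common/compromised list")

    # Context-specific words: the account name, company name, product names.
    for word in (username, *context_words):
        if len(word) >= 4 and word.casefold() in folded:
            reasons.append(f"contains context word '{word}'")

    # One repeated character or a short repeated unit such as "abcabcabc".
    for unit in range(1, 4):
        if len(folded) >= 2 * unit and folded == (folded[:unit] * len(folded))[:len(folded)]:
            reasons.append("repetitive pattern")
            break

    return reasons
```

Run the check when a passphrase is set or changed, and show the returned reasons to the user so they can choose a different passphrase.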
We hope this article has given you insight into some of the most common threats to look out for when it comes to email security for your business. When it comes to protecting your business' cybersecurity, staying alert and knowledgeable about common threats can be half of the battle; the other half is implementing and enforcing effective policies for yourself and your employees.
At Euclid Security we offer a range of cybersecurity services, including consultation and advisory, and security awareness and training for you and your employees. If you feel like you need more help with your email security then don’t hesitate to get in touch for a no-obligation discussion.