Did you know that last year 60% of organizations were hit by cyberattacks that were spread by their own employees? We will look at email security in this article, but before that, let me share some facts; it is interesting to know how vulnerable we are. Top cybersecurity facts, figures and statistics from the recent past:
- 94% of malware is delivered via email
- Phishing attacks account for more than 80% of reported security incidents
- $17,700 is lost every minute due to phishing attacks
- 60 percent of breaches involved vulnerabilities for which a patch was available but not applied
- 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
- Attacks on IoT devices tripled in the first half of 2019
- Fileless attacks grew by 256 percent over the first half of 2019
- Data breaches cost enterprises an average of $3.92 million
- 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill
Increase in attacks during the pandemic
Email-based cyberattacks have increased while we have all been working from home. Now that we do not have the usual security infrastructure in place, cybercriminals have taken this as an opportunity to attack our vulnerabilities. This is common for individuals as well as organizations. So, to help you stay safe, I have some material for you to use and to share with your employees, so that business data stays under your control. A recent study reveals that cybercriminals are no longer going after company systems; they are going after a company's users. It is important to have security best practices, and especially practices that cover email. When you understand the most common email threats, you are better able to set up protections and policies that help ensure the security of your business.
Common types of email threats
- Malware: Increasingly, attackers take advantage of email to deliver a variety of attacks to organizations using malware, or malicious software, which includes viruses, worms, Trojan horses and spyware.
- Phishing: Unsolicited commercial email, commonly referred to as spam, is the sending of unwanted bulk commercial messages. Phishing refers to deceptive emails of this kind that trick an individual into responding, clicking on a file or link, or disclosing sensitive information.
- Spear phishing: This is a highly targeted phishing attack aimed at a specific individual or a small group of individuals. This kind of phishing is generally done to gain access to computer systems, networks or data.
- Social engineering: Rather than hacking into a system, the attacker can use email to gather sensitive information from an organization, or users are manipulated into performing actions that further an attack. Social engineering is the art of manipulating, influencing or deceiving someone in order to gain confidential information or money. To deceive the target, cybercriminals mine social media sites, LinkedIn and Facebook profiles and other sites, which provide a wealth of information about the organization's personnel. The information that can be found includes contact details, connections, friends, details of ongoing business deals, photos and more. Management team members, including the CMD, CEO, CFO and COO, are often targets of such attacks, or are impersonated: the attacker falsifies the sender information shown in the email to hide its true origin.
- Unintentional acts by authorized users: Many security threats are unintentional. Authorized users may send proprietary or other sensitive information through email, exposing the organization to embarrassment or legal action.
How to protect against the common threats?
- Avoid using a personal account for transferring company data. Do not risk your company's security and your job by transmitting sensitive company data to your own personal computer or email address. This includes using your personal email account for work as well as sending company data to your personal account. In most countries the employer has the right to monitor business email, so be mindful and refrain from sending anything by email that does not follow your company's policies.
- Messages that try to persuade you to send your password or a credit card number are forged, even if they appear to come from your bank or your system administrators.
- Be alert when accessing corporate resources from a public device, and always remember to log off when you finish with secure websites. If you do not, the next person to use the computer will have access to your personal information.
- When you put email addresses in the "bcc" field rather than the "cc" field, none of the recipients can see the addresses of the other recipients. New email users often rely on the "to" field because it is the default way of sending email. This is fine as long as you are writing to just one person, but if you are sending mail to a group of people, confusing "cc" and "bcc" raises serious privacy and security concerns. If anyone in the group treats the message as spam, the whole group will end up treating it that way.
- Sometimes the mistake is not in choosing between "cc" and "bcc" but in hitting "reply all" instead of "reply". When you hit "reply all", your message is sent to everyone included on the original email, and if you did not intend to include them, the result can be bad from both a security and a personal embarrassment perspective.
- Forwarding emails can be a great way to quickly inform someone about a subject without having to write a summary email, but if you are not careful, forwarding can create a significant security risk for yourself and for the earlier recipients of the email. As an email is forwarded, the addresses of everyone who has received it up to that point are automatically listed in the body of the email. As the chain keeps moving, more and more recipient addresses are added to the list.
- Just because you deleted a message from your inbox and the sender deleted it from their sent folder does not mean that the email is gone forever. In fact, messages deleted from an inbox or sent folder still exist on the service provider's server for years, and they can be retrieved by skilled professionals. Normally four copies of any email are generated: in your sent folder, in the receiver's inbox, on your server and on the receiver's server. So I suggest that you treat an email as a permanent document while writing it, and be very careful about the content and language of your emails; they can have legal implications in the future.
- Never click on suspicious links that you receive by email. Clicking on such a link will take you to an unknown location and may download malware to your computer, which in turn helps the attacker take control of it. These links are difficult to identify, but with a little effort and training you can spot them. A link may imitate a popular website or web portal with a small change in the name, e.g. Amazon.com could become Amaz0n.com, which leads you to a spurious site and puts your computer and your data at risk. You also have to be very cautious when opening emails and attachments from unknown senders; they may contain harmful content. Such emails often carry very tempting subject lines to attract users to click on them.
- Primarily, phishing attacks are carried out with the motive of capturing vital information about an individual or an organization. Those who use local email clients should avoid opening suspicious emails; to verify them, the same messages can be opened in a web-based email client.
- One common phishing technique is the unsubscribe link. A fake newsletter pretending to be from a reputed organization will appear as an uninformative email to most people, with a very prominent unsubscribe link. One click on that link can inject malware into your computer, leading to the theft of your vital information, or may attract loads of spam. So be very specific about what you have subscribed to and what you want to unsubscribe from.
- Finally, be skeptical about all the mail you receive, even from within the organization or from known email IDs. It may contain a virus or malware if the sender's computer is infected. Stay away from alarming notices from banks, tantalizing photos, mortgage scams and fake news alerts.
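The lookalike-domain and fake-unsubscribe-link points above can be checked mechanically before a user ever clicks. The following is an added example, not code from the original article: it pulls every link out of an HTML email body and flags three deceptive patterns, a domain that only matches a known brand after folding digit-for-letter tricks (Amaz0n.com), link text that names a different domain than the link target, and an unsubscribe link that leaves the sender's domain. The allowlist, the sender domain and the sample body are all constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_DOMAINS = {"amazon.com", "example-bank.com"}  # hypothetical allowlist of expected brand domains
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})  # digit-for-letter swaps

def registrable(host):  # crude: keep the last two labels, www.amaz0n.com -> amaz0n.com
    return ".".join(host.lower().split(".")[-2:])

def normalize(domain):  # fold digit and "rn"-for-"m" tricks so lookalikes collapse onto the real name
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

class LinkExtractor(HTMLParser):  # collects (href, visible text) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, sender_domain):  # returns (href, reason) pairs for links that look deceptive
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reg = registrable(urlparse(href).hostname or "")
        shown = re.search(r"([a-z0-9-]+\.[a-z]{2,})", text.lower())  # a domain named in the link text
        if reg in KNOWN_DOMAINS:
            continue  # the link really goes to a trusted domain
        if normalize(reg) in KNOWN_DOMAINS:
            findings.append((href, "lookalike of " + normalize(reg)))
        elif shown and registrable(shown.group(1)) != reg:
            findings.append((href, "text shows " + shown.group(1) + " but link goes to " + reg))
        elif "unsubscribe" in text.lower() and reg != registrable(sender_domain):
            findings.append((href, "unsubscribe link leaves the sender's domain"))
    return findings

# Constructed sample body (not a real message): lookalike, mismatched text, off-domain unsubscribe, legitimate
SAMPLE_HTML = ('<a href="https://www.amaz0n.com/track">Amazon.com</a> '
               '<a href="http://evil.example/login">https://example-bank.com/login</a> '
               '<a href="http://click.unknown.example/u">Unsubscribe</a> '
               '<a href="https://www.amazon.com/help">help</a>')
```

Calling `check_links(SAMPLE_HTML, "newsletter.example")` flags the first three links and passes the fourth; the registrable-domain helper is deliberately crude and would need a public-suffix list for real mail flows.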
So friends, keep your data safe and secure. Install a licensed anti-virus from a reputed vendor. For a small, medium or large organization, even one with as few as ten users, deploying a Unified Threat Management (UTM) appliance is desirable, as it provides many essential security features. If you or your organization is not very tech savvy, consult a cyber security service provider to set up policies immediately.
Be alert, be aware, be safe.