Guide to email security: Secure your email and environment
Phishing attacks are reported to account for nearly 22% of data breaches, making it one of the most prevalent cyber crimes according to the FBI. And with the average cost of data breaches to organizations coming in at over $4 million, securing your email and following best practices is not a “maybe”, it’s a “must”.
In this guide, we’ll go more in-depth into why email security is so important, the types of email threats organizations are up against, their impact, and what you can do to secure your environment against email-based attacks.
What is email security?
Email security helps to safeguard email communication against cyber attacks that can result in data breaches, unauthorized access, phishing attacks, malware, and other advanced threats. It involves a series of collective measures enveloping various technologies, techniques, and policies that are aimed at preserving the integrity and confidentiality of email data.
Why email security is so important
Where there is a rise in email use, there is also a rise in cybercrime surrounding it. According to the Radicati Group’s Email Statistics Report, business and consumer email volume is on an upward trend, exceeding 400 billion emails per day in 2023. This is accompanied by a hefty increase in phishing attacks in 2023 compared to the previous year.
With time and the sheer volume of email use on their side, cybercriminals are becoming increasingly adept at infiltrating businesses and their data through email-based attacks. And the consequences can be devastating, resulting in severe reputational and financial loss to the organizations affected.
All businesses are at risk and while larger, well-known organizations may be more attractive to cybercriminals, it’s important to remember they don’t discriminate against the smaller ones!
Types of email-based attacks
Cybercriminals are a creative bunch and they’ve devised multiple ways to attack organizations via email. Here are the most common types of attacks you should be aware of.
Phishing, spear phishing and whaling
Phishing involves sending a malicious email that, upon first glance, appears to be legitimate and from an organization known to the recipient. The goal is to steal important personal information, such as login credentials or bank account details, through brand impersonation (for example, Google, Slack, or Microsoft) and requesting that the user perform an action, such as click a link and log in to an interface.
The attacker will often make the situation seem urgent, explaining that the recipient must log in or provide other personal information due to a security breach or to retain account access, for example. This is done to cause panic so that the recipient reacts quickly without thinking or double-checking the email.
Spear phishing works in the same way but targets very specific individuals whom the attacker is likely to have researched in order to make the attack more convincing. Whaling, on the other hand, targets high-profile individuals such as CEOs or other senior figures at an organization.
Malware and ransomware
Malware means malicious software and includes viruses, worms, spyware, and ransomware. Its purpose is to infiltrate computer systems to harm, disrupt or exploit them. When it comes to malware attacks on businesses, criminals often use them to steal data or cause disruption to the organization.
Malware is usually distributed through email via a malicious link or attachment. When the recipient clicks the link or downloads the file, the malware will be discreetly installed so, often, they won’t even know they’ve been compromised.
Ransomware is a more specific use case that involves the attacker gaining access to an organization’s system in order to hold it or its data hostage. Once the ransomware is installed, the user will typically be locked out of the system and will receive a message to pay a ransom for access to be restored.
Spoofing
Spoofing involves forging email headers, by changing the From address in the header, to trick email clients and recipients into believing they are a legitimate sender.
Attackers may use spoofing to carry out other types of attacks, such as phishing, malware, and BEC (Business Email Compromise) attacks.
A famous case of spoofing and phishing is the 2016 email attack on John Podesta, Hillary Clinton’s campaign chairman. The attack was launched by Russian hacking group, Fancy Bear, and involved an email from the domain “googlemail.com” claiming that the email account had been compromised and urging him to change his password. The breach resulted in Podesta’s emails being leaked on WikiLeaks.
Business email compromise (BEC)
BEC attacks use social engineering over email to trick the victim into performing an action, such as paying a fake invoice or making a bank transfer. These types of emails often make it through spam filters (as they don’t contain any malware or viruses), pass DMARC authentication, and are usually made up of plain text to be more convincing as a genuine email.
What makes them even more dangerous is that they typically impersonate a higher-up within an organization and use spoofing to make the email appear more legitimate. Similar to phishing attacks, they’ll use a sense of urgency to push the recipient to react without properly checking the authenticity of the email.
Denial of service (DoS) attacks
Also known as “mail bombs” DoS attacks involve overwhelming mail servers with a massive amount of incoming mail. This renders them unable to continue functioning and prevents legitimate emails from getting through.
DoS attacks are usually achieved by using a botnet to bombard a mail server with emails, or by sending a high volume of emails containing extremely large text file attachments as zip files. The latter results in the mail server unzipping and checking each file for malware, which puts a significant strain on the server.
The point of this is to prevent an organization’s email from working properly. It causes serious disruption to businesses that rely heavily on email, particularly those that use it to communicate with customers, for example, for support tickets.
Man-in-the-middle attack
A man-in-the-middle (or MitM) attack involves an attacker intercepting the communication between 2 parties. Not only are they able to read the conversation, but they are also able to control it by modifying or injecting email messages.
While the intercepted communication can be between 2 users, it’s often between a user and an application, such as an email client. The purpose of this type of attack is usually to eavesdrop on the conversation to retrieve sensitive data, hack the account, or make unauthorized transactions.
Account hijacking
This type of attack involves taking over a legitimate email account to carry out malicious acts or monitor the user’s activity. Attackers will typically hijack accounts to send phishing emails, malware, or spam emails to the user’s contacts.
To take over the account the attacker must first steal the user’s credentials. They usually accomplish this by phishing, malware, password guessing, or using leaked credentials from data breaches.
The impact of email security breaches on businesses
The overall impact of email security breaches on businesses can be significant. As we’ve seen in the real-world examples above, it can cause damage that some businesses are unable to recover from. So let’s dive into the reasons why the implementation of robust email security measures is essential for all organizations.
1. Financial loss
Email security breaches can have a huge financial impact on businesses, both directly and indirectly. Organizations affected by an attack could face costs related to:
Stolen funds
Investigating and rectifying the breach
Potential fines for non-regulatory compliance
Legal fees
Compensation for customers or partners affected by the attack
What’s more, disruption to operations, damage to reputation, and loss of customers will have a long-term effect on financial performance.
2. Reputational damage
If a breach happens, customers, partners and stakeholders will wonder how it happened and how likely it is to happen again. It will result in a loss of trust and confidence in your company and a decrease in brand loyalty, with potentially even those unaffected by the breach choosing to part ways.
It may also be something that future potential customers will think about when considering your business. And to add salt to the wound, competitors may highlight the breach to sell their product or service over yours. Rebuilding that trust and reputation that took so long to cultivate can be a challenging process.
3. Customer impact
If an attacker gains access to your company’s sensitive data, it can have a direct impact on your customers as well. Exposure of their data may result in financial losses, fraud, identity theft, and even harm caused to their own organizations, leading to disruption in their life or work and increased stress.
Any kind of breach, whether it results in significant damage to customers or not, is likely to tarnish their trust and may have a lasting impact on their relationship with your business.
4. Operational downtime
Email security breaches can disrupt normal business operations, leading to downtime, reduced productivity, and a decline in customer satisfaction. Not only does the need to address and repair the effects of the breach take important resources away from core business operations, but it can also have a significant knock-on effect across the whole organization.
If systems and networks are inaccessible, communication between the business and its customers may break down, resulting in delays in responding to customer requests, processing orders, providing support, and so on.
5. Loss of intellectual property or trade secrets
A business’ sensitive information can be just as valuable to a hacker as its money, and where can this information often be found? In emails. Or, failing that, gaining access to a system via an email-based attack can allow hackers into all of the sensitive, secret information that your business keeps under wraps.
Theft or exposure of this valuable data can compromise your business’s competitive advantage, innovation, and market position, leading to long-term implications for your business’ growth and success.
6. Legal and regulatory impact
Non-compliance with industry-specific regulations and data protection laws such as the GDPR, CCPA, NDB, HIPAA, or PCI DSS can result in significant financial and reputational consequences.
Depending on the circumstances of the breach and the applicable laws and regulations, businesses may face fines, penalties, and legal liabilities for failing to protect personally identifiable information (PII) and other sensitive data.
Email-based attacks prevention and awareness
Securing your email is an ongoing, multi-step process that involves various tools, technologies, policies, and organization-wide education. But the truth is, even if you get everything right, human error can play a significant role in email security. If you follow email security best practices, keep up to date with the latest standards, and regularly hold employee training sessions, you’ll lower the risk of a breach and be well prepared in case it does happen.
Enforce strong password requirements
Create a policy for account passwords that involves users choosing unique, complex and difficult-to-guess passwords for each of their accounts. Define how often passwords should be changed, how they should be stored, and offer guidance on how to select a secure password.
Enable multi-factor authentication (MFA)
Multi-factor authentication requires users to use at least 2 methods of authentication when they try to log in to an app or service, usually by using their login credentials as well as an authentication app or 2FA text message. It prevents attackers from gaining access to an account even if they intercept the user’s login credentials, as they won’t be able to perform the secondary authentication method. Enable this for all of the apps and services your organization uses.
Email security awareness training
Just as cybercriminals find vulnerabilities in apps and systems to gain a way in, they also need to find vulnerabilities in your organization, which means they’ll target employees. It’s crucial that you carry out regular email security training to raise awareness about phishing, spoofing and other types of email attacks. This will enable employees to know what to look out for and how to act accordingly if they are targeted.
Digital footprint management
In addition to training employees about the various types of email attacks and what to look out for, it’s a good idea to educate them on the impact of their digital footprint, and how it can be used to facilitate an attack. Educate them on:
CEO fraud: The attacker impersonates a senior member of the organization to request something from the target, such as making a bank transfer.
Smishing (SMS phishing): Uses fake text messages to convince victims to click a link and download malware, transfer money, or hand over personal information. Similar to phishing but via SMS.
Vishing (voice phishing): Again, phishing but over the phone. Attackers will claim to be from a bank or other service provider and will use a sense of urgency to persuade victims to provide personal details or transfer money. A common scam is to tell victims that their credit card has been used for X amount in a foreign country, and they need to provide their account details to rectify the situation.
Tailgating and piggybacking: These both involve a cybercriminal gaining physical access to an organization’s premises. Tailgating involves doing this by following an unaware employee while piggybacking involves using social engineering to convince the employee to let you in.
Mobile phone security: Mobile devices can provide opportunities for attackers as employees often have their work accounts saved on them. Make sure that employees are only using business accounts on authorized devices and ensure they are up to date with the latest device operating systems and security features.
Out-of-office email security: Attackers will sometimes use information in out-of-office (OOO) emails to contact and trick other employees within the organization. Keep your OOO simple and don’t give away any personal details that could be used to facilitate an attack.
Having a large digital footprint gives cybercriminals access to a wealth of information that they can use to find contact information for individuals as well as make their attacks more convincing.
Use appropriate email authentication
Ensure that the relevant email authentication protocols are implemented correctly, including DMARC (Domain Message Authentication, Reporting & Conformance). DMARC adds another level of security to your email by binding together SPF and DKIM to link the From domain name, DMARC policies, and DMARC reports. What’s more, it allows you to more easily monitor sending activity from your domain so that you can identify unauthorized sendings.
Use email encryption
All senders should use encrypted connections to and from their email platform with SSL/TLS. This will encrypt email contents as they are transferred over the internet. Organizations that regularly deal with sensitive information, such as healthcare providers or government agencies, should also consider using additional email encryption tools.
Implement a secure email gateway (SEG)
An SEG is like a security guard standing watch outside of mailboxes, a barrier between the inbox and the internet. This email security solution filters and analyzes emails for malicious content and then sanitizes them to block any dangerous links or attachments.
Perform regular software updates
Enforce a company-wide policy for all software and operating systems to be regularly updated so that the latest vulnerabilities are patched.
Developing an effective email security policy
Creating a comprehensive email security policy will provide you and your organization with the guidelines needed to protect against phishing attacks, malware and ransomware attacks, email-based data breaches, and more.
Besides being a preventative measure against email-based cyber threats, an email security policy will also help you comply with the various laws and regulations in place to protect sensitive information.
Your email security policy should include:
Why the policy exists and the risks that it aims to diminish
The person, people or team responsible for maintaining, reviewing, updating and enforcing the policy
The definitions of acceptable and unacceptable usage of the organization’s email system
The responsibility of each employee regarding email usage, security and policy guidelines
Details on how the organization will adhere to privacy regulations and protect any sensitive data sent via email
The consequences of policy violations
Procedures for reporting email security breaches or policy violations
Email security is for everyone
Remember, cybercriminals don’t discriminate! No matter your organization’s size or industry, email-based attacks are a risk not to be taken lightly—and they’re getting more sophisticated by the day. By creating a comprehensive email security policy as part of your overall cybersecurity strategy and following the suggestions in this article, you’ll be well prepared to mitigate the risks and keep attackers at bay.
Keep in mind that breaches can happen even when you do have effective policies and practices in place, but that doesn’t render them useless. Without them, recovery will be much more challenging.
