According to the State of Email Security 2020 report, businesses have seen a 56% increase in email phishing incidents in recent months. 60% of organisations believe there is no foreseeable decrease in email security threats, suggesting they will be the inevitable target of compromised email at some point this year.
Email security threats are only growing more prevalent
These statistics point to the wider context and cause of the increasing effectivity and accessibility of email attacks. With the pandemic disrupting workforces across the globe, and forcing individuals to work from home, email security threats are more popular than ever.
Users are operating within less controlled environments and are not inclined to uphold good security practices from the comfort of their own home. Users are also operating on multiple, less controlled devices. Neglecting to behave in a responsible and security-forward manner exposes users and their entire organisation to email compromise and potentially severe loss and damages.
Top 4 email security threats
When users are lax with their email security practices, email becomes an even more accessible point of entry for malicious cyber-actors. Top email security threats include:
Phishing
These attacks are popular because they are easy and cheap to deploy. Email phishing requires that the cyber-actor disguises the sending address as a trustworthy individual or entity. Phishing is enacted in hopes of obtaining credentials and other sensitive data such as banking or account details. These emails can also contain links to fraudulent sites, encouraging users to type in usernames and passwords or make payments.
Spear Phishing
Spear phishing is a more customised and researched approach. A cybercriminal may collect information from a colleague’s social media profile or past emails to craft a seemingly legitimate email sent from what appears to be a dependable source. The victim assumes the email is coming from a reputable sender and is more likely to click on attachments or provide credentials.
Business Email Compromise (BEC)
Like spear phishing, BEC involves more effort and research to compose an outwardly legitimate email. Financial managers are often the target victim, as cybercriminals compromise the email account of executive managers to request the transfer of funds to the attackers account. Japanese media enterprise, Nikkei, was victim to BEC just last September. An employee from Nikkei America transferred a whopping sum of $29 million to an attacker posing as the parent company’s executive manager.
Malware
Cyber-actors will insert malicious malware into emails via downloadable attachments and links. Ransomware attacks are also commonly deployed, as cyber criminals encrypt a victim’s files and negotiate a monetary transfer in return for this critical data.
7 Email security best practices to reduce attack
Enterprise best practices to protect against email security threats
1. Implement Security Awareness Training.
As we discussed in a recent blog post, security awareness training (SAT) is a great way to strengthen your security defences. We can assist you with implementing SAT as a managed service. This involves running blind phishing campaigns that will assist in identifying your baseline and work towards uplifting your security through continuous reporting and testing.
We can assist you in deciding a suitable security awareness training solution for your organisation. If you are interested in learning more, please contact one of our cybersecurity specialists.
2. Enforce a strong password policy.
A good password policy has complexity requirements that users should be encouraged to meet. Having good password hygiene practices will assist in securing emails and the general security of an organisation.
3. Invest in an email security gateway solution.
Safeguard your environment with an email gateway solution. Email gateways monitor both inbound and outbound emails for spam, malware, viruses and other fraudulent matter. They work to prevent the transmission of malicious content and allow security teams, as well as individuals, to review traffic prior to the release of emails.
Individual best practices to protect against email security threats
4. Proceed with caution.
Take time to manually scan emails before you act on an email. Look out for incorrect spelling or if the sender is using language out of the ordinary. If a colleague typically refers to you by a nickname and instead greets you using your full name, act cautiously and query their request in person. In addition, check that the email is sent from a trusted domain and question the urgency behind specific requests.
5. Do not click links in emails, especially from unknown sender.
If a strange email does happen to bypass your email gateway solution, scan the email preview and only hover over links to get an idea of their verity and the site destination.
6. Double-check requests with employees.
Verify email subject matter and demands with the sender via another means of communication. If you are suspicious of an email’s intentions, make sure to call or speak with the employee, supplier or manager to confirm in person.
7. Avoid disclosing critical information via email.
It is good to be wary, but do not let security impede productivity. Scrutinise emails in accordance with your email security policy and the above practices in mind, and check what communication channels are more suitable for sharing different types of information.
There’s no ‘one-size-fits-all’ in email security
As we have previously mentioned, there is no one-size fits all solution for every business. All business should consider a multi-layered approach to dealing with email security threats. This entails implementing the appropriate controls at an enterprise level, and ensuring individual users are acting judiciously in accordance with security policies and procedures.
For more information please contact our cybersecurity professionals today.
Recent news
Latest posts
Key Strategies and Best Practices for Enhancing OT Security
05 April, 2024
A Comprehensive Guide to Third Party Risk Management (TPRM)
26 February, 2024
