Email Security

Using Your Email Safely

Your company’s email is one of the most important tools you’ll use to keep in touch with your clients, your suppliers and your technical support. It’s one of the easiest ways to send important documents, and it makes ‘trackable’ conversations simple and searchable. Email will continue to play a role. But although advances in email office software have made email simpler and safer to use than ever, your company still can’t afford to disregard basic email security processes. Let’s have a look at a few things you should know about.

Two-Factor Authentication

Have you ever wondered how celebrities and world leaders manage to keep their private email and social media accounts safe? One method at their disposal is called ‘two-factor authentication’, or 2FA.

What this does is it makes your email ‘harder’ to log into by requiring a code from another device, such as your mobile phone, in addition to your password. A code may be issued to you via text message, or may be continuously cycled by an app or a key fob synchronized to your account. Some two-factor authentication methods even use biometric data, such as by taking a quick scan of your facial features, or reading a fingerprint.

You can think of your password as one ‘factor’ to log into your account, and this code or other data is the second ‘factor’ – hence, two-factor authentication. This means that even if a hacker somehow figured out your password, your email will still be safe unless they can also access that code. If they couldn’t steal your phone or simultaneously hack into it, your email would still be safe.

Two-factor authentication is used for many social media and online platforms in addition to email programs. Twitter, Facebook and other social media organizations offer strong 2FA options for their users. Online gaming platform Steam, which manages digital items and licenses sometimes amounting to thousands of dollars for a single player, offers a convenient 2FA option for users in the interest of protecting their accounts. In fact, nearly every major online service offers some form of 2FA for their clients, even for personal use. So it makes sense that your business should be able to protect your accounts the same way.

Of course, 2FA is a little less convenient than requiring only a password. But that’s the price of security!

Phishing For Trouble

Computer hackers on television are often depicted as someone on the other end of a screen actively trying to break into a remote system. Of course, because it’s on television, it looks glamorous, dangerous and exciting. But one of the most common methods of getting into your system doesn’t look anything like Mission: Impossible – it’s more like Gone Fishin’. Or, more appropriately, Gone Phishin’.

‘Phishing’ actually works a lot like it sounds. A phisher will send thousands of emails to thousands of email addresses, usually obtained anonymously via advanced data collection techniques. Those emails will pretend to be an entity that the user trusts, such as Apple or Visa, and usually will request some kind of information or cooperation from the reader. For instance, one recent phishing mail that received wide circulation was a fake notification from ‘Apple’ disguised as a receipt for an Apple Store purchase.

‘Cooperation’ from the reader might include clicking a link, opening an attached file, or replying to the email. Sometimes phishing attackers ask for your bank’s password or your credit card number. And often there is a sense of urgency expressed, as though the reader doesn’t even have enough time to think it through first.

Phishing attacks depend on the law of large numbers. If a phishing attack sends 10,000 mails, it’s a sure bet that someone will make the mistake of clicking through. That can be enough to compromise a single system, which can open up access to a network. A malicious attacker can then install ransomware, essentially holding your business hostage until you pay, or steal sensitive documents and client data.

Alternately, a phishing attack can turn into a ‘social engineering’ hack, which is less of a technical hack and more of an old-fashioned method – simply tricking someone into revealing sensitive information. A little deception can be all a charismatic hacker needs to get the keys to the kingdom. After all, a hacker wouldn’t need to hack into anything if a confused intern will just tell them their manager’s credit card number in the first place.

How To Stop Phishing Attacks?

Fortunately, you can help stop phishing attacks in your organization with a few key steps.

First, if a mail seems suspicious, check the sender’s email address by viewing the email’s properties. Don’t be fooled by the email’s Display Name! Even though the title of the email might say that the email is from Apple or Wal-mart, checking the actual email address might reveal that the email is actually from a free web service such as Google Gmail (in other words, something a scammer would use without paying). Misrepresenting the identity of the organization sending the email is a surefire way to tell that an email is illegitimate.

Another common tell that an email is illegitimate is poor grammar and spelling, or ugly formatting. Many phishing attacks originate from countries that utilize English as a second language (at best). Of course, it’s unlikely that a trillion-dollar company would send out a form email containing spelling and grammatical errors, or attachments with sloppy and lengthy filenames. This can be an easy-to-spot red flag.

Your organization can deploy spam filters and email scanning to stop suspicious emails before they even hit your inbox. If an email looks suspicious, it can quarantine the email so that the reader will have to take extra steps – and hopefully spend some extra scrutiny – before reading the email.

Finally, it can be tempting to write a potential scammer back and give them a piece of your mind. Don’t. Your email will go into a database and they’ll know it’s a ‘live’ one. This only invites more spam and more phishing attempts.

To Wrap It Up

This isn’t everything your company should be doing to secure your email and your data. But these are great places to start. If your company is relying on only the most basic methods to protect your data and accounts, it may be time to conduct a professional review of your systems. A comprehensive overview by a team of professionals can help identify security gaps and shore up your company’s defenses.