Email Security Best Practice Guide

The first point to note is that the Verizon 2018 Data Breach Investigation Report found that 50% of attacks and data breaches are now carried out by organised criminal groups. These groups are well financed, organised and motivated.

While a recent white paper published by Barracuda revealed startling statistics.

In February 2018 there was:

• One piece of malware for every 645 emails 
• One phishing attempt in every 3,331 emails

While Mailguard reports that:

• 90% of internet cybercrime is perpetrated via email
• 97% of people cant discern a legitimate email from a fraudulent one
• 25% of people click on dangerous links

How it Works

Email attacks come in many forms with differing objectives. However, we can pick out some common methods favoured by malicious actors.

General Phishing - Phishing email attacks are often carried out on a massive scale, targeting large audiences. They are often crude with identifying features that reveal their true nature.

Attacks work by trying to trick a user into providing personal credentials or sensitive information.

A common trait within phishing emails will be to present an urgent notice to the user, requesting a password reset or personal information.

Phishing attacks while not highly sophisticated, depend on deception and carelessness.

Business Email Compromise (BEC) - BEC attacks present a far more sophisticated operation when compared to mass phishing attacks.

The financial reward involved in a successful business attack, means malicious actors are willing to spend more time creating sophisticated methods to fool them.

There are five main types of BEC attack. 

CEO Scam - This may be the most infamous email attack.

In this scenario, malicious actors pose as the company CEO emailing employees in finance, requesting the immediate release of funds into an account they control.

The scam works by leveraging the authority a CEO has over a regular employee. Malicious actors bank on this authority being enough to pressure an individual into fulfilling a request.

NOTE: they also use a distressed or hostile tone to add further pressure. 

Toy maker Mattel, owners of Barbie and Hotwheels not long ago fell victim to the CEO scam. Knowing the company had just replaced its CEO, the scammers contacted the finance department. Pretending to be the new, unfamiliar CEO, they demanded an immediate payment of £2.3 million to a Chinese bank account. It was only later revealed the CEO hadn't requested such action.

Bogus Invoice Scam - In this scam attackers pretend to be a business associate, requesting the immediate transfer of funds into an account they own.

This scam often threatens the termination of a service or product unless the invoice is paid immediately and in particular, is used against companies with foreign suppliers.

Legal Impersonation - In this scam, attackers will pose as an authorised representative from a law firm associated with the business.

Bogus requests for personal information may be sent, along with a request for funds.

Again, urgent and hectic language may be used, and requests can come at the end of the working day. This is done to leave the sanctioning individual with little time to think and no time to inquire.

Data Theft - Individuals within HR are generally targeted and requested to disclose personal information including financial information such as a tax statement.

This information is then used in future attacks or sold to other parties.

Account Compromise - In this scenario, the malicious actor gains direct access to the business email account or an employee's email account.

This can be a devastating breach, particularly if not discovered quickly.

Malicious actors can send invoice payments to vendors listed in the email contact list as well as request information. They are also capable of manipulating mailboxes to hide their actions by deleting sent or received correspondence.

While BEC can be highly damaging for a business, it is often carried out with non-sophisticated methods. It relies primarily on deception and manipulation. 

Lets take a look at the actions you can take to mitigate this threat.

Best Enterprise Level Practices

Employee Training

Employee training should be the cornerstone of your email security plan. It provides the most effective way to ensure employees are up to speed on best practice procedures and company policy.

Through regular training, employees should be introduced to the current and potential threats your organisation faces.

Problematic with email security is that under working conditions employees are encouraged to discard of suspicious emails promptly. Therefore, they aren't always well versed with the specifics of a fraudulent email. Training provides employees with the opportunity to explore malicious material in a controlled environment.

Similarly, as company policy is revised to reflect the changing security landscape, it is necessary everybody throughout the organisation is up to date.

IMPORTANT: It is also vital here that everybody within the organisation is educated on the protocol regarding a compromised account. For instance, If your company handles personal date belonging to European Union citizens, GDPR now dictates a specific set of steps that must be taken if you are to remain compliant with regulation. One such example is the need to inform the Information Commissioners Office within 72 hours of the breach. Employees need to know the correct procedure if your organisation is to respond effectively.

Password Hygiene

Implementing robust password best practices is imperative. The Verizon 2017 Data Breach Investigations Report Illustrates that stolen credentials are again a leading cause in data breaches. In 2017 four out of five data breaches involved stolen credentials.

While the 2018 LastPass Global Password Security Report found that 50% of people do not create different passwords for personal and work accounts. If an attacker has either managed to purchase your password online or stole it from on one application, they have a good chance of applying it to another with success.

Best password practice is essential, follow these tips:

• Never reuse a password for multiple applications
• Never share your password
• Make it long and complicated, include numbers, symbols, upper and lower case
• Use a passphrase instead of a password (lyric from a song, line from a movie)
• Get a password manager

For a full guide see our 10 Best Practice Password Tips

Implement Multi-Factor Authentication

Passwords have numerous inherent weaknesses and need to be supplemented and reinforced with Multi-Factor Authentication (MFA). MFA provides another layer of security you can add to your email account.

MFA works by requiring a user to have three separate pieces of information:

• Something we know (password, PIN)
• Something we have (phone, card)
• Something we are (fingerprint, voice recognition)

Even if your password becomes compromised, an attacker would still need the remaining pieces of evidence to gain access to your email.

For a better understanding of how to implement MFA see our MFA best practice guide for more information.

Work only Email Policy

Worryingly more than one-fourth (28%) of employees don’t know whether their company has a cybersecurity policy!

Having a company policy concerning cybersecurity and email more specifically, is essential for your organisation if it is to operate a credible security system.

It will spell out what practices are and are not acceptable.

The policy your organisation adopts should be tailored around your organisation's needs, but it should apply to everyone with no exceptions made.

While policies will vary between organisations, restricting the use of corporate email to purely corporate activities is essential. Using a corporate email in private circumstances significantly increases your exposure to manipulation from potential attackers.

Similarly, email accounts should only be accessed on trusted devices. Unknown devices may be compromised by malicious software which would leave your email vulnerable.

Regulate Bring Your Own Device

With an ever increasingly flexible workforce, the Bring Your Own Device (BOYD) scheme has gained traction in recent years.

While BOYD has many benefits regarding productivity and flexibility, it also presents another challenge regarding safety.

Employees need to understand the responsibilities and requirements that accompany the scheme and then educated on how to follow them correctly.

Implement BOYD best practices immediately and incorporate it into your cybersecurity policy with specific guidelines covering email practices.

End to End Encryption

End-to-end encryption (E2EE) is a system that provides the secure transfer of information from one point to another. Data is encrypted at the starting point of the information journey and decrypted when it reaches its intended destination. Unlike non-encrypted information which is susceptible to manipulation at any point, only at the beginning and end point of the journey can encrypted information be accessed.

This works by generating a pair of cryptographic keys. One key is used to encrypt the outgoing email while the other is used for decrypting it when it arrives at its destination. After an encrypted email is composed, the decryption key is then shared with the party who will receive the email. Once the email arrives the decryption key is then used to access the protected email.

E2EE provides a highly secure method of communication that should be implemented, particularly for correspondence containing essential and sensitive information.

Implement Email Scanning Software

Email scanning software is effectively anti-virus software dedicated to email and can be extremely effective at identifying malware and mass mailing viruses.

Email Scanning software works by accessing emails as they arrive and screens for malicious content.

Problematic however is that it often fails to spot impersonation attacks that rely solely on deception, as they contain no malicious software.

Another factor to consider is that email scanning software is generally ineffective against encrypted emails. Unless configured in advance to allow scanning software access to encrypted emails.

While email scanning software is an essential tool against malware delivered by email, it is not to be considered the be all and end all of your email security.  

Implement Spam Filters/Whitelist

Implementing a robust spam filter can shield your organisation from mass phishing campaigns as well as nuisance mail.

At the same time, you must implement a whitelist to ensure the legitimate mail you wish to receive, is not hindered by your spam filter.

Follow these tips on how to manage your spam filters:

• Review it at least annually in conjunction with your whitelist adding or subtracting domains.
• Mark messages that get through as spam and add them to your list
• Routinely delete emails sitting in your spam folder as they can contain malicious software. By leaving them in place, it increases the likelihood of an accidental opening.

Backup Emails

Whether it be an accidental loss, physical damage or a data breach, a backed up email inbox is an essential component of business continuity and disaster recovery.

Backing up an email's inbox to a PC, external hard drive or cloud service will provide access should something go wrong.

Should a breach occur, the content within those emails may have been compromised and manipulated. A feature of ransomware is that once uploaded it will scan through a device selecting files and coding them much like encryption. Once this encryption has taken place, you can either pay the ransom with no guarantee you'll be given back access to a known compromised file, or you can cut your loses.

Having a backup, ensures you have access to a safe, non-compromised inbox.

Best End-User Practices 

Control Whom you Give it to

Be selective about who you give your email to. Controlling where your email goes is a useful practice that helps stop unwanted spam and misdirected traffic.

Think about providing your email, only to the people who need it. Displaying your email address on social media such as LinkedIn may help you network, but it also exposes your corporate email to individuals outside of the enterprise.

Your company email policy should provide guidelines on email distribution.

Watch out for Phishing Emails

Never open unexpected mail without first checking it over.

Here’s what to watch for:

• Display name - check who it has been sent by before opening. Don’t trust an unknown address, assume it could be malicious. If you recognise the name, double check to verify it is indeed the correct address. It is easy to be fooled by Looksimilar@.uk and Looksimiilar@.uk as the same two accounts!

• Be aware - when using a mobile phone! Due to the smaller screen size, emails are edited. The full email address tends to be hidden with just the name showing.

• Display header – attackers also use email headers to spoof people. They often use bold urgent headers to grab your attention.

• Spelling mistakes - while a single typo may be an innocent mistake, it could also indicate a bogus email, particularly if the text contains multiple cases. Similarly, check for unusual and awkward wording it may suggest it is not the sender's first language.

• Check but don’t click - check any attachments closely. Hover your cursor over the attachment to display its information without clicking on it. Does the file format correspond with formats regularly used by your organisation?

• Requesting personal information - official correspondence from a legitimate organisation will never request sensitive information via email.

• Check the salutation – check who the email is greeting and how. Most legitimate businesses will specifically refer to you, however, bogus organisations often use vague greetings such as “Dear Customer.”

• Urgent or aggressive tone – malicious actors try and manipulate an individual by impersonation, but they also use urgent and potentially aggressive language to pressure people into disclosing personal information. “URGENT: password reset needed” is a typical example.

Never Forward

Never forward an email you suspect of being bogus; looking for a second opinion on its legitimacy.

It just exposes more people to a potential threat, and there's a chance the individual receiving it may open it accidentally.

NOTE: another practice your policy should cover is ‘reply all.’ At times it may be necessary, but your policy should clearly state when this is acceptable.

In 2016 a single email was sent to 840,000 NHS staff with many recipients responding with reply all, only further exasperating the problem. The system slowed and hindered doctors from communicating sensitive patient records in a timely fashion. While this is an extreme example, reply all emails can represent a threat as well as an annoyance.

Never Attempt to Unsubscribe

Whether it be in your spam or your official inbox, never try and unsubscribe no matter how annoying they become.

Phishing emails will often bank on you trying just that and malicious actors have factored that into their methodology. By clicking unsubscribe you leave yourself vulnerable to being directed to a bogus domain.

These sites are designed to capture your personal information.

Merely delete, take note and add to your spam blocker.

Use VPN over public WiFi

Public WiFi hotspots are exceptionally vulnerable and easily compromised. Running your email traffic through a public hotspot places you in a vulnerable position.

Instead of using public WiFi hotspots, opt for a Virtual Private Network (VPN)

VPN is a service that takes your internet connection and makes it more secure by using encryption methods.

Conclusion

Email security constitutes one of the biggest threats an organisation can face. The sheer volume of correspondence in today's world is only increasing and its likely the threat posed by malicious emails will rise inline with it. 

The key to mitigating this threat is in having a well educated workforce that knows what to look for and how to respond. The strongest defense you have against social engineering is to have people spot it when it presents itself. 

Implement our email best practices to mitigate the risk to yourself and your organisation. 

If you have any questions regarding the implementation of these practices then feel free to contact us here, we are happy to help!