Email is so embedded into everyday lives that U.S. adults spend an average of three hours a day checking their work email and devote another two hours to personal emails. With this communication tool demanding so much of our attention, it's no wonder cybercriminals use it as a preferred method for carrying out all sorts of nefarious activities.
Here are just two recent examples:
- In a business email compromise (BEC), the Norwegian Investment Fund lost $10 million when fraudsters spoofed an email address and redirected cash payments into their accounts. BEC involves hackers spoofing or taking over the email of a legitimate company or person, typically to request a wire transfer or send a fake invoice to redirect payment. The FBI estimates that in 2019 alone, BEC losses totaled $1.77 billion.
- Fortune 500 insurance company Magellan became the victim of ransomware in a multi-stage attack that started with a phishing campaign impersonating a company client. The attackers also stole login credentials and sensitive employee information.
The cloud opens up many new options for collaboration and information sharing, and in the future, those tools may replace email as the main communication tool. In the meantime, you can boost your email security by following these basic steps.
1. Use strong passwords
Passwords are a nuisance to remember, and consequently, many people create easy ones and reuse them frequently. If you're using the same passwords for your email and various online services, all it takes is for one of them to be breached, and your login credentials become available on the dark web at almost no cost.
Some of the best practices you should follow include:
- Create long passwords combining letters, numbers, and symbols that don't spell out dictionary words or contain personal details.
- Don't reuse your email password for other accounts.
- Consider using a password manager, which helps you generate strong passwords and store them securely.
- Monitor for leaked credentials — many financial institutions offer this as part of a free credit-monitoring service for customers.
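The checks above can be automated. The following Python script is an added example, not code from the original article: it applies a length and character-class policy, rejects dictionary words and personal details, and looks the password up in a leaked-credential corpus by SHA-1 digest, the way a breach feed would. The 14-character and three-class thresholds, the word list and the breach corpus are all assumptions constructed for the demo.

```python
import hashlib
import string

# All wordlists and breach data here are constructed for this demo (hypothetical).
# A real check would use a full dictionary and a leaked-credential feed.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "letmein"}
_BREACHED_PLAINTEXT = {"Summer2020!", "password123", "Welcome1"}
# Keep only SHA-1 digests, the form a breach feed typically supplies
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _BREACHED_PLAINTEXT}

MIN_LENGTH = 14   # assumed policy threshold, not a number from the article
MIN_CLASSES = 3   # assumed: at least three of lower, upper, digit, symbol


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(checks)


def password_problems(pw: str, personal_details=()) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for detail in personal_details:
        if detail and detail.lower() in lowered:
            problems.append(f"contains personal detail '{detail}'")
    # Compare digests only, so the plaintext never has to leave the client
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        problems.append("appears in a known credential leak")
    return problems


if __name__ == "__main__":
    for candidate in ("Summer2020!", "correct-horse-Battery-staple-42"):
        result = password_problems(candidate, personal_details=("Smith", "1984"))
        print(candidate, "->", "; ".join(result) or "OK")
```

Hashing the candidate and comparing digests is the same idea public breach-lookup services use, so the plaintext password never needs to be sent anywhere to be checked.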
2. Look for signs of phishing
Scammers get better all the time at tricking email users, but you can still look for red flags such as bad grammar and unusual requests. Don't trust an email just because the sender's address looks accurate, because email addresses can be easily spoofed.
3. Be cautious with attachments
Don't open attachments from unknown senders. Word, text, Excel, and PDF files, in particular, can hide malware. As a rule of thumb, don't open any executable files (ending in the extension .exe) from any sender.
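A mail gateway or a simple triage script can apply this rule before a user ever sees the message. The Python below is an added example, not code from the original article: it parses a raw message with the standard library's `email` package and flags attachments with an executable or macro-enabled extension, a decoy double extension such as `invoice.pdf.exe`, or content that starts with the Windows `MZ` header regardless of what the filename or MIME type claims. The extension lists and the sample message are constructed for the demo.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Risky extensions: executables, script hosts and macro-enabled Office files.
# This list is an assumption for the demo, not from the article.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1",
                    ".hta", ".jar", ".docm", ".xlsm", ".pptm"}
# Extensions commonly placed in front of the real one to make a file look harmless
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def risky_attachments(raw_message: bytes) -> dict[str, list[str]]:
    """Map each suspicious attachment filename to the reasons it was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        stem, ext = os.path.splitext(name.lower())
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        if os.path.splitext(stem)[1] in DECOY_EXTENSIONS:
            reasons.append("double extension hides the real file type")
        payload = part.get_payload(decode=True) or b""
        # A Windows PE file begins with 'MZ' whatever the name or MIME type says
        if payload.startswith(b"MZ"):
            reasons.append("content is a Windows executable (MZ header)")
        if reasons:
            flagged[name] = reasons
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: one disguised executable, one macro workbook, one plain PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"PK\x03\x04 macro workbook", maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="report.xlsm")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for filename, reasons in risky_attachments(build_sample_message()).items():
        print(filename, "->", "; ".join(reasons))
```

Checking the first bytes of the payload matters because the sender controls both the filename and the declared `Content-Type`; in the sample the executable is labelled `application/pdf` and would pass a check that trusted the MIME type alone.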
4. Check the URL before you click a link
Even if the sender looks legit, hover over links before you click, make sure the URL makes sense, and confirm that the embedded URL matches the one displayed. But beware of lookalike URLs that are one or two letters off.
Other tips:
- Don't click on a link from a company you don't do business with or don't expect any correspondence from.
- Instead of clicking on a link to log into an account, go to the website directly and access the account from there.
- When in doubt, use a tool like VirusTotal to check if anti-virus engines have recorded the URL as malicious.
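The hover check and the lookalike warning above can be turned into a scan of an HTML email body. The Python below is an added example, not code from the original article: it collects every link with the standard library's `HTMLParser`, reports links whose visible text is a URL pointing somewhere other than the real `href`, and compares each target domain against a list of trusted domains using Levenshtein distance to catch names that are one or two letters off. It also goes one step beyond the text by flagging a trusted name used as a subdomain label of an unrelated domain (`example.com.verify-account.net`). The trusted list, the sample body and the two-label "registrable domain" shortcut are assumptions made for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url: str) -> str:
    """Lower-cased hostname of a URL or bare domain; '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list in this demo)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains that are one or two letters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html: str, trusted_domains) -> list[tuple[str, str]]:
    """Return (href, reason) pairs for links that look deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = hostname(href)
        if not host:
            continue
        reg = registrable(host)
        # 1. The displayed text is itself a URL or domain, but the real target differs
        if "." in text and " " not in text:
            shown = registrable(hostname(text))
            if shown and shown != reg:
                findings.append((href, f"shows {shown} but links to {reg}"))
        for trusted in trusted_domains:
            if reg == trusted:
                continue  # genuine domain or one of its subdomains
            # 2. Lookalike: a trusted domain with a character or two changed
            if edit_distance(reg, trusted) <= 2:
                findings.append((href, f"{reg} looks like {trusted}"))
            # 3. Trusted name embedded as a label of an unrelated domain
            elif trusted in host:
                findings.append((href, f"{trusted} embedded in untrusted host {host}"))
    return findings


# Constructed sample body for the demo (hypothetical domains)
SAMPLE_HTML = """
<p>Please <a href="http://examp1e.com/login">sign in</a> to confirm your payment.</p>
<p>Or visit <a href="https://example-login.net/x">https://www.example.com/account</a></p>
<p>Help: <a href="https://help.example.com/faq">FAQ</a></p>
<p><a href="https://example.com.verify-account.net/">example.com</a></p>
"""
TRUSTED = ("example.com",)

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_HTML, TRUSTED):
        print(href, "->", reason)
```

The distance threshold of two is deliberately loose; on very short trusted domains it will produce false positives, so in practice the lookalike rule is a prompt to verify the link by visiting the site directly, as the tips above recommend, rather than a verdict on its own.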
5. Use email-security tools
Email spam filtering and anti-virus help make your email more secure, but you need to keep them up-to-date. Enable automatic updates both for your security tools and your email application if you're using a desktop version. Don't forget to keep your mobile email app current as well.
6. Separate personal and work accounts
Don't sign up for personal accounts, such as social media and shopping accounts, with your work email. To protect your personal email, it's also a good idea to create a separate account for purposes like subscribing to news lists, accessing gated content, and receiving merchant updates.
7. Don't email sensitive information
Your email can be intercepted during transmission. Don't email anything containing sensitive or confidential data. Instead, use a secure, encrypted file-sharing service.
These are basic actions that all individuals can take to protect their email. Organizations should include these and other best practices in their cybersecurity awareness training program. At the organizational level, a holistic cybersecurity plan should include other strategies like using more advanced email tools and threat detection and response, but even simple things that each end user does at the personal level can go a long way in keeping data secure.