Email is embedded into the everyday lives of U.S. adults.
For starters, the average person receives over 100 emails a day. To sort through all of that, workers spend an average of five hours a day checking their email. With this communication tool demanding so much of our attention, it’s no wonder cybercriminals use it as a preferred method for carrying out major attacks.
Check out a couple of high-profile examples from the past few years:
- A business email compromise (BEC) attack involves hackers spoofing or taking over the email of a legitimate company or person, typically to request a wire transfer or send a fake invoice to redirect payment. In a recent BEC attack, the Norwegian Investment Fund lost $10 million when fraudsters spoofed an email address and redirected cash payments into their accounts.
- The FBI estimates that in 2021 alone, BEC losses totaled $2.4 billion.
- Fortune 500 insurance company Magellan became the victim of ransomware in a multi-stage attack that started with a phishing campaign impersonating a company client. The attackers also stole login credentials and sensitive employee information.
The cloud opens up many new options for collaboration and information sharing, and in the future, those tools may replace email as the main communication tool. In the meantime, there are ways you can boost your email security.
Email Security Tips For 2022
1. Use Strong Passwords
Some things never change. Whether it’s 1992 or 2022, passwords are a nuisance to remember. Consequently, many people create easy passwords and reuse them frequently (such as “Password 1234” or a pet’s name).
But using easy passwords and/or reusing the same passwords for your email and various online services is a dangerous practice, because all it takes is for one of them to be breached, and your login credentials become available on the dark web at almost no cost.
Some of the best practices you should follow include:
- Create long passwords combining letters, numbers, and symbols that don’t spell out dictionary words or contain personal details. One memorable way to do this is a sentence mnemonic: take the first letter of each word in a sentence, so “I have watched Teenage Mutant Ninja Turtles 1011 times since I was a kid” could turn into the password !HWTMNT1011TSIWAK!. A true passphrase, several randomly chosen words strung together, is also strong, as long as the words are picked at random rather than taken from a quotation or a fact about you.
- Don’t reuse your email password for other accounts.
- Consider using a password manager, which helps you generate strong passwords and store them securely.
- Monitor for leaked credentials — many financial institutions offer this as part of a free credit-monitoring service for customers.
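As an added example (not code from the original article), the following Python script turns the rules above into the kind of checker a signup form or a password-manager audit would run. MIN_LENGTH, the dictionary words, the personal details and the breached-password list are constructed assumptions; a real deployment would use full word lists and a breach-lookup service instead of the small sets embedded here.

```python
"""Password checker for the rules above.

Added example, not code from the original article. MIN_LENGTH, the
dictionary words, the personal details and the breached-password list
are constructed assumptions; a real deployment would use full lists.
"""
import math
import re
import string

MIN_LENGTH = 14  # assumption: the article says "long" without naming a number

# Constructed sample data standing in for real word lists.
DICTIONARY_WORDS = {"password", "welcome", "summer", "ninja", "turtle"}
PERSONAL_DETAILS = {"fluffy", "1984", "smith"}  # e.g. a pet's name, birth year, surname
KNOWN_BREACHED = {"password1234", "qwerty123", "letmein"}


def _squash(s: str) -> str:
    """Lowercase and drop whitespace so 'Password 1234' and 'password1234' compare equal."""
    return re.sub(r"\s+", "", s.lower())


def character_classes(pw: str) -> int:
    """How many of the lowercase, uppercase, digit and symbol classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def estimated_bits(pw: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from the
    alphabet the password uses. A sentence mnemonic scores high here but is weaker
    than the number suggests, because the sentence itself is not random."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def check_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    problems += [f"contains dictionary word '{w}'" for w in sorted(DICTIONARY_WORDS) if w in lowered]
    problems += [f"contains personal detail '{d}'" for d in sorted(PERSONAL_DETAILS) if d in lowered]
    if _squash(pw) in KNOWN_BREACHED:
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the two passwords the article itself mentions.
    for candidate in ["Password 1234", "FluffyTurtle2024!", "!HWTMNT1011TSIWAK!"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {estimated_bits(candidate):.0f} bits; {'; '.join(verdict)}")
```

The breach check squashes whitespace before comparing because attackers' wordlists do the same; and the entropy figure is deliberately reported as an upper bound, since a mnemonic built from a well-known phrase is far more guessable than its character mix implies.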
2. Look for the 5 Signs of a Phishing Email
Phishing involves fraudulent communication with the intent of stealing sensitive data (such as credit card information or login credentials), deploying malware into a computer system, committing financial fraud, or practically any other nefarious endeavor you might imagine.
Scammers get better all the time at tricking email users, but you can still look for red flags such as bad grammar and unusual requests. Don’t trust an email just because the sender’s address looks accurate, because email addresses can be easily spoofed.
Pay Attention To Multiple Parts Of Every Email To Determine If It Can Be Trusted:
1. The Email Account Name:
Right before the actual email address, your inbox may display a name. It is important to observe the name and compare it to the email address that is also being used. Suppose the inbox summary says the message is coming from “Employee Benefits”. There are a couple of questions to ask yourself upon seeing that name.
A) Do I know this name? Be suspicious! Does your company’s HR team call themselves “Employee Benefits?”
B) Compare the Email Account Name to other pieces of the email, especially the email address it’s coming from.
Perhaps “Employee Benefits” isn’t suspicious enough on its own to ring alarm bells in your mind, but after you look at the email address and see that it doesn’t at all match the account name, you know that you can’t trust the email.
2. The Email Address:
There are four major parts to pay close attention to:
A) The sender’s username, meaning everything before the @ (the “email” in email@example.com).
Does this look like it is coming from the sender the email claims to be? Are you familiar with this email username? Does it match what you expect?
B) The position of the @ symbol.
Sometimes cybercriminals place the @ symbol in unexpected places to try to slip past your attention to detail. If your company had an “A” in the name, such as Ark Enterprises, they may try to use an address that manipulates the position of the @, such as firstname.lastname@example.org. Read the whole address: the part after the @ is the domain that actually receives your reply, however familiar the text before it looks.
C) The domain name.
You need to consider who this is coming from. If it is coming from your own company, does the domain name match your company? Does it match the company it says it’s from?
D) The extension (the top-level domain).
Sometimes every other part of the email address matches what you’d expect except the extension! Check whether it differs from what you were expecting, such as .net, .org or .co in place of .com, or any other extension that doesn’t match who the email says it is from. Don’t overlook this!
3. Urgency or Danger.
The bad guys know that if they can elevate your stress level, you won’t be paying as close attention as you should. Adding urgency or danger to their message can often cause you to rush, increasing the chance you won’t stop to think twice before replying or acting.
The tip: Slow down and take the time to determine if an email can be trusted.
4. Enticing Offers.
Scammers are great psychologists who know how to appeal to your sense of urgency or curiosity. Cybercriminals also know that they stand a better chance of getting you to reply or click on their link and take action if they can grab your interest.
Many times, the bad guys play the numbers game and send their scam offers to as many people as possible in hopes of striking a chord with a handful of people who are interested. Other times they are targeting a niche group with a more specific scam offer.
Here’s a few best practices to avoid falling for enticing offers:
A) Don’t act on it from your work computer. You shouldn’t be using your work machine or work accounts for personal things anyway!
B) Remember that, if an offer seems too good to be true, it probably is!
C) If the offer comes from a suspicious sender, don’t click!
5. Call to Action.
Everything in the email, all the work the cybercriminal has put in, is all to convince you to take action and either click on the link they’ve given you, download the attachment, or reply to them.
STOP. RIGHT. THERE.
Don’t blindly trust links! Don’t blindly download attachments. Don’t blindly reply.
You must always fully verify it is an email that can be trusted before you take any action.
If you are on a laptop or desktop, you can hover over the link (without clicking) to see the URL it will actually send you to. If that URL looks nothing like where the link claims to take you, DON’T CLICK!
Also, if the email says it’s coming from a place you trust, but you aren’t sure about the email itself, then just use your browser separately and type in the website address you are familiar with.
Don’t open attachments from unknown senders. Word, Excel, and PDF files can carry malware, and so can archives (.zip) that wrap an executable. As a rule of thumb, don’t open any executable file (.exe, .scr, .bat, .js, .vbs and the like) from any sender, and be wary of Office documents that ask you to “enable content” or “enable macros”.
- Watch out for letter or number swapping:
  - ‘r’ next to ‘n’ to replace an ‘m’, such as .corn instead of .com
  - ‘0’ (zero) in place of an ‘o’
  - ‘!’ in place of an ‘I’
  - a lowercase ‘L’ (l) in place of an uppercase ‘i’ (I)
- Watch out for misplaced punctuation: “n.caldwell” or “nc.aldwell”
- Don’t click on a link from a company you don’t do business with or don’t expect any correspondence from.
- When in doubt, use a tool like VirusTotal to check whether anti-virus engines have flagged the URL as malicious (remembering that a clean result only means nobody has reported it yet).
3. Use Email-Security Tools
Email spam filtering and anti-virus help make your email more secure, but you need to keep them up-to-date. Enable automatic updates both for your security tools and your email application if you’re using a desktop version. Don’t forget to keep your mobile email app current as well.
4. Separate Personal and Work Accounts
If you have to use your machine for both work and personal activity, be sure you are doing all you can to separate them from each other.
Don’t sign up for personal accounts — such as social media, shopping accounts, or streaming services — with your work email. Even if you intend to sign up for a newsletter that is in line with your role at work, don’t use your work email unless the site has been approved by your company’s IT team.
The fewer groups, lists, or sites that have your work email address, the better. It’s also important to keep your personal accounts as safe as possible. To better protect your personal email, create a separate account for purposes like subscribing to newsletters, accessing gated content, and receiving merchant updates.
5. Don’t Email Sensitive Information
Email is not encrypted end to end by default: it can be read on the mail servers it passes through, it sits in the recipient’s mailbox and in backups indefinitely, and it is easily forwarded. Don’t email anything containing sensitive or confidential data. Instead, use a secure, encrypted file-sharing service, and send the link and any password through separate channels.
These are basic actions that all individuals can take to protect their email. Organizations should include these and other best practices in their cybersecurity awareness training program.
At the organizational level, a holistic cybersecurity plan should include other strategies like using more advanced email tools and threat detection and response, along with effective teaching materials to keep employees on guard, but even simple things that each end user does at the personal level can go a long way in keeping data secure.