Email accounts are a prime target for cybercriminals. Whether personal or professional, an email account contains a great deal of sensitive and valuable information and is a gateway to other online accounts. Protecting your email account is an essential part of securing your entire online identity.
Best Practices for Email Security
Keeping an eye out for phishing emails is an important first step in email security; however, clicking on a malicious link or opening a malware-laden attachment aren’t the only things that can go wrong in your email account. By following some simple best practices, you can make it much more difficult for a cybercriminal to gain access to your account.
Use a Strong Password
Password security is a serious problem for most people. According to SplashData, an estimated 10% of people use one of the top 25 most common passwords, making them trivially easy for a cybercriminal to guess. Additionally, the majority of people (65%) reuse the same password across multiple accounts, making it possible for a cybercriminal to use passwords exposed in a data breach to compromise other online accounts.
Email accounts are one of the biggest targets of these types of attacks. For most sites, a lost or forgotten password is fixed by sending a reset link to the user’s email account. If an attacker controls your email account, they may have access to all of your online accounts.
Using a strong, unique password for email accounts is vital. Using a password manager to generate and store strong, unique passwords for online makes implementing and maintaining strong password security easier and doable.
Enable Multi-Factor Authentication
The multi-factor authentication (MFA) means that it is necessary to have more than a password to log into an online account. Common MFA solutions include apps (such as Google Authenticator or Authy), SMS messages, and emailed one-time codes.
Enabling multi-factor authentication on online accounts can help to dramatically improve their security. According to Microsoft, 99% of attempted account compromise attacks can be blocked by MFA.
Check Email Recipients
Checking the sender of an email that you receive is important for protecting against phishing attacks. However, thinking hard about the recipients list of an email that you are about to send can be just as important.
Sending an email to the wrong person is one of the leading causes of accidental data breaches. In fact, 44% of employees admit to inadvertently exposing personally identifiable information (PII) by sending an email to the wrong person.
Before clicking the Send button, double-check the list of recipients on the email to ensure that you have the correct email address and that everyone on the email has “need to know” for any sensitive information that it may contain. While an email chain may not have been sensitive when it started, information added along the way may require a more selective recipients list.
Periodically Check Email Settings
Most of us never want to dive into the settings panes of our email programs. Whatever platform you use, there are a number of different options, most of which don’t apply to us.
Cybercriminals know about this reluctance to mess with email settings and are increasingly turning it to their advantage. After compromising an email account, cybercriminals will commonly configure mail rules to forward certain types of emails to an account under their control. This enables them to use the compromised account to collect data for or perform spear phishing and business email compromise (BEC) attacks without any suspicious emails showing up in the inbox.
As a protective measure, it is a good idea to periodically review the settings of your email accounts. If you see any mail forwarding rules to unknown email addresses or security settings configured to unsafe values, then it may be a good idea to change your password and dig a little deeper to see if your account has been compromised and used by a cybercriminal.
Be Careful with Links and Attachments
Phishing attacks are some of the most common types of cyberattacks. This is mainly because they are relatively easy to perform and because they work.
The majority of phishing attacks rely on malicious links or attachments to achieve their goals. When faced with an email containing a link or an attachment, it is always a good idea to take an extra moment to consider if anything “doesn’t look right.” If an email seems suspicious, do not click any links or open attachments, and, whenever possible, it is better to visit the target site directly by typing the URL in your browser and going from there rather than following a link sent to your email.
Trust but Verify
While phishing emails are often link and attachment-based, this is not always the case. Spear phishing emails, such as BEC attacks, do not require any malicious content in the email. Instead, they are designed to look benign and plausible while trying to convince you to immediately pay that outstanding invoice by wiring money to the indicated account.
When dealing with anything out of the ordinary in your inbox, it is always best to take a moment to verify the request out-of-band. Instead of replying to the email or calling a phone number included in it, find the phone number of the alleged sender through trusted means, such as a company directory or past invoices or contracts, and double-check that the request is legitimate. While this extra level of checking takes a few extra minutes, it is entirely possible that it will save the company thousands of dollars.
Implementing Strong Email Security
The best phishing attacks have the potential to fool anyone, even cybersecurity professionals. However, the majority of email-based threats capitalize on little mistakes, which give an attacker an opening to gain access to an email account or password.
Defending against these opportunistic attacks only requires simple security measures. Locking down email with a strong password and MFA and taking a more suspicious approach to email goes a long way toward protecting personal and professional email accounts against cyber threats.
It is always a great idea to do conduct an annual cybersecurity awareness training with your employees to keep them up to date with new threats. Also, providing phishing simulations are a great way to create a cyber secure culture. Contact us to discuss our awareness training.