ProtonBlog(new window)

Email is the #1 target for hackers. Here’s how to secure email for your business

Share this page

Email is the primary attack vector for hacking and fraud, and the situation is only getting worse. From 2017 to 2018, email-based attacks on businesses increased 476%, according to the most recent threat survey(new window) by the cybersecurity firm Proofpoint.

The FBI reports(new window) there are around 14,000 email scams each year worldwide, costing companies $12 billion. And most small businesses(new window) don’t believe they could remain profitable if they lost their data.

There are several reasons hackers target email so often:

  • Email attacks work — human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people.
  • Email accounts store lots of data — your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes.
  • Email is ubiquitous — everyone uses email, making the number of potential targets in a single organization as large as the payroll.
  • Email is identity — your email account is used to verify your identity, email addresses are often usernames, and a successful account takeover is an entrypoint to further attacks.

Given the stakes, secure email practices must be a priority for your organization. Based on what we know about attacks, implementing this advice can reduce your exposure to email attacks.

Train employees on common attacks

It’s important to create a culture of security awareness(new window) in your organization, and email security should be at the top of the list. There are a few areas you should cover:

Phishing

Phishing attacks(new window) attempt to trick victims into clicking on links or downloading attachments in emails that appear to be legitimate. Phishing emails often look obviously fake. But sophisticated ones might spoof the “from” address(new window) to look like an official sender and design the email in a convincing way.

For example, the phishing email that exposed Hillary Clinton’s campaign emails looked like this:

When her campaign manager clicked the “change password” button, it took him to a page operated by the hackers, where he proceeded to enter the login to his Gmail account. Other kinds of phishing attacks might result in malware or ransomware being installed on your device or network.

You can prevent phishing attacks by training your employees to be vigilant. As a general rule, they should never click on links or download attachments in unexpected emails without first verifying their legitimacy. Proton Mail provides a number of anti-phishing features(new window), such as report phishing and anti-spoofing protection with SPF(new window), DKIM(new window), and DMARC(new window). If you receive an unexpected email alert from an online service you use, it’s always better to go to the website and log in to your account there, rather than clicking the link in the email.

Fraud

The FBI report cited above focuses on another kind of email attack: scams. You’re surely familiar with the emails from strangers hoping to send you millions of dollars, provided you cover their wire fees up front. Businesses are often the target of more sophisticated scams that use social engineering.

One common tactic is to spoof(new window) a manager’s email address (or actually take over that person’s account) and send an “urgent” message to a lower-level employee asking for a quick transfer to a client. Or they might fake an invoice from a plausible vendor.

Employees should be trained to be skeptical of any emails requesting money transfers or sensitive personal or business data. If there’s any doubt, reach out to a manager or IT contact in the company.

Require two-factor authentication (2FA)

Every employee in your organization should use two-factor authentication (2FA) in any online account that offers it. With 2FA enabled, after entering their username and password, a person then also has to enter a code from a fob or an authenticator app installed on their mobile device. (Email and SMS codes are also common, though these are less secure. Hardware authenticators(new window) are most secure). If Hillary Clinton’s campaign manager had 2FA enabled on his Gmail account, the hackers would not have been able to access his account unless they also had control of his smartphone.

Enforce password security

Using a strong, unique password is the first line of defense for all your organization’s accounts and devices, including email. We have previously offered our recommendations for choosing strong passwords(new window), but there are two main points:

  • Use a different password for each online account.
  • The longer(new window) and more random your password is, the more secure it is.

There is no reason to ask employees to reset their passwords periodically or to require the use of certain kinds of characters. It’s much more important to ensure they are choosing a strong, memorable password or using a trustworthy password manager to help them do it.

Use encrypted email

Some email providers are more secure than others. If you are using an email service that does not use end-to-end encryption(new window), then there is a possibility that a data breach will expose your organization’s emails. For certain organizations, this can also increase your liability for penalties under HIPAA(new window) and the GDPR(new window).

Unlike Gmail and other mainstream providers, Proton Mail does not have the ability to decrypt users’ emails and neither do hackers. The only way someone could access messages sent between Proton Mail accounts would be to compromise the end-user or stage an elaborate man-in-the-middle attack. We have also taken measures, such as encrypted Proton Contacts(new window) and address verification(new window), to drastically reduce the possibility of one of these attacks succeeding.

Reduce your attack surface

Every email address is an opportunity for an attacker. So if you reduce the number of employees with publicly available email addresses, you can reduce your potential attacker’s options. You should only list essential employee names and contacts on your organization’s website. You can also consider using non-obvious email formulations that are difficult to guess. For example, instead of alice.smith@example.com, you could use as938@example.com.

Proton Mail is committed to providing the most secure email service possible for businesses. Over 10 million users, including thousands of organizations, governments, and small businesses, depend on us to keep their data safe. Learn more about Proton’s secure business email(new window).

Best Regards,
The Proton Mail Team

You can get a free secure email (new window)account from Proton Mail.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window).Thank you for your support.

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

How to share a PDF
Sharing a PDF with coworkers, friends, or family members can sometimes be trickier than it seems if you’re trying to share a large file or if you want to use secure encryption. In this article, we show you how to share any PDF quickly, easily, and se
Proton Pass for Windows
Proton Pass is launching its new app for Windows, allowing you to access our password manager from your desktop. As one of our community’s most requested features, it’s available to everyone starting today. Proton Pass is the centerpiece of our effo
password policy
Businesses are increasingly dealing with the fallout from cybercrime: The number of attacks is on the rise and the damage done is growing exponentially. One of the most common vulnerabilities for organizations are their passwords. Since they are your
How to free up disk space
If you’ve ever owned an electronic device of any kind, you know the struggle of running out of space. No matter if it’s a smartphone, laptop, or desktop computer, there never seems to be enough room for all your files. Let’s show you some simple ways
What is 3-2-1 backup
Data backup is vital for businesses and individuals alike: In case something happens to your primary computer, you always have a copy of your data to fall back on.  How should you approach backup, though? The 3-2-1 rule can act as a guide when decid
What was your first pet’s name? In what city were you born?  We’ve all had to answer these questions to reset a long-forgotten password, but consider how that works. Much of this information is easy to find for others (or easily forgotten by you), m