Email is the primary attack vector for hacking and fraud, and the situation is only getting worse. From 2017 to 2018, email-based attacks on businesses increased 476%, according to the most recent threat survey(new window) by the cybersecurity firm Proofpoint.
The FBI reports(new window) there are around 14,000 email scams each year worldwide, costing companies $12 billion. And most small businesses(new window) don’t believe they could remain profitable if they lost their data.
There are several reasons hackers target email so often:
- Email attacks work — human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people.
- Email accounts store lots of data — your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes.
- Email is ubiquitous — everyone uses email, making the number of potential targets in a single organization as large as the payroll.
- Email is identity — your email account is used to verify your identity, email addresses are often usernames, and a successful account takeover is an entrypoint to further attacks.
Given the stakes, secure email practices must be a priority for your organization. Based on what we know about attacks, implementing this advice can reduce your exposure to email attacks.
Train employees on common attacks
It’s important to create a culture of security awareness(new window) in your organization, and email security should be at the top of the list. There are a few areas you should cover:
Phishing
Phishing attacks(new window) attempt to trick victims into clicking on links or downloading attachments in emails that appear to be legitimate. Phishing emails often look obviously fake. But sophisticated ones might spoof the “from” address(new window) to look like an official sender and design the email in a convincing way.
For example, the phishing email that exposed Hillary Clinton’s campaign emails looked like this:
When her campaign manager clicked the “change password” button, it took him to a page operated by the hackers, where he proceeded to enter the login to his Gmail account. Other kinds of phishing attacks might result in malware or ransomware being installed on your device or network.
You can prevent phishing attacks by training your employees to be vigilant. As a general rule, they should never click on links or download attachments in unexpected emails without first verifying their legitimacy. Proton Mail provides a number of anti-phishing features(new window), such as report phishing and anti-spoofing protection with SPF(new window), DKIM(new window), and DMARC(new window). If you receive an unexpected email alert from an online service you use, it’s always better to go to the website and log in to your account there, rather than clicking the link in the email.
Fraud
The FBI report cited above focuses on another kind of email attack: scams. You’re surely familiar with the emails from strangers hoping to send you millions of dollars, provided you cover their wire fees up front. Businesses are often the target of more sophisticated scams that use social engineering.
One common tactic is to spoof(new window) a manager’s email address (or actually take over that person’s account) and send an “urgent” message to a lower-level employee asking for a quick transfer to a client. Or they might fake an invoice from a plausible vendor.
Employees should be trained to be skeptical of any emails requesting money transfers or sensitive personal or business data. If there’s any doubt, reach out to a manager or IT contact in the company.
Require two-factor authentication (2FA)
Every employee in your organization should use two-factor authentication (2FA) in any online account that offers it. With 2FA enabled, after entering their username and password, a person then also has to enter a code from a fob or an authenticator app installed on their mobile device. (Email and SMS codes are also common, though these are less secure. Hardware authenticators(new window) are most secure). If Hillary Clinton’s campaign manager had 2FA enabled on his Gmail account, the hackers would not have been able to access his account unless they also had control of his smartphone.
Enforce password security
Using a strong, unique password is the first line of defense for all your organization’s accounts and devices, including email. We have previously offered our recommendations for choosing strong passwords(new window), but there are two main points:
- Use a different password for each online account.
- The longer(new window) and more random your password is, the more secure it is.
There is no reason to ask employees to reset their passwords periodically or to require the use of certain kinds of characters. It’s much more important to ensure they are choosing a strong, memorable password or using a trustworthy password manager to help them do it.
Use encrypted email
Some email providers are more secure than others. If you are using an email service that does not use end-to-end encryption(new window), then there is a possibility that a data breach will expose your organization’s emails. For certain organizations, this can also increase your liability for penalties under HIPAA(new window) and the GDPR(new window).
Unlike Gmail and other mainstream providers, Proton Mail does not have the ability to decrypt users’ emails and neither do hackers. The only way someone could access messages sent between Proton Mail accounts would be to compromise the end-user or stage an elaborate man-in-the-middle attack. We have also taken measures, such as encrypted Proton Contacts(new window) and address verification(new window), to drastically reduce the possibility of one of these attacks succeeding.
Reduce your attack surface
Every email address is an opportunity for an attacker. So if you reduce the number of employees with publicly available email addresses, you can reduce your potential attacker’s options. You should only list essential employee names and contacts on your organization’s website. You can also consider using non-obvious email formulations that are difficult to guess. For example, instead of alice.smith@example.com, you could use as938@example.com.
Proton Mail is committed to providing the most secure email service possible for businesses. Over 10 million users, including thousands of organizations, governments, and small businesses, depend on us to keep their data safe. Learn more about Proton’s secure business email(new window).
Best Regards,
The Proton Mail Team
You can get a free secure email (new window)account from Proton Mail.
We also provide a free VPN service(new window) to protect your privacy.
Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window).Thank you for your support.
