Cyber Awareness 101: Email Security Best Practices
When you say the word "cyberattack," most people imagine a shadowy figure sitting behind a wall of computer screens, frantically typing away, trying to bypass security systems using high-tech tools that require significant technical knowledge. That's not a very accurate picture.
The vast majority of cyberattacks are low-tech, requiring nothing more than the ability to set up a simple website and send out some emails. The rest of the “hacking” is really just sitting around and waiting for a victim to take the bait – which is why these common attacks are known as phishing.
97% of companies have been targeted by a sophisticated phishing attack, and 90% of all corporate data breaches are a result of phishing or other similar social engineering attacks. When the costs of falling victim to an attack can run in the millions or tens of millions of dollars, you can't afford to ignore this simple and common threat.
Maintaining solid cyber awareness and email security practices is the best way to stop phishing attacks. Here is some information about phishing attacks and some best practices to help prevent them from threatening your company's bottom line.
Cyber Awareness: What Is Phishing?
As cybercrimes go, this is one of the simplest. It doesn't involve any significant technical skill but instead relies on tricking human users into giving the attackers information that they can then use to access computer systems illegally.
There are several different types of phishing attacks, but one of the most common typically runs something like this:
- The attacker sets up a simple webpage that looks exactly like the login page for a commonly used web platform, either a widely used shopping or service site or an online business platform. The page is set up so that any usernames and passwords submitted are sent directly back to the attacker.
- The attacker then sends out emails to dozens, hundreds, or even thousands of different email addresses, pretending to be a representative from the company or platform. The email may offer an exceptional bargain on a product, claim that there's a problem with a user's order, or otherwise prompt the user to click on a link contained in the email.
- The user clicks on the link and is taken to the attacker’s web page. Not realizing they’re not on the site they think they’re on, the user submits their username and password – and the attacker now has the key to the front door.
Phishing attacks have been used successfully to make fraudulent purchases, perform identity theft, access sensitive corporate data, install malware, and initiate ransomware attacks.
Cyber Awareness: Email Security Best Practices
While phishing attacks can originate on platforms other than email, email remains by far the most common threat vector for these costly attacks. Making sure your team is aware of and using the following best practices can go a long way towards reducing your risk of falling victim.
- Encourage Unique Passwords
Many phishing attacks are successful at gaining access to multiple systems at once for one straightforward reason: most people use one or two passwords over and over again on various platforms. When attackers get their hands on a user’s information for one platform, they’re also getting the information for several others.
Encourage your team members to use a different password for each online platform they use. Implementing a company-wide password management platform can make this easier for your employees to manage.
- Never Click Email Links
Most victims of phishing attacks click on a link in an email. While it may look like a link to, for instance, amazon.com, it may actually be pointing to a different site entirely. Users should always hover over links in emails and see if the actual link that pops up matches the URL indicated by the link text. If it doesn't match, don't click.
Even better, never click on an email link at all. If an email encourages you to visit a particular website, open up a browser window and type the URL in by hand – that way, you’ll know you’re going to the correct site.
- Be Hyper-Aware of Attachments
The other main threat from phishing involves email attachments – files that an attacker can use to install millions of different types of malware on computer systems. Train your employees to never trust attachments from unknown sources and to remain vigilant about email attachments that appear to be from trusted sources. Attackers can make their emails appear to come from almost anyone.
If an attachment is a particularly dangerous file type (.exe, .jar, .msi), always contact the alleged sender via phone, text, online chat, or other non-email channel and verify that they did, in fact, send the attachment in question.
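A mail gateway or helpdesk script can apply the same rule before a message reaches the user. The following is an added example, not part of the original article: it parses a raw message with Python's standard `email` package and lists attachments whose extension is one of the types named above. It goes slightly beyond the text by also labelling double extensions such as `.pdf.exe`; the sample message and function names are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extensions named in the article; extend the set to match local policy.
RISKY_EXTENSIONS = {".exe", ".jar", ".msi"}

def risky_attachments(raw_message):
    """Return (filename, reason) for attachments that need out-of-band verification."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        # get_filename() decodes RFC 2231 / RFC 2047 encoded names.
        name = (part.get_filename() or "").strip().rstrip(".")
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
            continue
        # "Invoice.pdf.EXE" looks like a PDF when the client hides extensions.
        reason = "double extension" if len(suffixes) > 1 else "risky extension"
        findings.append((name, reason))
    return findings

def build_sample():
    """Constructed message with one harmless and two risky attachments."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "employee@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for filename in ("notes.txt", "Invoice.pdf.EXE", "setup.msi"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample()):
        print(f"verify with sender by phone or chat: {name} ({reason})")
```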
- Implement Multifactor Authentication (MFA)
This practice isn't exactly an email security practice but an overall security best practice. Multifactor authentication requires users to verify their identity via more than one means before they gain access to your systems. You’ve experienced this if you’ve ever entered your password into a website and then been texted an access code that you then had to submit before being allowed in.
MFA won’t prevent your employees from falling victim to phishing attacks, but it will significantly reduce an attacker’s ability to access your systems once a user’s information has been compromised.
- Limit Access to Corporate Email
Another threat vector for phishing and other email-based attacks is unsecured computer systems. When your employees access their corporate email or other platforms on unsecured personal computers or mobile devices, they are exposing your corporate systems to any security flaws that may exist on their personal machines.
By only allowing employees to access company systems on company equipment, you can maintain better control over access and limit your systems’ exposure to bad actors.
Need to Improve Your Company’s Cyber Awareness? Schedule a Call, and Let Us Protect Your Data AND Your Business.
With cybersecurity services from Nocwing, you can rest assured that your company’s data is protected by a robust, next-generation stack of defenses, including human-monitored threat detection. Our team also understands phishing and social engineering tactics and has tools to both reduce the risk of these attacks and train your team on how to avoid them.
Nocwing is a full-service managed IT services company based in Griffin, Georgia, providing robust cybersecurity, IT management, business continuity/disaster recovery, user support, and VoIP solutions for companies throughout the Southeastern United States.