Email compromises cost on average $24,439 per case (PurpleSec). All it takes is one malicious phishing email to breach your system. That’s a tough pill to swallow when you realize how many emails enter your mailbox every single day. These emails can look like anything from an urgent message from your boss to a request from your bank. Knowing what may be a scam will not only boost your company’s cyber maturity, but ensure your employees follow safe email habits in their daily lives.
1. Don’t Open Attachments from Unknown Senders
92% of malware is delivered by email, often in the form of attachments disguised as PDFs, text files, and even photos (PurpleSec). If you receive an email that you weren’t expecting from an unfamiliar address, do not open ANY attachments. Your email provider (Outlook, Gmail, etc.) may have content blockers enabled to ensure you don’t accidentally click malicious attachments, but hackers have their workarounds.
Take a look at the example below. The email looks unassuming at first glance – a typical message about an outstanding payment. However, the first red flag is the random email address, not associated with any business. The second red flag is the mysterious Excel file attachment. Since nothing in this email is familiar, the attachment should not be previewed, opened, or downloaded.
2. Never Click Links Inside Spam Emails
Similar to the previous tip, never click links in spam emails. This even goes for the “unsubscribe” button at the bottom of such emails. For instance, the email below looks like any other unassuming sales pitch. However, we don’t know where that unsubscribe button goes. It’s best to play it safe and NOT click unsubscribe. Instead, forward the email to your IT team so they are aware of the potential threat.
3. Don’t Reply to Spam, Forward It To IT
While we’re on the topic of spam emails, you must avoid replying to them (no matter how tempting it may be). By responding to spam emails, you only confirm that your email is valid and a potential target.
Instead, you should forward all possible phishing emails to your IT department. They will be able to identify any patterns and alert your team of any social engineering attacks.
4. Beware of Phishing Emails
One of the most common attacks we see is phishing attempts. Hackers will imitate your boss, IT company, and even vendors with email addresses that are very similar. They’ll also express urgency to trick you into making an impulsive decision. Oftentimes, you’ll be asked to transfer funds to a new account or to simply reset your password with a link in the email. There are many red flags you need to watch out for when it comes to phishing emails.
The email below is a perfect example of a password phishing attempt.
At first glance, everything looks legitimate. However, there are a couple of red flags that point to this being a malicious email:
- The “From” email address is not an official Microsoft address
- The recipient did not create a support ticket with Microsoft
Always confirm with the sender of any emails asking to reset your password. If you didn’t request a password reset, do not click ANY link in the email. Even the company logo could lead to a malicious website.
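The red flags from tips 1 and 4 (a sender domain that doesn’t match the brand in the display name, a Reply-To that points somewhere else, an unexpected Excel attachment, and links that lead away from the claimed company) can be checked mechanically before anyone clicks. The script below is an added example for this post, not code from the original article or from any vendor it mentions; it uses only Python’s standard library. The trusted-domain allowlist, the risky-extension list and the three sample messages are all constructed for illustration, and an IT team would maintain the real lists.

```python
"""Heuristic triage of a raw email for the phishing red flags described above.
Added example; all domains, sample messages and lists are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed allowlist: brand -> domains that genuinely send mail for that brand.
TRUSTED_SENDER_DOMAINS = {
    "microsoft": {"microsoft.com", "accountprotection.microsoft.com"},
}
# Attachment types that should never be previewed or opened when unexpected.
RISKY_ATTACHMENT_EXT = {".xls", ".xlsx", ".xlsm", ".doc", ".docm",
                        ".zip", ".iso", ".js", ".exe", ".html"}
URL_HOST_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _under(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def _claimed_brands(msg):
    """Brands the message claims to come from, judged by display name and subject."""
    display, _ = parseaddr(msg.get("From", ""))
    text = f"{display} {msg.get('Subject', '')}".lower()
    return {brand for brand in TRUSTED_SENDER_DOMAINS if brand in text}


def sender_red_flags(msg):
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = _domain_of(addr)
    for brand in _claimed_brands(msg):
        if not _under(domain, TRUSTED_SENDER_DOMAINS[brand]):
            flags.append(f"claims to be {brand} but From domain is {domain!r}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {addr}")
    return flags


def attachment_red_flags(msg):
    flags = []
    for part in msg.iter_attachments():  # empty for non-multipart messages
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in RISKY_ATTACHMENT_EXT:
            flags.append(f"risky attachment {name!r} ({part.get_content_type()})")
    return flags


def link_red_flags(msg):
    """Links whose host is outside the claimed brand's domains (logo links included)."""
    flags = []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    hosts = {h.lower().split(":")[0] for h in URL_HOST_RE.findall(text)}
    for brand in _claimed_brands(msg):
        for host in sorted(hosts):
            if not _under(host, TRUSTED_SENDER_DOMAINS[brand]):
                flags.append(f"link to {host} although message claims to be {brand}")
    return flags


def triage(raw_message):
    """Return every red flag found; an empty list means no heuristic fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    return sender_red_flags(msg) + attachment_red_flags(msg) + link_red_flags(msg)


# Constructed sample: password-reset phish that imitates Microsoft.
PHISH_PASSWORD_RESET = """\
From: "Microsoft Support" <support@account-verify-now.example>
To: employee@example.com
Reply-To: helpdesk@mail-verify.example
Subject: Action required: reset your password
Content-Type: text/html; charset="utf-8"

<p>Your support ticket was closed. Please confirm your account.</p>
<p><a href="https://microsoft-login.example/reset">Reset password</a></p>
"""

# Constructed sample: "outstanding payment" mail from a random address with an Excel file.
PHISH_INVOICE = """\
From: payments9981@freemail.example
To: employee@example.com
Subject: Outstanding payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Please see attached invoice.
--B
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"

AAAA
--B--
"""

# Constructed sample: a genuine-looking notice whose sender and links stay on-brand.
LEGIT_NOTICE = """\
From: "Microsoft account team" <noreply@accountprotection.microsoft.com>
To: employee@example.com
Subject: Your sign-in activity
Content-Type: text/plain; charset="utf-8"

Review recent activity at https://account.microsoft.com/security
"""

if __name__ == "__main__":
    for label, raw in [("password reset", PHISH_PASSWORD_RESET),
                       ("invoice", PHISH_INVOICE), ("legit", LEGIT_NOTICE)]:
        print(label, "->", triage(raw) or "no red flags")
```

The heuristics are deliberately simple and produce false positives (a legitimate vendor may use a mailing service domain), so the output is a triage aid for the IT team that receives forwarded mail, not an automatic verdict. The "unexpected" part of tip 1 still needs a human: the script can say an attachment is a risky type, but only the recipient knows whether they were expecting an invoice.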
5. Avoid Sending Sensitive Information Via Email
It’s not a matter of if your email is compromised, it’s a matter of when. Take a proactive stance and limit the amount of sensitive information in your email inbox. You should really never send any of the following information over email:
- Bank Account & Routing Numbers
- Debit/Credit card numbers
- Social Security Numbers
- Driver’s License Numbers
- Any state-issued ID numbers
This also helps avoid potential phishing attempts to gain this information from you. If you refuse to send it via email, you’re less likely to fall victim to such attacks.
6. But If You Must, Encrypt Sensitive Emails
However, sometimes the situation may call for you to send sensitive information over email. If you have no other option, then make sure you’re taking extra safety precautions like email encryption. This prevents attackers from reading these emails if they are intercepted and allows only the intended recipient to view the information.
It’s also a good practice to delete emails with sensitive data as soon as you no longer need them.
7. Never Share Your Email Login Info
You should never share your login information to any account, but especially not to your email. Why? Think what happens every time you forget a password – you’re sent an email with a reset link. If a hacker gains access to your email, it’s basically a goldmine of other accounts they can easily infiltrate.
NEVER share your passwords with your coworkers, your boss, not even IT. Your IT company can access your account on their side without the need for your password. If they ever ask for it, that should be a major red flag that something isn’t right.
8. Use MFA For Email Logins
Multi-Factor Authentication is an absolute necessity in your cyber security toolkit. Essentially, it’s an extra way to verify that the person signing into your accounts is really you. Since login credentials are easily compromised, MFA is the last line of defense for your personal data.
Let’s say hackers managed to obtain your username and password. If MFA is enabled, you will receive a notification whenever there is a login attempt to your account. You simply deny the hacker’s request, and you now have an instant notification that someone has tried to compromise your account. Without MFA, it could be weeks or months until you realize someone else has accessed your personal information.
9. Be Cautious of Open Public Wi-Fi
Your favorite coffee shop or hotel lobby may offer free Wi-Fi, but oftentimes these conveniences are far from secure. It’s simple for malicious attackers to access your devices through public internet connections.
If you decide to utilize public Wi-Fi for work, make sure that you aren’t handing over information to hackers. Don’t access your personal or financial information on public Wi-Fi, and definitely don’t stay permanently signed into online accounts. If you need to access this kind of information, use your mobile device instead. Your mobile data is usually encrypted.
10. Keep Business and Personal Separate
We know it may be convenient to add your personal email and logins to your work computer, but we strongly recommend you don’t do that. Keep your business and personal devices separate to avoid cross-compromises. If your personal accounts are compromised this way, that could mean disaster for your business accounts (and vice versa). Plus, you can decrease exposure and increase work-life balance at the same time.
These are some of our top tips for beefing up your email security. By following these tips, you can be one step closer to protecting your business from cyber-attacks. Security is a team sport, so make sure everyone is on the same page about email security.
The cyber landscape changes daily, though, so this list is not exhaustive. Check out our YouTube Channel and other blog posts for more ways to stay protected and mitigate your risk.
Sources
Firch, J., & Allen, R. (2021, October 28). 10 cyber security trends you can’t ignore in 2021. PurpleSec. Retrieved December 7, 2021, from https://purplesec.us/cyber-sec….