What You Need to Know About Email Security
Social Engineering Inboxes and VoiceMail
Social engineering is non-technical, malicious activity that exploits human interactions to obtain information about internal processes, configuration and technical security policies in order to gain access to secure devices and networks. Such attacks are typically carried out when cybercriminals pose as credible, trusted authorities to convince their targets to grant access to sensitive data and high-security locations or networks.
An example of social engineering is a phone call or email where an employee receives a message that their computer is sending bad traffic to the Internet. To fix this issue, end users are asked to call or email a tech support hotline and prompted to give information that could very likely give the cybercriminal access to the company’s network.
Phishing Email Compromises
One of the most common forms of social engineering is email phishing—an attempt to acquire sensitive information such as usernames, passwords and credit card data by masquerading as a trustworthy entity. Phishing is likely the #1 primary email security threat employees need to focus on.
Such emails often spoof the company CEO, a customer or a business partner and do so in a sophisticated, subtle way so that the victim thinks they are responding to a legitimate request.
Among the reasons these scams succeed are the appearance of authority—staffers are used to carrying out CEO instructions quickly. That’s why phishing can be so easy to fall victim to.
Four Common Phishing Techniques
The scope of phishing attacks is constantly expanding, but frequent attackers tend to utilize one of these four tactics:
- Embedding links into emails that redirect users to an unsecured website requesting sensitive information.
- Installing Trojans via a malicious email attachment or posing ads on a website that allow intruders to exploit loopholes and obtain sensitive information.
- Spoofing the sender address in an email to appear as a reputable source and requesting sensitive information.
Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.
Email Security Best Practices—Five Ways to Block Phishing Attacks
Employees should always be suspicious of potential phishing attacks, especially if they don’t know the sender. Here are five best practices to follow to help make sure employees don’t become helpless victims:
- Don’t reveal personal or financial information in an email—Make sure employees also know not to respond to email solicitations for this information. This includes clicking on links sent in such emails.
- Check the security of websites—This is a key precaution to take before sending sensitive information over the Internet. <http> indicates the site has not applied any security measures while <https> means it has. Also consider if employees are practicing safe browsing habits. Sites that do not serve a legitimate business purpose are also more likely to contain harmful links.
- Pay attention to website URLs—Not all emails or email links seem like phishing attacks, so employees may be lured into a false sense of security. Teach them that many malicious websites fool end users by mimicking legitimate websites. One way to sniff this out is to look at the URL (if it’s not hidden behind non-descript text) to see if it looks legit. Employees may also be able to detect and evade the scheme by finding variations in spellings or a different domain (e.g.,.com versus .net).
- Verify suspicious email requests—Contact the company they’re believed to be from directly. If an employee receives an email that looks odd from a well-known company, such as a bank, instruct them to reach out to the bank using means other than responding to the suspicious email address. It’s best to contact the company using information provided on an account statement—NOT the information provided in the email.
- Keep a clean machine—Utilizing the latest operating system, software and Web browser as well as antivirus and malware protection are the best defenses against viruses, malware and other online threats. It may be difficult for employees to do this, so the business may want to invest in a managed IT services provider who can also be a trusted advisor for all IT needs.
Next blog: User Name and Password Management
For more information on keeping your small business secure call 678-389-6200 or contact us online.