Email is an essential part of any modern-day business: it is used by over 90% of companies, and the average business person sends and receives about 112 emails per day. As a result, it represents a consistent and reliable attack surface for hackers, and properly securing your company’s corporate email is an important part of your overall security strategy. Through email, hackers can use many different methods to get access to your network. First, they can trick people into giving away important information such as their username or password. Second, they can trick people into downloading malware onto their computer, which gives the hacker direct access to that machine. What makes this particularly difficult to stop is that the target of the email is often not very knowledgeable about these things, so they are less likely to recognize a suspicious email. To minimize the risk of someone falling for these scams, it’s important to have the right controls in place. Here I outline some of the main ways attackers try to trick users through email and the controls you can use to stop them:
Social engineering is one of the most common attack vectors in security. It is the practice of manipulating people into performing actions or giving up confidential information. Some of the common types are described below:
One of the most common social engineering techniques used against companies is the phishing attack delivered through email. Phishing is the act of pretending to be a legitimate person in order to get someone to give up information: usernames, passwords, credit card numbers, employee information and so on. 90% of all security incidents involve the use of a phishing attack. Below is an example of a well-crafted phishing email.
The goal of this email is to have you click on the login link, which would send you to a replica of the PayPal site; once you enter your login information, it would be sent directly to the hacker.
Email with Malware Attachments
Another way hackers use email in their attacks is to attach malware that looks like a real attachment and trick the user into downloading it. There are many software packaging tools that can make a script look like a PDF or Word document, complete with the expected file extension and icon. Additionally, hackers can write malware as macros attached to an otherwise legitimate Excel or Word file; once the file is downloaded and macros are enabled, the program runs automatically.
Spear phishing is phishing targeted at a specific individual. It requires the hacker to do research beforehand in order to craft an email tailored to that person. Because these messages are so tailored, they have a much higher chance of success than a regular phishing email. Spear phishing against high-level company executives like the CEO, CSO or CIO is referred to as whaling. Here is a comprehensive breakdown of a spear phishing email.
Spam and Phishing Filters
Most email providers come with spam and phishing filters that screen out many of the phishing emails sent to your company. Look up a guide or tutorial for your email provider and set them up to block the obvious emails.
Enabling two-factor authentication (2FA) can mitigate the effects of a phishing email. If someone is tricked into giving up their login information, the hacker still won’t be able to log in to the account with the password alone if 2FA is enabled.
Browser Based Password Managers
Browser-based password managers come with all modern browsers, including Safari, Chrome, Microsoft Edge and Firefox. They indirectly prevent users from being tricked into entering login information because of a phishing email. Let’s use Facebook as an example. These password managers save your password for a specific website when you create it, in this case Facebook.com. If a phishing email takes you to a fake Facebook login page, the browser recognizes that this is not the correct site and does not autofill your password, which prevents you from accidentally sending it to the hacker.
Chrome Password Manager
It’s important to train employees to properly identify phishing emails. For a phishing email to succeed it must trick the user, so investing time in educating your employees is an important part of defending against it. Many phishing emails share several common components that employees can be taught to look for:
1) Incorrect sender domain: for example, someone claiming to be a Google employee sending an email from @gmail.com instead of @google.com.
2) Vagueness: many phishing emails avoid specifics. Instead of using your name they say sir/madam, or they may speak of an account without referencing an account number.
3) Sense of urgency: the email tries to make the matter seem like an emergency or time-sensitive issue in order to compel people to take action.
4) Call to action: this is where they ask you to do something in particular, such as log in to a webpage, call a certain number, email back with your account information and so on.
5) Poor grammar: many phishing emails have poor grammar and spelling errors, the type of errors you wouldn’t expect from a legitimate company.
6) Strange attachments: if the email is unsolicited and contains a strange-looking attachment, that can also be a giveaway that it is a phishing email.
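As an added example (not part of the original post), here is the checklist above turned into detection logic in Python, run over a constructed sample message. The grammar check (5) is left to a human reader, the two-label domain heuristic stands in for a public-suffix list, and the link check is the same origin comparison described in the browser password manager section.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample for the demo (not a real email; hostnames use .example).
SAMPLE = """\
From: "PayPal Support" <security@paypa1-alerts.example>
Reply-To: recover@freemail.example
Subject: URGENT: your account will be suspended within 24 hours

Dear Sir/Madam,
We detected unusual activity. Please login immediately at
http://paypal.com.account-verify.example/login to avoid suspension.
"""
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe"]  # constructed double-extension name
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspend\w*)\b", re.I)
GENERIC = re.compile(r"\bdear (sir|madam|customer|user)\b", re.I)
ACTION = re.compile(r"\b(log ?in|verify|click|call|reply)\b", re.I)
RISKY = re.compile(r"\.(exe|scr|js|vbs|hta|docm|xlsm)$", re.I)

def reg_domain(host):
    """Last two labels of a hostname (a real tool would use the public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw, attachments=()):
    """Return the checklist indicators that fire for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = reg_domain(addr.split("@")[-1])
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits = []
    # 1) Sender domain: the brand in the display name is missing from the
    #    sending domain, or Reply-To routes answers to a different domain.
    brands = [w.lower() for w in re.findall(r"[A-Za-z]{4,}", name)]
    if brands and not any(b in from_dom for b in brands):
        hits.append("sender-domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reg_domain(reply.split("@")[-1]) != from_dom:
        hits.append("reply-to-mismatch")
    # 2) Vagueness, 3) urgency, 4) call to action: keyword checks.
    for label, pat in (("generic-salutation", GENERIC), ("urgency", URGENCY),
                       ("call-to-action", ACTION)):
        if pat.search(text):
            hits.append(label)
    # 4b) Link whose registered domain is not the sender's (the comparison a
    #     browser password manager makes before it autofills).
    if any(reg_domain(h) != from_dom for h in re.findall(r"https?://([^/\s]+)", text)):
        hits.append("link-domain-mismatch")
    # 6) Strange attachments: executable/macro-enabled type or double extension.
    if any(RISKY.search(f) or f.count(".") > 1 for f in attachments):
        hits.append("risky-attachment")
    return hits
```

Running `phishing_indicators(SAMPLE, SAMPLE_ATTACHMENTS)` fires every indicator on the sample, while a plain internal message whose links stay on the sender's domain returns an empty list.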
Mail Based Antivirus
You should use an antivirus that is capable of scanning email attachments. That way, if someone receives an email with a malware attachment pretending to be a legitimate file, the user is alerted and prevented from downloading or opening it.
Email is an integral part of the modern-day business and will most likely be here for a long time. However, it serves as an easy communication point between your company’s employees and an outside hacker. It’s important that companies implement the proper controls and employee training to reduce the chance that hackers are able to exploit this. Employees should be trained to recognize phishing emails and encouraged to use 2FA and browser-based password managers. On the technical side, spam and phishing filters, along with email-based antivirus, will drastically reduce the likelihood of phishing attacks tricking your employees.