List: Phishing scams and spam – what email threats should you be looking out for?
Email is one of the most common routes in which a hacker can gain entry to your data and organisation. Organisations should be vigilent to this every-day tool, with constant reviews in how email security can be improved.
Here are a few of the major email-related threats out there and how they can be mitigated.
1. Human error
As Tony Pepper, CEO of Egress, says, “despite the fact we know that human error is the leading cause of data breach incidents, organisations continue to fail to tackle this problem.”
Pepper was speaking in the context of the news today that Microsoft accidentally sent out an internal dossier containing profiles on members of the press to the magazine Gizmodo.
The leak was probably due to the autocomplete function on email, which supplies the email address of common recipients based on the first few characters that somebody types into the ‘to’ field.
In Microsoft’s case, the leak was perhaps slightly embarrassing but hardly damaging, but it would be easy for the same leak to happen with more sensitive information.
The obvious solution here is for employees to take more care, which may require some training from the IT department in good email hygiene.
However, implementing controls on the data itself, such as encrypting it with keys that are only shared internally, is another way of preventing this kind of data breach.
According to research by Cyber Security Partners (CSP), there are 156 million phishing emails sent every day.
Phishing emails essentially aim to trick a user into giving up personal information.
A spear phishing email is more targeted still, appearing to be from an individual or business that you know.
The growing amount of information that people are putting online is making targeted phishing scams more common.
A recent scam, for example, sends an email to all of a victim’s contacts, claiming to have been stranded at a foreign airport and asking for the money to fly home.
Solutions include training employees to recognise the hallmarks of a phishing scam and to establish controls to ensure that the sender of a message is always verified.
A common email-based attack uses attachments to get a document with malicious code onto a victim’s computer.
The attached file could be almost any type. It could be a Microsoft Word document claiming to be a CV, or a PDF claiming to be a financial report.
The executable code is concealed within the document; in Microsoft Word this could be hidden in the form of a macro. Once the user enables macros, the code is executed and the PC can be taken over.
As well as training employees to recognise these kinds of documents, there is firewall and antivirus software available that can easily detect these kinds of files and
There have been several major cases in the news recently of account details such as usernames and passwords appearing on the Dark Web, with big companies involved such as O2 and Yahoo.
From an email perspective, this is a cause for concern. Employees are likely to have a consumer email account to use for tasks outside of work.
However, due to the difficulties involved in creating and remembering multiple passwords, people will often use the same passwords for multiple accounts.
Then, when a low security database is hacked into and these details are stolen, these details will still be valid credentials for accessing the email account.
This is a good reason to ensure that employees are given the tools that they need to do the job.
If employees are regularly finding their work email accounts inadequate for the tasks that they need to complete and resorting to using consumer email applications, it could be just a matter of time before sensitive corporate data is sitting inside their consumer account.