If you look at the biggest breaches of the last couple of months, you will notice that the majority of them start with an email. Many cybercriminals use email as a gateway to spread malware and infect computers in a variety of ways. It often involves tricking users into clicking a malicious link or downloading an attachment, or an unusual direct request from a senior official that gets employees to make a wire transfer and bypass normal office protocols.
Phishing has been around since the mid-‘90s, yet many companies and individuals continue to fall victim because the attacks become more sophisticated over time. Most attacks also target large corporations and large numbers of people all at once.
Just recently, a spear-phishing attack that targeted Twitter made headlines, causing the accounts of notable people such as Elon Musk and Joe Biden to post fake tweets promoting a bitcoin scam. This shows that even Twitter, with its heightened security protocols, can still suffer a breach. It also shows how critical it is to raise your company’s online security etiquette and implement security solutions wherever possible.
According to Proofpoint's 2020 State of the Phish, almost two-thirds of US organizations “experienced a successful phishing attack last year”, which was far higher than the global average of 55%.
We cannot emphasize enough how critical a role email plays in keeping online systems secure. Even the most sophisticated technology for detecting phishing scams lets some malicious emails through undetected. As such, here are some things to look for when receiving crucial emails:
The email is from a public email domain
According to Barracuda, just 10 popular email domains are used to launch 62% of phishing attacks, with the Gmail.com domain accounting for 30% of the total recorded attacks.
When receiving an urgent email that requires the recipient to act quickly, again involving one of the three things above (downloading an attachment, clicking on a link, or performing a wire transfer of some sort), always ensure that the email address is legitimate and free from misspellings or alterations, and that the email domain is legitimate.
Misspellings and use of spoof emails
This goes together with the previous point: with display-name spoofing, attackers create a Gmail or other email account and impersonate someone else simply by changing the display name.
Email domain phishing or spoofing lets attackers set a reply-to address that differs only slightly from the address of the company they are imitating.
Since mobile email clients often show only the display name and not the actual email address of the sender, employees who read email on mobile devices are more prone to this type of scam. So, each time a user receives an email that claims to be from your company or its partners, make sure the source is legitimate by inspecting the sender’s email address carefully. It might save your employees, and your company, a lot of trouble.
Pressure and sense of urgency
85% of all phishing attacks are crafted to induce a sense of urgency, or in some cases even panic. The perpetrators often pretend to be a senior executive or trusted colleague. A victim in a panic will most likely not question the motives or inspect the email closely and will go completely on autopilot, which is why it is such a widely used tactic. It only takes a second to shift the target from doing exactly as the phishing email says to doing what they should: inspecting the email and making sure the sender is exactly who they claim to be before acceding to any request.
Request for wire transfer
In CEO fraud, a specific type of Business Email Compromise (BEC) scam, fraudsters identify themselves as high-level executives, lawyers, or other legal representatives and ask for a wire transfer to be sent to a bank immediately. Be wary of these types of emails and perform a background check before proceeding. Also have a protocol that must always be followed, such as a designated person to call for verification before proceeding with any form of transaction.
Email attachments and links
Phishing emails are known to contain malicious attachments or links that can compromise a computer and lead to data files being stolen or spied on. When receiving an email, do not download an attachment or click on any link without inspecting the sender’s email address first. This is critical because some websites can harm your computer just by being visited, an attack known as a drive-by download.
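As an added example (not GlobalSign's code), the following Python script applies the red flags listed above to a raw message: public sender domain, display-name spoofing, a mismatched Reply-To, urgency and payment wording, and attachments. The sample message, the public-domain list and the keyword lists are constructed for illustration.

```python
# Added example (not GlobalSign's code): apply this post's red flags to a raw email. The message, domain list and keyword lists are constructed.
import email
from email import policy
from email.utils import parseaddr
# Free webmail domains anyone can register (constructed list; the Barracuda figure above singles out Gmail).
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "today")
TRANSFER_WORDS = ("wire transfer", "bank account", "payment", "invoice")
# Constructed CEO-fraud message: Gmail sender, company display name, mismatched Reply-To, attachment.
SAMPLE = """\
From: "Acme CEO" <acme.ceo.office@gmail.com>
Reply-To: <ceo@acme-corp.co>
Subject: URGENT - wire transfer needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

In a meeting, cannot talk. Pay the attached invoice to the new bank account immediately.
--b1
Content-Disposition: attachment; filename="invoice.pdf"

(constructed attachment body)
--b1--
"""

def check_message(raw: str, company_domain: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in PUBLIC_DOMAINS:
        flags.append(f"sender uses public email domain {domain}")
    # Display-name spoofing: the name claims the company, the address does not.
    if company_domain.split(".")[0] in name.lower() and domain != company_domain:
        flags.append(f"display name '{name}' does not match address {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"reply-to {reply_to} differs from sender {addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    for label, words in (("urgency language", URGENCY_WORDS), ("payment request", TRANSFER_WORDS)):
        hits = [w for w in words if w in text]
        if hits:
            flags.append(f"{label}: {hits}")
    # Attachments arriving with such a request deserve a phone call before opening.
    for part in msg.iter_attachments():
        flags.append(f"attachment: {part.get_filename()}")
    return flags
```

Run `check_message(SAMPLE, "acme.com")` to see all six indicators raised for the constructed message; a plain internal note from a colleague at the company domain returns an empty list.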
Protecting E-mail Communications through S/MIME
The convenience and benefits email offers come with some risks. Hackers have become better at targeting businesses via email, whether by intercepting messages to obtain sensitive information or by using email spoofing to redirect potential victims to phishing sites or trigger malicious downloads. Therefore, businesses need to use email encryption to ensure security across email communications.
Secure/Multipurpose Internet Mail Extensions, more commonly known as S/MIME, is a technology that allows users to digitally sign and encrypt their emails, ensuring message privacy and keeping sensitive data from falling into the wrong hands.
Digitally signing and encrypting emails through S/MIME can protect your company against phishing and data loss.
It also ensures security without the confusion. If this is your first time hearing about S/MIME, don’t be anxious about using it! Its implementation and usage require minimal user training. For most clients, digitally signing and encrypting an email is as simple as clicking a button, and this can often be applied to all outgoing messages automatically.
GlobalSign offers comprehensive certificate management, including S/MIME certificates for email encryption and added safety to protect emails from unwanted access. Our point-to-point message encryption is also compatible with many popular enterprise email clients. You can request a demo!