August 18, 2023
Paris Evangelou

Email Security in 2023 - The Hidden Dangers

Tech Made Simple: Secure IT Solutions for Business with a Personal Touch — from Syslogic’s Chief Problem Solver

Does Email Still Matter in 2023?

In the digital age of 2023, email remains an indispensable tool for personal and business communications. Its continued importance is undeniable, and with this comes a multitude of security risks and hidden dangers. The need for comprehensive email security solutions and practices for businesses is now more vital than ever.

Email accounts hold a wealth of sensitive data, both personal and professional. They contain years of correspondence, financial records, company data, sensitive company information, and more. Given the increasing number of cyber threats in today's digital landscape, protecting this treasure trove of information is paramount.

External parties and their threats

The dangers associated with emails from external parties are significant and varied. Email technology remains remarkably anonymous; although every email carries a name and domain, it's not always clear how to validate this information. This ambiguity makes it easy for malicious actors to hide their true identities, posing significant security risks.

Phishing attacks via malicious emails are a prime example of the threats posed by external parties. These emails, seemingly from trusted sources, lure users into providing login credentials or other sensitive information. For instance, an email pretending to be from a bank may prompt users to click a link and log in due to "suspicious activity." However, the link leads to a fake website where attackers can harvest the entered credentials. In most cases, falling victim to this type of attack is a result of human error and not negligence. Many employees suffer from email overload, receiving a large number of messages per day. These attacks are not limited to individuals; businesses also fall victim to sophisticated phishing schemes.


Varieties of Email Attacks

Other prevalent email threats include spear-phishing, where attackers craft personalized messages targeting a specific person or organization, and whaling attacks, which aim those attacks at high-profile companies or individuals. Business Email Compromise (BEC) is another dangerous tactic, with attackers impersonating company executives to make fraudulent requests for sensitive information. Phishing attacks are a subject in themselves, but very closely related to this article. You can read more about how to safeguard against phishing attacks in this article.

Malware and ransomware attacks, too, can spread through malicious email attachments or phishing links. For example, in 2020, the city of Florence, Alabama, fell victim to a ransomware attack after a city employee received a spear-phishing email. The city ended up paying a $300,000 ransom after attackers gained access to sensitive data.

The consequences of a successful attack are severe. Once attackers have access to an email account, they can wreak havoc. They can steal personal or financial information, reset passwords for other accounts, lock users out of their own accounts, or even send malware to email contacts. In some cases, attackers may demand a ransom for the return of the email account.

SIM Swapping

One of the indicators of how important email is to criminals is the practice of SIM swapping or "SIM jacking". Cybercriminals use this method to trick mobile service providers into transferring a phone number to a new SIM card under their control. This highlights the weakness of using SMS-based second-factor authentication for main logins or password recoveries. If users rely on SMS-based two-factor authentication for their email accounts, attackers who control the phone number can intercept those codes and gain access.

Protecting Email Accounts

To guard against these threats, users and organizations should be proactive. Multi-factor authentication (MFA) is an effective first step, adding an extra layer of security by requiring two or more verification forms before granting access. Due to the risks of SIM swapping, it is safer to use an authentication app or hardware token for MFA instead of SMS codes.


Reused passwords

While many services have strong password policies, no service can guarantee that employees will not reuse passwords across multiple different services, including personal accounts. Reused passwords are an easy target for threat actors. Employee training programs must include the topic of password hygiene (how to generate and manage strong passwords).

Strong, unique passwords are essential for email accounts and should be part of user best practices. Password managers can assist in generating and storing complex passwords without the need to remember them all. Users should also be aware of phishing attacks and skeptical of unsolicited emails, especially those requesting personal information or urging link clicks. Verifying the sender's identity through other means before responding to business email is always a good practice.

Account Auditing

Improving email security in 2023 has to include regular account activity monitoring. If any suspicious activity, such as logins from unfamiliar locations, is observed, users should take immediate action. Updating account recovery information like phone numbers or secondary email addresses ensures that users can regain access if locked out.

It is also essential always to use secure connections when accessing email accounts. On public Wi-Fi, a Virtual Private Network (VPN) should be used to encrypt the connection. Users should also ensure that visited websites use SSL/TLS encryption, indicated by "https://" in the URL.

Organizational Email Security

For businesses, email security should be a top priority. They should implement technologies and practices like Secure Email Gateways (SEGs) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to filter and authenticate incoming emails. Employee training on recognizing phishing emails is crucial, as is conducting simulated phishing exercises so employees can test their response.

Email Security in 2023 for Small Business

Small businesses can feel left out when it comes to some of these solutions, but there are relatively small steps that SMBs can take that don't require advanced IT skills or a dedicated IT staff.

To improve email security in a small company without a dedicated IT staff, here are some practical steps that can be taken. Best of all, some of these steps come at little or no added cost, and they address the human behavior that leads to data breaches.

First, encourage employees to use strong, unique passwords for their email accounts and to update them regularly. Consider using a password manager to create and store complex passwords.

Second, enable multi-factor authentication (MFA) for all email accounts, which adds an extra layer of security by requiring two or more forms of verification before granting access.

Third, educate employees about the dangers of phishing emails and how to recognize them. Encourage them to be skeptical of unsolicited emails, especially those asking for personal information or urging them to click on links.

Fourth, implement a reliable antivirus and anti-malware software to protect against malicious attachments and links.

Fifth, back up important company data regularly, so that in the event of a ransomware attack, the company can restore its data without paying a ransom.

Sixth, use a secure email provider that offers built-in security features such as email encryption and spam filtering.

Lastly, companies should consider hiring an external IT consulting firm or MSP for security audits, recommendations, and strategies. With the advent of remote work, a comprehensive email security strategy may be all that is needed. MSPs can help bridge the gap for small organizations. To read more on what cost-effective security solutions are available through MSPs, take a look at this article. This can be a cost-effective way to ensure your company's email security is up to date.

These steps are relatively simple and don't require advanced technical skills, making them suitable for small businesses without an IT team.

Conclusion

Securing email accounts is a fundamental defense to protect yourself against cyber threats. Though it might seem tedious, investing time in protecting this digital treasure chest will pay off by keeping personal and financial information safe.
