One of the biggest risks involved in using e-mail is

With the number of public email security risks, attacks, and misfires, you’re not the only person wondering “is it time to reduce dependency on email?”

There is no doubt that there are more collaborative options on the market. And it’s common for heavy users of tools like Microsoft Teams to preach the productivity benefits. But the most pressing concern for IT administrators remains security.

Are these alternative tools more, less or as secure as email? And if email security is such a big problem, how do you address it without destroying your company’s communication hub?

In this post, we will provide details on the following:

  1. Are emails safe?
  2. What are the risks of email?
  3. What is phishing?
  4. What are examples of phishing?
  5. Why phishing is dangerous
  6. Types of email security

Are emails secure?

Most emails are encrypted in transit. This means that the process of sending an email is secure during transmission. Technically, no one can see your email during the send/receive process.

Because of this, we tend to think of email as the most secure method of written communication.

Andra Zaharia, cybersecurity expert and marketer, explains why we view email as a critical layer, and not just because it’s old and trustworthy.

“There are tons of layers of security designed to protect email, but it’s also an important component of our digital identity. Sharing passwords, data, and collaborating on sensitive things on free tiers of Slack (and some other platforms) is much more dangerous because it lacks the robustness and layers of risk mitigation that email has.”

But when emails are static (at rest), i.e. they are not being sent from one account to another, they are stored as text. This means that the sender, the receiver, and even third parties, such as the email provider itself, can read your emails.

While this may sound intrusive, when you sign up for any email account, you agree to the terms and conditions that set out the reasons third parties may need to read your email. These are also for your safety.

So, since the only people who need access to your emails do so for good reasons, you might think emails are safe, right?

Well, not so much, according to the Federal Bureau of Investigation (FBI).

According to the FBI, phishing is the most common route criminals use to infiltrate an organization. There were 1,100% more complaints about it in 2021 compared to 2016, and more than $2 billion was lost to corporate America alone.

Users of services like Microsoft 365 often assume that email security is built into the package. And it is, but only up to a point.

Is email secure?

Tom Arbuthnot, a Microsoft MVP, explains how email is not as secure as we think and that there are still things to consider:

“If the specific question is ‘is email secure?’ then this question usually infers whether people outside the target audience can access or change the content.

By default, email is encrypted in transit between users within the same provider. So if all users are in Gmail or Microsoft 365, it will be encrypted in transit.”

Here is a simplified diagram showing Microsoft 365 email encryption:

Tom continues: “With a group of users from different providers, email is not secure in transit, so it will travel across the internet unencrypted, as if it were written on a postcard.

Anyone can read it or the content, including files, on the way. By default, it’s easy for the recipient to take the content, share it again, or forward it, either accidentally or intentionally. This is usually the biggest security concern.

Email systems like Microsoft 365 allow you to use Information Rights Management (IRM) to encrypt and also apply usage restrictions to email messages.

For example, users can receive a message but not forward or capture it (of course, they can always pull out their camera phone, a challenge for all types of communication).

If you use email to collaborate on a document, it would always be better to share a link to the content, for example to OneDrive, where you can choose exactly who can see and contribute to the content and even, if it’s a Microsoft Office document, whether the user can download it or not. You can also revoke access later.

Finally, it’s important to protect how your users access email.

Like any online tool, they should use multi-factor authentication. It’s no good encrypting email in transit or at rest if someone can log in with a valid user identity and access the contents.”
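The hop-by-hop encryption described in the quote above can be checked on a message you have received, because each mail server records how it accepted the message in a `Received` header. The following is an added example, not part of the original post; the sample message and host names are constructed, and the keyword list comes from the registered `with` protocol types (RFC 3848 and RFC 6531).

```python
import re
from email import message_from_string

# Constructed sample: the cross-provider hop (bottom Received header) used
# plain SMTP; the later hop inside the recipient's provider used TLS.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
    by store.recipient.example with ESMTPS id abc123
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
    Tue, 01 Mar 2022 10:00:02 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
    by mx.recipient.example with ESMTP id def456;
    Tue, 01 Mar 2022 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed test message

hello
"""

# "with" keywords that mean the hop was accepted over STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_report(raw_message):
    """Return [(receiving_host, used_tls)] in delivery order, first hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Servers prepend Received headers, so the oldest hop is at the bottom.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold the multi-line header
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+(\S+)", text, re.I)
        used_tls = bool(
            (proto and proto.group(1).upper().rstrip(";") in TLS_PROTOCOLS)
            or re.search(r"version=TLS", text, re.I)
        )
        hops.append((by.group(1) if by else "?", used_tls))
    return hops


def cleartext_hops(raw_message):
    """Hosts that accepted the message with no TLS marker recorded."""
    return [host for host, tls in hop_report(raw_message) if not tls]
```

Only the headers added by your own mail servers are trustworthy, since earlier ones are supplied by the sending side, and a missing TLS marker means the hop did not record TLS, not proof that it was absent.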

So if the risks don’t necessarily lie with who reads your email once you’re done sending and receiving it, what are the biggest email security risks we face today?

What are the risks of email?

1 – False sense of security

Andra Zaharia, cyber security expert and marketer, highlights how email security gaps lead to over-reliance on inboxes and failure to protect our email accounts.

“As email users, we all have a false sense of security in our inboxes, what ethical hacker James Linton calls inbox hypnotism™. Therefore, glaring gaps in email security make it even easier for cybercriminals to exploit our inherent trust in our inboxes through deceptive elements that manipulate our perception and actions. The biggest risk that mediocre email protection creates is that it exposes one of the most trusted layers from the organization that always unlocks access to the most valuable assets targeted by attackers (data or $$$).”

2 – Possible forgery

Unlike “wet” signatures, providing an email signature on a document is a quick task that saves postage, effort, and time.

Tools like EchoSign and DocuSign exist to make the process of sending and signing professional documents and contracts a snap.

While these tools are efficient and secure (up to a point), there is a chance that your documentation could fall into the wrong hands.

Even the simplest typo in an email address or the wrong address copied and pasted can send your document to a random party. This element of human error is a security risk for companies that enter into deals online. Wrong recipients can easily accept documents on behalf of other companies or people they are not affiliated with.

3 – Sending private information

Email was designed to make written communications faster and easier, and it has achieved that goal without end.

But, in some cases, it has become too easy to share information that shouldn’t be shared with anyone at all.

With a few clicks and sometimes a few seconds, the information stored in the company’s file management systems can be downloaded and emailed to any third party.

On a day-to-day basis, this is common practice. We share files we’ve been working on with contractors, vendors, and customers.

But more often than not, employees also have easy access to private information that the business would rather not share with competitors, former employees, or any other third parties.

How long do you think it took to fetch and compile?

4 – Easy to click inappropriate links

Think of any email you’ve classified as junk or spam.

How many of them encouraged you to click on a link of some kind?

If the answer is less than “most”, we would be surprised.

This is the most basic level of email phishing. Simply sending an email (often to an entire organization) is the easiest way to get in the door for cybercriminals.

Even the most savvy IT professional can be fooled by a carefully crafted email and a spoofed email address.

We have seen changes in phishing emails from this:

to well-constructed emails that impersonate large, trustworthy organizations like Amazon, Apple, and even Google.

Take a look at the example below to see how easy it is to create a Google-like email to lure in unsuspecting email users.

5 – Email phishing

One of the biggest threats to email security in recent years is phishing.

Let’s dive into what has become quite a complex issue for IT administrators to mitigate and manage.

What is phishing?

Phishing is when cybercriminals attempt to impersonate organizations and individuals in order to trick people into providing private, confidential, or valuable information and data.

Wikipedia defines phishing as a type of social engineering. It’s easier to explain phishing as an online trap for prey (email users). The trap is often set as a form, link, or request for information.

Phishing can come in many forms (email, SMS, voice, page hijacking). The most common example of phishing in business is email phishing.

Email phishing has been widespread for over a decade and is getting harder to detect. At first glance, an email may appear legitimate.

Sometimes there are just small discrepancies like g00gle instead of google or daviid@yourcompany.com instead of david@yourcompany.com.

If you had to read it twice or didn’t notice that they were spelled differently, this is precisely how email phishing works.
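Near-miss addresses like these are hard for people to spot but easy for a mail filter to compare against a list of known senders. The following is an added example, not from the original post; the trusted list, the character-swap table, and the one-edit threshold are assumptions chosen for illustration.

```python
# Added example: flag sender addresses that nearly match a trusted one.
# TRUSTED and the substitution table are constructed for illustration.
TRUSTED = {"david@yourcompany.com", "billing@google.com"}
SWAPS = str.maketrans("0135", "oles")  # digit-for-letter swaps, e.g. g00gle


def skeleton(text):
    """Lowercase and undo common look-alike substitutions."""
    return text.lower().translate(SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender, trusted=TRUSTED, max_edits=1):
    """Return (verdict, matched trusted address or None)."""
    sender = sender.strip().lower()
    if sender in trusted:
        return "trusted", sender
    if sender.count("@") != 1:
        return "unknown", None
    local, domain = sender.split("@")
    for good in sorted(trusted):
        good_local, good_domain = good.split("@")
        near_local = edit_distance(skeleton(local), skeleton(good_local)) <= max_edits
        near_domain = edit_distance(skeleton(domain), skeleton(good_domain)) <= max_edits
        # Not an exact match, yet both parts are within one edit of a trusted
        # address after undoing swaps: treat it as an impersonation attempt.
        if near_local and near_domain:
            return "lookalike", good
    return "unknown", None
```

The trusted list has to contain every genuine sender, otherwise a real colleague whose name is one letter away from another's will be flagged as well.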

Email signatures often include authentic logos that can be downloaded from the internet, and even real employee names obtained from sites like LinkedIn.

The more compelling the email, the easier it is for it to go unnoticed.

As email phishing has become more difficult to detect and control, it’s not just small businesses that are being targeted (successfully).

What are examples of phishing?

There have been some high-profile examples of companies that have fallen foul of email phishing.

Look no further than two of the most powerful companies online: Facebook and Google.

Between 2013 and 2015, Facebook and Google were cheated out of $100 million due to an email phishing campaign. In this scenario, the scammer learned of a vendor that regularly bills both companies.

By creating and submitting fake invoices, more than $100 million was lost to an illegitimate company for fictitious services. This is proof that even the largest companies can fall prey to a clever email phisher.

This is one of the largest reported losses attributed to email phishing, but the examples don’t end there.

By company, well-established organizations (and some themselves) have suffered from email phishing scams:

  • Crelan Bank ($75 million)
  • Fischer Advanced Composite Components ($61 million)
  • Ubiquiti Networks ($46 million)
  • Upsher-Smith Laboratories ($39 million)

The first major documented email phishing attack dates back to 2001, when e-gold appeared to ask email recipients to verify their account, a simple request that could be carried out with the click of a button.

Even if the recipients were not e-gold subscribers, the process made it easy to complete and file the email as done. Only, in this case, the link redirected them to provide their bank details, and thousands of pounds soon followed.

In addition to the clear monetary risks associated with email phishing, you should consider other risks of not fully protecting your email assets.

Why phishing is dangerous

If a business becomes a victim of phishing, there are several repercussions to be aware of:

  1. If you’ve been the victim of a phishing attack, chances are you’ll be again.
  2. The COVID-19 pandemic has normalized receiving emails from unexpected addresses.
  3. Email phishing continues to get more sophisticated.
  4. Different generations entering the workplace are less suspicious of email security.
  5. Security policies expire over time and are not renewed regularly.

Any of these can lead to negative press, reduced credibility, and an impact on your bottom line. So the hazards have a ripple effect outside of security.

With an understanding of why phishing is dangerous, your next immediate step is to identify the right type of email security your business needs.

Types of email security

To mitigate email security risks, it’s important to find the right option for your specific business.

There are tons of email security products available and some do a great job right out of the box.

For businesses, rather than individuals, a tailored approach ensures your business is protected from the risks it’s most vulnerable to, rather than what email security vendors say it is.

At Nasstar, we provide fully managed cybersecurity and IT services to keep your business protected from phishing attacks and any other email intrusion.

John Stention, IT manager at Prosper Homes, uses Nasstar to keep his email systems secure:

“With the rise of digital and cyber security threats, it has never been more important for effective security monitoring and response. As our trusted partner, and not just a supplier, I feel secure knowing that Nasstar is the best choice to help us thrive on our digital transformation journey.”

If you’re a Microsoft 365 customer, learn more about our security hardening service here.
