On a day-to-day basis, an astronomical amount of personal and confidential information is shared via email. However, you might be surprised to know that email by itself contains no built-in security at all. Any person with a little technical ability can make emails seem like they are coming from your boss or one of your business partners in an attempt to pry sensitive information from you. You may have heard of this referred to as “email spoofing”, and there is no way to stop malicious users from doing this. With a good technical team on your side, however, steps can be taken both to greatly mitigate these attacks and to implement programs that make email more secure.
It would be difficult to overstate the role that email plays in almost all facets of our lives. Despite how much information we send and receive daily through email, few understand the security and privacy risks associated with it. This article outlines common practices used by malicious persons to gain access to personal info in your inbox, alongside the technology and techniques you can use to safeguard your data.
One of the most common tactics used by those seeking your personal details is social engineering. Social engineering is the practice of deceiving people into doling out information that can then be used against them, such as their address, social security number, or credit card information. Malicious users will pretend to be other people, a process called spoofing, to carry out their social engineering attacks. They could pretend over email to be your boss, coworker, or even your friends and family. Social engineers would rather have you give them your info than breach your network to take it.
A Proofpoint report from 2019 relayed an unsettling truth: 99% of all email attacks rely on the victim clicking a link. Malware-laden emails are an unfortunate part of business these days and are becoming increasingly common. Criminals will use social-engineering tactics to entice users to click links they normally wouldn’t, which could grant these criminals access to your system. Links and attachments in emails should always be treated with the utmost caution, even if sent from trusted sources or people you know.
All of these attacks and security vulnerabilities may have you wanting to never send an email again, but there is plenty we can do to counteract these issues and make email as safe as possible. One of the best and easiest ways to share sensitive information via email is by adding an email encryption service. Email encryption software allows you to encrypt your data by simply pressing a button. Email encryption takes the email you composed in cleartext, runs it through an algorithm and converts it to ciphertext. This ciphertext is transmitted over the internet, and is unreadable to any attackers who may be trying to intercept this sensitive information. The only person who can see what you are sending is your intended recipient, because only they have the key to decrypt this information. In 2019, email encryption is an absolute necessity, and no one should ever send any personally identifiable information (PII) unencrypted over the internet.
Email encryption is a great tool that every user can use to help secure their email, but there are also steps your technical team can take behind the scenes to make your email system as secure as possible. The three big names in email security are Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting, and Conformance (DMARC). The first and oldest email security standard of the three, SPF, plays a key role in stopping sender address forgery. Essentially, SPF stops people from impersonating your company by specifying that only your email server may send as your company. This prevents malicious users from impersonating you to get information from one of your clients or colleagues. DKIM is another email security standard that is highly recommended. DKIM checks the integrity of emails to ensure you receive the exact email you were sent by a trusted sender. This is very useful in fighting against attackers who may try to intercept, alter, and forward an email to you from a trusted sender. DKIM works using a private and public key pair to sign emails. The sending email server signs the email, and the receiving email server checks that signature to ensure that the sender’s identity matches the domain specified in the signature.
Finally, DMARC builds upon both SPF and DKIM to help stop email spoofing. If you’re unfamiliar with the term spoofing, it simply refers to someone forging a from address in an email. For example, joe@phishing.com could send you an email and change it to say that it came from your CEO. DMARC fights against this by giving you the ability to control what happens with this message. SPF and DKIM will test this message to see if it is truly from the domain it says it is. DMARC gives your company the control to either reject or quarantine emails that fail these tests. This way, spoofed emails never even make it to users’ mailboxes. With email encryption provided to users and the proper security measures put into place by your technical team, email can be a far more secure means of communicating than it is in its organic form.
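The decision a receiving server makes once the SPF and DKIM tests have run can be sketched in a few lines. This is an added example, not code from the original article: it assumes the company domain is example.com with a constructed DMARC record, uses relaxed alignment only, and approximates the organizational domain by its last two labels. The forged case reuses the phishing.com sender from the paragraph above and shows why an SPF pass for the sender's own domain does not help it.

```python
# Added example: simplified DMARC check (relaxed alignment only).
# example.com and the record below are constructed sample values.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Naive organizational domain: the last two labels. Assumption for this
    example; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, authenticated_domain):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(from_domain) == org_domain(authenticated_domain)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf and dkim are (result, domain) pairs: the SPF result for the
    envelope sender's domain and the DKIM result for the signature's d= domain.
    Returns 'deliver' on a DMARC pass, otherwise the published policy."""
    policy = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1])
    return "deliver" if (spf_ok or dkim_ok) else policy["p"]

def demo():
    """Three constructed messages, all claiming From: ...@example.com."""
    return {
        # Genuine mail: SPF and DKIM both pass for the company's own domain.
        "genuine": dmarc_disposition("example.com", ("pass", "mail.example.com"),
                                     ("pass", "example.com"), RECORD),
        # Forged From header: SPF passes, but only for the sender's own
        # domain, so it is not aligned with the From domain.
        "forged": dmarc_disposition("example.com", ("pass", "phishing.com"),
                                    ("none", ""), RECORD),
        # Forwarded mail: SPF breaks at the forwarder, the DKIM signature survives.
        "forwarded": dmarc_disposition("example.com", ("fail", "forwarder.example.net"),
                                       ("pass", "example.com"), RECORD),
    }

if __name__ == "__main__":
    print(demo())
```

With the policy changed to `p=quarantine`, the forged message would be routed to spam instead of refused; `p=none` only reports the failure.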
Email is only going to continue to play a bigger role in both businesses and daily life, and attackers are only going to get smarter and harder to stop. It is vital for companies to stay up to date with the most secure email practices. Security is never convenient, in any sense, including the world of technology and certainly with email. However, taking any of the steps listed in this article could save you or your company from falling victim to a social engineering or phishing attack.
For more information regarding email security and encryption software, please contact Plummer Slade at hdsupport@plummerslade.com or call 412-261-5600 option 3.