Virtually everyone who works has an email address. Email is the easiest way to transmit information and conduct business negotiations in a timely manner. However, giving employees in your company access to the Internet with the ability to exchange e-mail messages will invariably entail threats related to the security of the corporate network.
In this article, we have a list of the main email security threats in 2021 and ways to prevent them. But first, the basics.
Let’s start with a list of some of the most famous threats that organizations with email systems are exposed to today:
A simple glance at most companies’ websites can give an attacker a list of email addresses to use for, say, a phishing attack, a malicious email attachment, or a link to a hacker website. After a user visits the latter, a software tool that steals passwords to corporate resources or other valuable personal information is discreetly installed on the user’s computer.
Even if the CEO’s email address is not posted on the company website, that does not mean it cannot become a target for an attack. Most companies adhere to a standard email address format – firstname.lastname@example.org. By collecting and comparing this information from the website, a hacker can easily guess the legitimate email addresses adopted by a particular organization, including those of top management.
Email security is threatened from inside and out. Phishing scams and insiders can both open a breach through which serious losses will flow.
Email is vulnerable, and no one can guarantee complete protection against hacking or identity theft. Major corporations, LLCs, and sole proprietorships, even politicians and security officials have already been affected by email vulnerabilities.
91% of identity thefts and infiltrations start with email. Malware such as WannaCry, Lazarus, and Petya has used email to attack users’ computers.
Radical changes in workflows and other COVID-19 consequences have caused a weakening of IT infrastructure protections. Ineffective remote access implementations, VPN vulnerabilities, and lack of personnel to address these issues have put corporate data at risk of unauthorized access.
Home devices are also at increased risk: the increased number of remote employees has created an environment where intruders can easily connect to corporate PCs via unsecured local networks. Plus, employees simply have no way to quickly contact IT personnel and prevent the threat of unauthorized intrusion.
When employees work remotely, the line between performing work and personal tasks on a corporate device blurs, and innocuous actions – such as reading personal email – can have serious consequences. Companies will increasingly face employee emotional burnout, which can lead to increased errors.
With that said, let’s get to a list of the main email security threats in 2021.
Phishing is an Internet scam using spam emails. The user receives an email convincing him/her to visit a fake site and enter confidential data. In a typical phishing attack, the cybercriminal sends numerous fake emails made to look as if they come from a trusted source, a well-known trading or financial company (e.g. a bank). In the email, the “victim” is strongly encouraged to update his/her personal information, supposedly in order not to lose access to special services (access to an online bank account, etc.). For this, the user is offered a link to an “official” website, seemingly legit.
However, by clicking on the proposed link, the user is redirected to the attacker’s fake site, which looks no different from the original (typically, a clone). The victim then unsuspectingly fills out the proposed forms and leaves all of his/her personal information with the hackers. Moreover, even if the user doesn’t download anything or fill out any forms, simply clicking on the link might provide the necessary information (logins and passwords) to the attackers. In this case, the attackers could launch an attack on the user’s browser, delivering exploits that download automatically once the link is clicked.
There are two types of phishing:
In the first case, the attackers inundate people with emails that contain imaginary winnings or fake notifications from providers and banks. The victim expects to get money or recover lost data but, instead, parts with it. The user is hooked if he/she goes to a fake page and gives up confidential information: e-wallet data, passwords/logins, etc. By clicking on a phishing link, you can also pick up malicious spyware, a bug, a keylogger, or a trojan. Mass emails are sent indiscriminately to everyone. The odds are such that at least one out of hundreds of thousands will take the bait.
Now, spear phishing is a more interesting option. Obviously, it works in a targeted way: phishers select a particular group or an individual (e.g. a company, department, secretary, or an executive), plan their communications in detail, and collect information from social networks about education, places of work, interests, and habits.
Next, social engineering tools that act on the subconscious are used. The phishers attempt to scare their victim(s), inventing an urgent reason to make them provide the necessary information. They don’t even have to threaten anyone – recently, scammers have been trying to lower the user’s suspicion with ordinary-looking content.
Simple schemes are effective. One can easily use the laws of social engineering and user ignorance of network security to their advantage. As a result, attackers get hold of credentials or launch malware on the corporate network.
In 2021, there will be more innovative phishing baits designed to trick users and make it harder to identify attacks. The most innovative mass phishing method seen today is Emotet botnet email hijacking. The botnet automatically creates decoy emails using data stolen from compromised email services. This data is later used in correspondence, making it very convincing and encouraging victims to open malware files.
The prospect of continued self-isolation encourages people to share more personal information online, which can become a weapon in the hands of cybercriminals. Whaling attacks, a type of phishing that targets senior executives, will become even more dangerous. This is due to the fact that cybercriminals can use personal information found or stolen online to create convincing decoy emails to corporate email addresses. In doing so, hackers will actively exploit hot topics to encourage people to open malicious emails. These could be information about various COVID-19 vaccines, warnings about financial problems, or political instability.
Ransomware has become a favorite tool of cybercriminals, and the trend will continue this year. The rise in ransomware is fueling an entire ecosystem of criminal tools. Malware is sent via email, and viruses such as Emotet, TrickBot, and Dridex often precede its introduction. Many criminal groups use aggressive tools to break into domain controllers, which often prove to be the most suitable entry points for ransomware.
The rise of two-stage extortion campaigns, in which the victim’s data is exfiltrated before encryption, will hit government agencies with large amounts of personal data especially hard.
Uncontrolled traffic of incoming and outgoing messages inside the company will lead to serious consequences: insiders and inattentive employees can do serious harm.
An insider has legitimate access to information, and this is the main problem. Anyone can turn out to be an insider who steals sensitive data for personal gain or revenge. For example, there was a case when a bank employee sold the code words of eleven customers to her friend, who then withdrew $55,000 from the customers’ accounts. The woman provided the information illegally for five months straight.
Harm can be done unintentionally, as well. Leaks most often occur due to carelessness and inattention. Even if an employee does not want to steal information, he/she can become the source of a leak by sending sensitive data to the wrong recipient.
It doesn’t matter whether the employee means you harm or is just a klutz: the consequences can be significant. You have to be careful and monitor your emails to keep information from leaking.
The human factor will always be the weakest link in the seemingly secure perimeter of any organization. With the increasing complexity of IT infrastructures and software, the cost of a single human error can bring down an entire company.
SMTP and SSL vulnerabilities, along with human error, create an almost infinite number of data breach risks. Not surprisingly, 91% of all attacks start with email.
Once attackers have identified a target, they can proceed in several ways. The very first attack that exploited email functionality targeted vulnerabilities in the so-called Mail Transfer Agent (MTA) or mail server, which is responsible for delivering a message to a specific computer. Sendmail was the first and most popular MTA in the early days of the Internet, and in 1988 anomalies in its operation allowed the Morris Worm to spread and infect much of the Web.
Some would say that was twenty years ago, and that such threats are obsolete as a species, but we wouldn’t be too quick to jump to conclusions. It’s enough to check the official website of any mail server manufacturer – even the most advanced one like Microsoft Exchange – to find out that it may contain vulnerabilities that can be used by a remote hacker to attack your network.
New versions of browsers have built-in “anti-phishing” systems which notify you when you get on a fake page. Fraudulent websites live for 5 days at the most – their data gets filtered out, forcing phishers to create new resources over and over again.
Most email sites filter and analyze traffic. They use preventive tools, e.g. anti-virus scanning systems to check all incoming and outgoing emails, anti-spam tools, and anti-phishing tools.
DLP systems can help implement corporate IS (Information Security) policies, including those for email. Such solutions will keep insiders out. System administrators can then set email security measures and easily apply them to different employee groups.
Despite the effectiveness of today’s technology, it doesn’t provide 100% protection against inattention, laziness, and curiosity. Educate your employees, no matter how thorough the information defense system is. Scammers skillfully use social engineering to gain unauthorized access to computer networks of any security level. Technology improves, but people’s habits remain. Thorough ecommerce testing is also a great way to ensure that your ecommerce website runs smoothly and is not exposed to attacks.
Raise employee awareness of social engineering attacks. Hold briefings, meetings, newsletters, etc.
However, the best way is to learn from your own mistakes.
There are training sessions that simulate phishing. For these sessions, you can use automated systems that send fake emails and collect response statistics, such as Gophish, an open-source framework. It allows you to easily and quickly figure out employee reactions to fraud.
Be careful about email security. If services you know ask for personal information, first make sure they are who they say they are. Don’t forget that banks never send requests for your password.
Sometimes, phishers promise bonuses or discounts. Don’t rush to click on the link. Examine the incoming email carefully – check how the logo looks and the individual letters are written. Visit the official company’s website and compare the URL to the one in the email. If a colleague or friend sends you a greeting with a suspicious link, do not click it until you are sure the sender is real.
Your emails can easily fall under the control of intruders. That’s why there are several additional layers of protection for the content and process of sending emails. One of the most common types is Transport Layer Security (TLS), which secures the email as it travels over the Internet. This method is similar to a physical letter in an envelope, i.e. you can see where the email is coming from and where it’s headed, but the content can only be seen after it’s opened.
Another method of email protection is end-to-end data encryption. The essence of this method is that the message is encrypted at the sender and decrypted at the recipient, remaining encrypted during transmission. Only the intended recipient will be able to decrypt and read it.
Quite often, spam and infected emails that contain malicious software arrive through the inbox. Therefore, to protect it from more unwanted and malicious emails, most mail servers have a “blacklist” of known spam and phishing senders. You can also filter messages by attachment type or allow verified sources only. To ensure their users’ emails are protected, many service providers check emails for malware and viruses before passing them on through the network.
As mentioned earlier, attackers often use a simple method to spread threats through email, which is disguising malicious emails as legitimate ones. However, there are ways to limit this activity, although they are not yet widespread enough. In particular, these methods help authenticate the contents of the message and control the users and accounts that are allowed to send messages from your provider’s domain.
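The article does not name the authentication methods; this added example (not from the original article) assumes the widely deployed SPF, DKIM and DMARC checks, whose results the receiving server records in an `Authentication-Results` header. The server name `mx.corp.example`, the sample message and the `disposition` policy are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed message. mx.corp.example is the (hypothetical) receiving server
# whose verdicts we trust; the second header is one a sender could have forged.
SAMPLE = """\
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=mailer.example;
 dkim=pass header.d=mailer.example;
 dmarc=fail header.from=example-bank.test
Authentication-Results: mx.unknown.example; spf=pass; dkim=pass; dmarc=pass
From: "Example Bank" <support@example-bank.test>
Subject: Update your details

Please confirm your account.
"""

def auth_verdicts(raw, trusted_authserv_id):
    """Return the spf/dkim/dmarc results stamped by the trusted server only."""
    msg = message_from_string(raw)
    verdicts = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        # Ignore headers stamped by anyone but our own receiving server.
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()):
            verdicts[method] = result
    return verdicts

def disposition(verdicts):
    """Simple local policy (an assumption, not a standard): trust DMARC first."""
    if verdicts["dmarc"] == "pass":
        return "deliver"
    if verdicts["dmarc"] == "fail":
        return "quarantine"
    # No DMARC verdict: require at least one of SPF or DKIM to pass.
    if "pass" in (verdicts["spf"], verdicts["dkim"]):
        return "deliver-with-warning"
    return "quarantine"
```

In the sample, SPF and DKIM pass for the sending infrastructure’s own domain while DMARC fails because the visible From domain is a different one, which is the disguise the paragraph above describes.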
Using authentication and authorization is an important part of mail server management, as is quickly deleting accounts or at least changing your passwords for accounts that are no longer in use. This applies to accounts previously owned by employees who no longer work for the company.
Multi-factor authentication is one of the most effective levels of email and account access security. Identification is performed using a one-time key sent to you in a text message. Multi-factor authentication provides email security and is an important part of the email or network login process.
Traditional methods of protecting access to the corporate network, apps, and data no longer work; the strategy of building perimeter network protection is obsolete. In addition, over the years, the decentralized workforce has led to the rise in popularity of the SaaS model. This means that critical data ends up outside the local corporate servers. Organizations have to defend themselves against previously unknown threats, so technologies such as biometrics will be heavily used by companies in the future.
Zero-trust is the best approach for securing information when working remotely, but to effectively manage identity and access, the system must be easy to use. A key priority of the zero-trust model is quality authentication methods, such as biometrics.
The year 2020 has demonstrated the critical need for new approaches to secure remote access to endpoints and secure management of distributed endpoint infrastructure. In the future, every element of the IT infrastructure will be a cybersecurity battleground, from remote workers’ PCs and smartphones to industrial IoT components. Organizations need to adopt security and management systems and incorporate necessary technological innovations into workflows.
Technologies such as micro-virtualization are transparent to end-users.
Micro-virtualization is a technology that abstracts applications and sub-processes from hardware and runs them in isolated environments. It relies on proprietary software called “Microvisor” (micro-hypervisor), developed by Bromium, a desktop security startup acquired by HP in 2019. This means end-users can confidently open email attachments and download files, knowing that the system will protect their device from virus penetration. This approach to security leaves hackers no chance, helping organizations cope with any threats both in 2021 and in the long-term future.
About the author:
Edward Bishop is a content writer of Corecommerce and content-strategist of visualmodo. He worked in different companies and got a lot of experience. Edward is focused on making a difference with content he develops and curates.