At some point in your life, you’re likely to experience an email security epiphany.
One day, you awaken to the shocking realization that you depend on your email for practically everything and you’re not doing enough to protect your accounts.
Sometimes this epiphany arrives when you suddenly see the extent to which you rely on your email account.
Think about it: what happens when you change the details on one of your online accounts? You get an email notification, asking you whether it’s you.
But that raises the question: what would happen if a hacker broke into your email account itself? You’d have no additional security to fall back on. They’d get access to everything.
Having your email hacked by malicious actors is no laughing matter. They could access:
- Your personal information
- Sensitive business information
- Your purchase history
- Your credit card information
- Your confidential correspondence with legal professionals, medical professionals, and accountants
- Your existing two-factor authentication methods that rely on your email account
- Your other apps, business systems, endpoints, and data
The personal and business costs of a successful breach can be tremendous, so your goal should be to ensure that it never happens. And that means upping your email security game.
If that doesn’t shock you into action, the following statistics will:
- Over 94% of malware gets delivered by email
- Over 48% of malicious attachments are just regular office files
- In 2020, more than 1 in every 4,200 emails sent was a phishing attempt
- The smallest organizations – those with fewer than 250 people – had the highest hacker targeting rate. 1 in 323 was a victim
- In April 2020, Google was already blocking 18 million phishing emails per day. It now blocks more than 100 million per day.
The purpose of this post is twofold:
- To teach you how to create a strong and secure email account
- To make it much less likely that you’ll become the victim of email hacking
So how can you and your organization defend yourselves against this mounting threat?
Different Types Of Email Security Protection
Before you can start implementing email security measures effectively, you need to understand the landscape.
Today, there is already a wide range of email security measures operating in the background of most standard accounts.
Data Encryption
The most secure email services use data encryption – a digital process that scrambles all your information before sending it over the web.
Email encryption works in a similar way to traditional ciphers. Both your email client and your recipients’ have a key that allows them to interpret, encode and decode your messages.
Without this in place, hackers could potentially intercept your messages in transit and lift confidential personal or business data.
Fortunately, most modern email services use email encryption automatically, so you don’t need to download any plugins or do any complicated coding. But some still don’t. And that could be putting your enterprise at considerable risk.
Phishing Protection
Google says that it is currently intercepting 100 million phishing emails per day – communications specifically designed to get users to hand over sensitive account information to malicious actors.
What makes phishing so insidious is that it is not hacking in the traditional sense. Cybercriminals aren’t trying to find clever coding methods to get around your antivirus or firewall. Instead, they’re using confidence tricks to co-opt members of your organization to voluntarily hand over data they need to breach your network.
Many top email services now automate phishing security to prevent emails from reaching users in the first place. Some still get through, though.
Anti-Virus Protection
Hackers will often load emails with malicious software designed to infect the target computer. When users click links or download attachments, they inadvertently allow malware to gain access to their systems.
The good news is that a lot of vendors now provide built-in email scanning.
Norton, for instance, creates a gateway between incoming and outgoing mail servers, allowing it to scan attachments before they have a chance to install themselves on your endpoints.
Similarly, Bitdefender offers server-side tools that block incoming mail based on suspicious patterns of behavior.
Image Control
A lot of businesses will even go as far as image control to protect their email accounts and the security of their network.
Images are common in emails – especially those of the marketing variety. But they’re a risk. Cybercriminals will often use them to conceal dangerous links and files.
However, Gmail and some other providers have largely solved this threat. Google used to warn users every time they received an image attachment and got them to click a link labeled “display images below,” which was a hassle. But these days, the provider runs images through its own proxy servers, checking them for malicious content before forwarding them to users.
What is endpoint protection?
Endpoint protection is one of the most powerful tools available for businesses looking to defend their email accounts (and other data) against criminal activities.
Today, organizations face a broad array of threats from nation-states, rival companies, private hackers, and even their own colleagues. Endpoint protection is a system that secures all the portals through which people access your company network and data, such as mobile devices, laptops, and desktops. The purpose is to continually scan outgoing and incoming data, build up a threat database, and create a security solution that evolves with the times.
Endpoint protection (EPP) is a little different from regular antivirus. Suppliers of EPP usually store all relevant threat information in the cloud (not locally), which reduces bloat for end users and makes it easier for businesses to scale their IT.
The system is effective because it is learning all the time. Whenever it discovers a new threat, it adds it to its database so that it can counteract it if it sees it again in the future.
Endpoint protection comes in a variety of forms. The most common is via “software-as-a-service” (SaaS). Here, professionals manage the EPP service remotely for you, monitoring your email while using shared security threat knowledge from multiple clients to further protect your business. EPPs can often detect threats quickly – sometimes in a matter of seconds.
Endpoint detection and response, or EDR, is similar. It gives you the ability to detect attacks (including advanced threats like zero-day exploits, fileless malware, and polymorphic attacks) and prevents them from infecting your systems or exposing sensitive information.
EPP relies on a vast edifice of technology to protect email accounts, including:
- Machine learning algorithms that automatically detect threats in real-time
- Software that automatically remediates malware across email and other services
- Advanced data classification procedures that rely on big data insights
- Gateway filters to block out email phishing and other malicious business correspondence
- Centralized management, either by in-house IT or from SaaS providers.
- Insider threat protection to stop both malicious and unintentional sending of emails that might damage the brand
What is signature-based protection?
Signature-based protection is a vital tool or component of EPP.
Every digital object has a specific signature – something that marks it apart from all other pieces of software on the web.
A signature is like a digital fingerprint that tells other systems what kind of animal any given object is.
Signatures are vital for anti-malware solutions. Once an anti-malware provider identifies a digital object as malicious, they add its unique digital fingerprint to their database so that they can identify it again immediately in the future.
That’s how they protect you.
Behavior-based protection
Of course, this approach raises the question of what happens when you’re faced with a brand new threat.
If it is genuinely new, then signature-based systems can’t protect you.
And that’s a problem. Research in Cisco’s Annual Cybersecurity Report suggests that more than nineteen out of twenty pieces of malware floating around the internet are less than 24 hours old.
Fortunately, there is another paradigm that helps you avoid falling victim to new email account threats: behavior-based detection.
This approach uses a higher level of analysis to determine whether an object passes muster or not. Instead of looking at its identification, it evaluates its intention.
The distinction here is profound. It means that EPP solutions can build a database of likely actions that any piece of software might undertake based on its identifiable characteristics. It means that they can evaluate whether an object is a danger even if they haven’t seen it before.
Experts in the industry call this approach to email anti-malware “dynamic analysis”: looking for threatening behavior as the object executes.
Of course, behavior-based detection systems are not mechanical like signature-based systems. And that means that quality tends to vary a lot. How well these systems perform depends on the skill and insight of the developers.
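The contrast between the two approaches, as an added example that is not part of the original post: a fingerprint lookup misses a never-seen object, a behavior rule catches it, and the new fingerprint is then added to the database. The rule names, sandbox traces and sample byte strings are constructed for illustration and do not come from any real product.

```python
import hashlib

# Constructed, harmless byte strings standing in for email attachments.
KNOWN_BAD = b"constructed-sample-attachment-v1"   # already catalogued
NEW_SAMPLE = b"constructed-sample-attachment-v2"  # never seen before
BENIGN = b"constructed-quarterly-report"

# Signature database: fingerprints of objects previously identified as malicious.
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Hypothetical behavior rules: (actor, action) pairs considered suspicious
# when observed while the attachment runs in a sandbox.
SUSPICIOUS = {
    ("document_viewer", "spawn_script_interpreter"),
    ("document_viewer", "modify_startup_entry"),
    ("script_interpreter", "bulk_file_encrypt"),
}

def signature_match(data: bytes) -> bool:
    """Identity check: is this exact fingerprint in the database?"""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB

def behavior_hits(events):
    """Intention check: which observed events match a suspicious rule?"""
    return [e for e in events if e in SUSPICIOUS]

def verdict(data: bytes, events) -> str:
    """Try the signature first, then fall back to behavior."""
    if signature_match(data):
        return "blocked: known signature"
    if behavior_hits(events):
        # Record the new fingerprint so the next copy is caught by signature alone.
        SIGNATURE_DB.add(hashlib.sha256(data).hexdigest())
        return "blocked: behavior"
    return "allowed"

# Constructed sandbox traces.
TRACE_SUSPICIOUS = [("document_viewer", "open_file"),
                    ("document_viewer", "spawn_script_interpreter")]
TRACE_NORMAL = [("document_viewer", "open_file"), ("document_viewer", "print")]
```

Calling `verdict(NEW_SAMPLE, TRACE_SUSPICIOUS)` returns a behavior block the first time and a signature block on every later call, because the fingerprint has been learned.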
3 ways to avoid falling victim to email hacking
So what can businesses do to avoid falling victim to email hacking?
Create strong passwords
While hackers will often use subterranean or nefarious methods to gain backdoor access to your account, a lot of them simply guess your passwords.
Thus, Google recommends that email users create passwords that have the following characteristics:
- Longer than 12 characters
- Contains a combination of numbers, letters, and symbols (using ASCII-standard characters)
- Shouldn’t contain any personal information
- Shouldn’t contain any common words
If you’re struggling to generate a lot of passwords, then you can use software to generate them randomly for you.
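One way to generate and check passwords against the four characteristics listed above, as an added example that is not part of the original post. The symbol set, the short common-word list and the `personal_terms` parameter are assumptions; a real deployment would use a much larger word list.

```python
import secrets
import string

SYMBOLS = "!#$%&()*+-.:;<=>?@[]^_{}~"            # assumed set of allowed ASCII symbols
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
# Constructed sample list; real checks use far larger dictionaries.
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "dragon", "summer"}

def policy_violations(password: str, personal_terms=()):
    """Return the list of rules from the article that the password breaks."""
    problems = []
    lowered = password.lower()
    if len(password) <= 12:
        problems.append("must be longer than 12 characters")
    if not password.isascii():
        problems.append("must use ASCII characters only")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must mix letters, numbers and symbols")
    if any(t and t.lower() in lowered for t in personal_terms):
        problems.append("contains personal information")
    if any(w in lowered for w in COMMON_WORDS):
        problems.append("contains a common word")
    return problems

def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG until the result passes the policy."""
    if length <= 12:
        raise ValueError("length must be greater than 12")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate

if __name__ == "__main__":
    print(policy_violations("Summer2024!"))
    print(policy_violations("Alice.Smith.1985!!", personal_terms=("alice", "smith")))
    print(generate_password())
```

The generator uses the `secrets` module rather than `random`, because `random` is not designed for security-sensitive values.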
Google also recommends being prepared if somebody does actually get hold of your email accounts.
The best way to do this is to set up a recovery email in your Google account. You can also add a recovery phone. These additional access points help you re-establish control over your email accounts if somebody is using them right now.
Train Your Team On Phishing Attacks
Phishing attacks are attempts to extract user information and password data from people in your organization. Hackers will often send official-looking emails posing as trusted partners. These gain the confidence of regular employees so that they don’t think twice about handing over sensitive information.
The solution here is partly technology, and partly educational. Here’s what to do:
- Train colleagues on what phishing is and why it is so effective
- Teach them to look out for the hallmark signs of phishing (such as spelling and grammar errors, poorly written English, errors in the sender email address, and non-company sender domains).
- Don’t allow users to use public WiFi.
- Install behavioral-based detection systems on your email account to filter out phishing attempts.
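Two of the hallmark signs above, errors in the sender address and non-company sender domains, can be checked automatically. The following is an added example, not part of the original post; `example.com` as the company domain, the edit-distance threshold of 2 and the sample `From` headers are all assumptions.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organization's own mail domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Classify a From header by how its domain relates to the company domain."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "company"
    # A near miss on the company domain is a typical "error in the sender address".
    if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    # Display name uses the company name but the domain is someone else's.
    if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
        return "external-claims-company"
    return "external"

# Constructed sample headers.
SAMPLES = [
    "IT Support <helpdesk@example.com>",
    "IT Support <helpdesk@examp1e.com>",
    "Example Payroll <pay@mail-service.test>",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):24} {header}")
```

A "lookalike" or "external-claims-company" result is a reason to quarantine or banner the message for review; the `From` header alone does not prove who sent a message.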
Use Multi-Tier Authentication
Multi-tier authentication is a tool that you can use to add extra layers of protection to your email account.
The vast majority of large email providers have two-factor authentication where users need to both use a password and confirm their authenticity via a secondary device.
Google mail does this, for instance, by sending a confirmation message to your linked phone.
The reason two-factor authentication works is that it is much harder for attackers to undermine your digital security in two places simultaneously.
Let’s say, for instance, that a phishing attempt is successful and hackers get access to your PayPal account. If all they need is your password, then once they have it, they can siphon all the funds in your account.
But if you set up two-factor authentication, then they’ll also need to give PayPal permission to access your money via a secondary endpoint, usually your phone. And that’s the point at which you can stop them in their tracks and change your password.
Concluding Remarks
Creating a strong and secure email account, therefore, requires a combination of technology and cunning.
Your best strategy is to put in place methods that prevent breaches and allow you to limit any damage if and when they occur.
No email system is ever going to be completely secure. Threats are evolving and people in your organization will eventually make mistakes. But it’s a numbers game. The more you can minimize the chinks in your armor, the less likely it will be that a hack takes place.