Are E-mails a threat to Information Security?

Not everyone in a company needs to be aware of how to secure their work emails, but any employee who handles sensitive information must understand how vulnerable emails can be and recognize when a system is safe to transmit information.


Email messages are usually sent over external networks: untrusted networks that are outside the company’s security scope. This is why emails that lack the necessary security safeguards can be tampered with very easily.

To understand how emails can be a threat to information security, one must also understand why it is important to monitor employees, teach employees how to use email correctly, and protect a company from spam and malicious mailings. Over time, different situations have proven that email security can be threatened from both inside and outside.

In general, securing email systems falls under the IT department’s responsibilities. However, individuals responsible for the availability, confidentiality and integrity of the information sent over email should be aware of the threats and understand the basic techniques for securing these systems.

How do email systems work?

To the average person, email transmission seems simple: one person sends an email and another receives it, just like normal mail. In reality, more complex elements are involved in an email exchange.

Email exchanges have two components: the mail program (mail client) used to compose emails, and the mail servers.

Users read, compose, send and store their email using mail clients.
The email is composed and sent through the mail client via the network infrastructure to a server. The server is the computer that delivers, forwards and stores emails.

All of the above-mentioned components must be protected to ensure safe usage.

There are industry standards that ensure the cooperation between the different mail clients and servers. Nevertheless, cybercriminals find ways around the protective protocols and treat any vulnerability as an opportunity to access the information in these emails.

Common Threats

Emails are frequent targets of attacks because they are widely used and often contain sensitive information of interest to attackers. Cybercriminals could launch attacks to access confidential information, gain control of an organization or disrupt IT access to resources.

Here are the most common threats to email systems:

External threats:

Phishing

Phishing is an online scam that relies on spam mailing. The user receives a message that persuades them to go to a fake site and enter confidential data. Cybercriminals with mass phishing networks bombard people with imaginary winnings or fake notifications from providers and banks. The victim expects to receive money or recover lost data, but the result is data breaches and monetary losses.

Bulk mailings are sent to everyone indiscriminately. Out of hundreds of thousands of recipients, at least one will fall for the bait.

There are two types of phishing: mass phishing, carried out by poachers with a massive net, and spear phishing, carried out by experienced hackers with a spinning rod and a selection of baits.

Spear Phishing and Business Email Compromise (BEC)

Spear phishing works in a targeted manner. Scammers single out a specific group (a company, department, secretary or manager), think over the communication in detail, and collect information on education, places of work, interests and habits from social networks.

In general, the scenario is the same as in normal phishing: the process, the content of the email and the links. It can be more harmful, and is of greater concern to corporations, because it tends to attack and harm a whole organization. Exposed sensitive information, breached client confidentiality and reputation damage are among the worst consequences a company will need to deal with if it falls victim to spear phishing.

Social Engineering

The tools of social engineering work on the subconscious. They try to scare the victim or come up with an urgent reason for releasing information. Threats are not necessary, however: lately scammers have been trying to reduce the user’s suspicion with ordinary-looking content.

Simple schemes are effective. It’s easy to play on the laws of social engineering and users’ ignorance of the basics of network security. As a result, attackers take over credentials or launch malware into the corporate network.

Malware

A user ends up among the victims if they go to a fake page and give away confidential information: wallet data, access passwords, etc. Clicking on a phishing link can also install spyware, a keylogger or a Trojan.

Malicious Files and Attacks

The seriousness of the attacks launched over email is increasing day by day. All that is needed is one link containing malicious files, and it is enough to gain access to a whole computer.

Misconfigurations

This is a common problem. An inadequately configured email service can cause serious problems, such as allowing email to be sent without proper authentication.

Here is a possible scenario: a cybercriminal connects to your email service without authentication and is now able to send whatever email he wants to your employees in your name.

Internal threats

Uncontrolled traffic of incoming and outgoing messages within the company will lead to serious consequences: insiders and inattentive employees can do harm. An insider has legitimate access to information. Anyone could be an insider stealing sensitive data for profit or revenge.

Malicious entities

When cybercriminals attack a mail server, they might also gain access to resources in different areas of an organization's network. For example, once the server is compromised, users' passwords could fall into the hands of the attacker which will allow the criminal to access other hosts on the network.

Accidental acts by authorized people

Such leaks most often occur due to carelessness. Even if an employee does not want to steal information, he can become a source of leakage by sending private data to the wrong recipient. Email must therefore be monitored to prevent information loss.

How to manage Information security threats?

Technical measures: filters and DLP systems

New versions of browsers have a built-in “anti-phishing” feature that warns the user on hitting a fake page. Fraudulent sites live about five days at most: data about them gets into the filter, and phishers have to create new resources over and over again.

Most email services filter and analyze traffic. They use preventive tools: anti-virus scanning of all incoming and outgoing messages, anti-spam and anti-phishing.

DLP systems help to implement a corporate information security policy, including for e-mail. Such solutions keep insiders away. Administrators can set up email security settings and easily apply them to different groups of employees.

Email Authentication Protocols:

Email security protocols have been created to protect emails and the information in them. These protocols include SPF, DMARC, DKIM and BIMI, among others.

Preventive measures: instruction and training with simulated phishing

Despite the effectiveness of modern technologies, they do not provide one hundred percent protection against inattention, laziness and curiosity. Train the user, no matter how solid the information defense system is. Fraudsters skillfully use social engineering for unauthorized access to computer networks of any security level. Technology is improving, but people’s habits remain the same.

Raise employee awareness of social engineering attacks. Conduct briefings and send newsletters. But the best way is to learn from experience. Case studies of real-life incidents are a great way to grab employees' attention and make sure they understand the magnitude of the situation.

There are also simulated phishing training sessions. In these sessions, you can use automated systems that send fake emails and collect response statistics. It allows you to quickly find out the reaction of employees to fraud.

Sometimes cybercriminals promise bonuses or discounts. Do not rush to click on the link. Study the incoming email carefully: the sender's email address and logo, the way the email is composed and the tone. Go to the company’s website and compare the URL with the one in the message. If your colleague or friend sent a congratulatory email with a suspicious link, do not click until you find out that the sender is real.

Be careful about email security. And remember that banks do not send out requests for your password.

Araz Guidanian is part of the content marketing team at Eadydmarc.com. She writes content about email protection and the future of cybersecurity.