Many successful cyberattacks start with someone clicking a link in an email. According to Verizon’s latest Data Breach Investigations Report, phishing and pretexting represented 93% of all social breaches they studied. And email was the most common attack vector (96%). But it’s impossible to imagine doing your job without email, so what can you do to mitigate some of the risk?
The Problem with Email
Email is the application that first made the internet popular. It changed the way we communicate and do business. Not only is it inexpensive, it is extremely efficient and user-friendly. Many of us remember how amazing it was the first time we typed a message and clicked a button to have it delivered in real-time.
Simple Mail Transfer Protocol (SMTP) ― part of TCP/IP, the language of the Internet ― is the original definition of Internet email. It is a very simple protocol that defines how mail servers send and receive messages, and it was originally documented in 1982 as RFC 821. The primary problem with email is that the original protocol did not consider security, which is also the central challenge of its parent, TCP/IP: there was no mechanism to validate that what was being passed along as a message was a legitimate message. Still, most organizations use SMTP to send and receive messages over the Internet.
Bad actors take advantage of the limitations of SMTP. They send fraudulent emails, generally through an “open relay” ― an email system that they control directly ― or by compromising a user’s email account and sending email posing as that compromised user. Their messages get passed through other machines as they travel over the Internet until arriving in inboxes. So, what could go wrong?
Regular (unencrypted) emails over SMTP are protected about as much as a postcard. If you can capture the data in transit, you can see who’s sending it, where it’s headed, the subject, and all the content of the message. Everything is completely visible to anyone who can capture the traffic. This is also known as a “clear-text” protocol.
So, what happens if someone sends as many postcards as they want, without paying any postage and faking the sender? That’s SPAM, which we’re all familiar with.
But, what if someone sends a poisonous postcard that looks like it’s from a friend or a colleague? These are the malicious emails that put us at risk. Most organizations are now reporting that 95% or more of all the inbound email that their gateway sees is being rejected as malicious. It only takes one to cause an incident though.
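Because SMTP relays the From, Reply-To and Return-Path headers without checking them against each other, the comparison has to happen on the receiving side. The following Python is an added example, not code from the original post; the message it parses is constructed and every domain in it is a placeholder.

```python
"""Added example (not from the original post): flag sender-header
inconsistencies that SMTP itself never validates."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (placeholder domains): the display name claims a
# colleague, but the address, envelope sender (Return-Path) and Reply-To all
# point at different domains.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.net>
From: "Alice Chen (Finance)" <alice.chen@examp1e-corp.com>
Reply-To: <payments@invoice-portal.example.org>
To: bob@example.com
Subject: Urgent wire transfer

Bob, please process the attached invoice today.
"""


def domain_of(addr_header):
    """Return the lower-cased domain from a header like '"Name" <user@host>'."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_inconsistencies(raw_message):
    """Parse a raw RFC 5322 message and list sender-related red flags.

    The mail transport passes these headers along untouched, so a gateway or
    an analyst has to compare them; a mismatch is a signal worth triage, not
    proof of fraud (mailing-list and ticketing systems trip it legitimately).
    """
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    flags = []
    ret_dom = domain_of(msg.get("Return-Path"))
    if ret_dom and ret_dom != from_dom:
        flags.append("return-path-domain-mismatch")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    return flags


if __name__ == "__main__":
    print(sender_inconsistencies(SAMPLE_RAW))
```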
What You Should Do
- Most email clients (e.g. Microsoft Outlook) block malicious messages automatically, but if something suspicious gets into your mailbox, mark it as Junk.
- Report all SPAM to the Federal Trade Commission (FTC). There are laws in place against sending SPAM, and the FTC will take action, although don't expect them to get back to you about your particular issue.
- If you suspect that your organization is being targeted by a specific campaign, make sure to report it to your security team. That way they can examine it and take steps to block similar messages at your perimeter.
What You Should Not Do
- Never open a suspect message in your inbox. If you need to check to see if it’s legitimate, you can move it to the SPAM/Junk folder first. These folders typically have automated safeguards built-in that disable automatic triggers that could pose a threat.
- If you did not subscribe to a suspect email, do NOT click the unsubscribe link.
- Never click a link or open an attachment in an unsolicited email.