When the Internet wasn’t known as Internet, but ARPANET in the 70’s, the email was already becoming popular.
However, if there is something we have known for a while, it is that all technology has a negative part that can be exploited. And it is being exploited.
In the case of emails, cyber-criminals use creative techniques to extract data or economic resources from users and companies.
In the following lines, we will identify the threats that we face when we open our inbox in a work environment and offer recommendations to avoid disaster.
Cyber threats in email
In cyber security there is a recurring phrase:
The human being is the weakest link.
In other words: a system could be equipped with the latest software for protection, but when it is managed by people, that protection may stop.
How is this possible?
It is due to phishing. It involves a series of techniques that exploit some of the weaknesses of the human being. These are:
- We all want to help.
- By default, we usually trust people.
- We don’t like to say “no”.
- We like to be praised.
Therefore, when an attack is launched through email, there are lots of successful methods that use phishing. The most common are malicious links, attachments with malware and identity theft. Let’s see each of these below.
Incoming emails arrive looking harmless: a sender, a subject, the body of the email and a link to click on.
The link should put you on notice, especially if the email comes from an unknown contact or it has not been requested.
Sometimes, nothing happens by clicking on the link, because the danger comes when the link leads to a fraudulent page (similar to the legitimate one), and we are asked for data that the attacker ends up obtaining.
→ Example of phishing attack in the mail
However, there are attacks in which it is enough to click on the link. There are cases when the computer becomes infected by loading a malicious page. That will depend on the type of threat you are facing.
Attachments with malware
In the same way that emails arrive with links, it’s usual to receive them with attachments. Many times these files come from legitimate people, which means that they send the files without the intention of carrying out an attack. The problem is that many files infect without users knowing.
Updated anti-virus should detect this situation.
However, the most common scenario is one in which a sender writes an email in a way that the recipient downloads and opens it without thinking too much.
An example of this situation occurs near the end of the tax year in Spain. Attackers send a message (sometimes by other methods such as SMS, Whatsapp or Telegram) where it is reported that the Tax Agency can not return the money to the taxpayer because of a lack of information. Therefore, the victim is asked to download the attached file and fill it with sensitive data.
From the official website, they recommend taxpayers never respond to any request for confidential, financial or personal information. Therefore, they advise distrusting any communication where confidential data is requested.
Another danger of attachments are the macros of office files, such as excel files.
A macro is a series of commands that are used to automate a repetitive task. The commands are executed when the tasks have to be performed.
Having the macros enabled by default entails a series of risks, such as the fact that the computer gets compromised when an infected excel is opened.
For this reason, it is highly recommended to have the macros disabled and to enable them only in cases where we are sure of the origin of the file. Also, it is recommended to scan it with an anti-virus before opening it. From this official Microsoft Office page, they teach you how to disable macros.
Identity theft (CEO scam)
Email is a great tool that allows us to maintain a communication with our contacts from anywhere and at any time.
Its great advantage is, at the same time, a great inconvenience for the users.
Lack of interaction face to face facilitates deception. That’s what identity theft is about, making the other person believe that they are dealing with the real person or company to get something out of their own benefit, in order to access data or steal money.
Within this section, the scam of the CEO is particularly important. In recent years, it has become a major threat to companies.
The scam of the CEO consists of posing as the head of a company or simply as a superior, when sending an e-mail to a worker of the company so that they have to make an urgent payment to a client. Cyber-criminals use an email address similar to the person they are posing as and facilitates the data so that the payment is made in their bank account.
→ Example of a CEO scam
Sometimes, this scam is also done by posing as a provider of the company, so you have to be careful with the information that is given out about the activities of the organization.
Training and security policies: the essentials to defend against e-mail threats
One of the first pieces of information that any employee should know when arriving at a new job is related to training in cyber security.
This is especially important in those companies and organizations with a technological base, since the more technology involved, the more likely it is that it will suffer cyber-incidents.
Cyber security professionals recommend prioritizing training over investment in security tools and software.
Becoming familiar with the policies of security of information technologies present in the company is one of the objectives of training. There must be a document that reflects the rules and procedures that must be applied or put in place when a situation arises that concerns the security of the company.
For example, in the security policies it should be clear how to use the company’s email or what to do when detecting a cyber threat in the inbox.
Other recommended actions to conserve the integrity of the data that we have in the inbox consist of enabling the double factor of authentication or encrypting the emails that are sent between workers. All precautions are small yet important when it comes to preserving the data in the information age.