Around 70% of malware attacks that a business might fall victim to are the result of an infected or malicious email, due to poor email security.
Malware delivered by email is usually designed to trick a user into opening an infected attachment or clicking on a link to an infected website. Scams are now also commonly used to trick the user into granting remote access voluntarily.
In any case, these are all ways (attachments, links, scams) of delivering a ‘payload’, which is the actual point of the attack. In terms of payload contents, the most notable trend of the last 3 years has been the massive increase in ransomware, although more old-fashioned payloads such as trojans are as prevalent as ever.
Let’s begin by looking at how to prevent an attack before it even begins. And for that, email safety is often the single most important area to look at.
The first point to make is that blocking all spam, junk, and scam emails is virtually impossible without also blocking legitimate emails in the process.
It is estimated that over 90% of all emails sent globally every day are spam.
Already the biggest challenge all email hosting providers face is how to block spam. Of course, no one wants to miss legitimate emails that they are expecting and need to receive. Even with all the incredible spam detection measures in place on all good email platforms, email providers can’t set the spam detection sensitivity so high that it starts blocking legitimate emails.
This is especially problematic when dealing with scam emails. If two identical emails arrive at your server, both asking you to ‘click here to view your shipping invoice’, it’s very difficult to make a judgement as to which one is real, and which is fake.
The best email hosting systems have multiple layers of security in place to try to distinguish between a legitimate and fake email.
For example, the sender’s location, reputation, server identity (e.g. SPF records), and sending behaviour are all taken into account. Any suspected spam emails are placed into your spam folder, where there are further controls in place (such as blocking links and images) to prevent tracking or accidental user interaction. Links and attachments are scanned for viruses automatically. Any email containing a malicious link or attachment is quarantined automatically.
Organisation-wide policies can also be set for your email hosting, enforcing strict rules which are designed to prevent malicious emails. But even using the best email malware detection systems, some threats such as scams are impossible to block entirely. The things a scammer will say will be exactly the same as those said by a legitimate sender, and it almost always takes a human to know the difference.
Firstly, scrutinise the email. Who is it from? Do you know the sender? If you do know the sender, check the email address that the email has been sent from. A very common tactic that attackers and scammers will use is to hide behind a fake name.
For example, you receive an email from HMRC saying ‘click here to pay your tax bill’. Have a look at who has sent the email. It will be displayed as the sender’s name, followed by their email address.
It might be ‘HMRC Tax Department email@example.com’
Or it might be ‘HMRC Tax Department firstname.lastname@example.org’
The first example could well be genuine, and the second example is almost certainly a scam. The problem is that many email clients (e.g. looking at an email on your iPhone) will display the sender’s name very prominently but may not obviously show the email address at all. This is a problem because the ‘name’ field is something the sender chooses themselves with no restriction. The sender’s email address, however, can’t be faked, at least not without great difficulty.
Make sure you don’t just look at the sender’s name (they could claim to be anyone) but instead look at their email address. Make sure the domain (the bit after the @ sign) is something legitimate. The previous example shows a common tactic: they will register a junk domain which has the relevant company name in it, followed by a string of random numbers and letters.
A real email from Barclays for example will be from ‘Barclays Customer Services email@example.com’, it won’t be from something like ‘Barclays Customer Services firstname.lastname@example.org’.
Don’t fall victim to the oldest trick in the book. Look at the full email address and consider: does it have extra unnecessary numbers and letters? Does it look neat and tidy? Don’t just look at the sender’s name, as they can enter anything into that field.
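The check described above, comparing the name a sender displays with the domain of their actual address, can also be automated. The following is an added example, not part of the original article; the brand list and the `.example` domains are constructed assumptions to be replaced with the senders your organisation really deals with.

```python
from email.utils import parseaddr

# Assumption: brands you expect mail from, mapped to the domains they
# really send from. The .example domains are constructed placeholders.
TRUSTED_DOMAINS = {
    "hmrc": {"hmrc.example"},
    "barclays": {"barclays.example"},
}


def domain_matches(domain, trusted):
    """True if domain is a trusted domain or a subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_sender(from_header):
    """Classify a From header as 'ok', 'suspicious' or 'unknown'.

    'suspicious' means the display name or the address domain mentions a
    known brand, but the address is not on that brand's trusted list.
    """
    name, address = parseaddr(from_header)
    _, at, domain = address.lower().rpartition("@")
    if not at or not domain:
        return "suspicious"  # a display name with no usable address
    for brand, trusted in TRUSTED_DOMAINS.items():
        if brand in name.lower() or brand in domain:
            return "ok" if domain_matches(domain, trusted) else "suspicious"
    return "unknown"  # no known brand claimed; needs human judgement


# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "HMRC Tax Department <refunds@hmrc.example>",
    "HMRC Tax Department <refunds@hmrc-tax-x7f39qk2.example>",
    "Barclays Customer Services <help@mail.barclays.example>",
    "Barclays Customer Services <help@barclays.example.secure-login.test>",
    "Jo Bloggs <jo@supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):<10} {header}")
```

The fourth sample shows why the comparison is made against the end of the domain: a trusted name placed at the start of a longer junk domain does not make the address legitimate.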