Why email might be your biggest cyber security weak spot

4th May 2021

Back in 1971 when the first ever email was sent, nobody could have possibly predicted that it would still rule the internet airwaves into the 2020s. Long after social media and messaging apps have taken hold, email is still going strong.

However, email can be your weakest link when it comes to cybersecurity – due in part to the fact that it’s just so essential and so ingrained in our daily routines.

Are we saying not to use email? Absolutely not! But when it comes to online security, it pays to be aware of your potential vulnerabilities.

Phishing (the obvious one)

Let’s start with the one cyber infraction that gets the most fanfare – and for good reason. The 2021 DCMS Cyber Report tells us that phishing is still the most common threat vector around by far and it shows no signs of slowing down.

Other stats tell us that one in every 99 emails is a phishing attack, and that 25% of phishing emails squirm their way past default Office 365 security. Yikes!

Phishing emails can take many forms. They could present as a phony login request from trusted tech providers aiming to steal your access credentials for that service. Or they could be scary, officious-looking missives that mimic your bank, HMRC, or law enforcement and use sneaky social engineering psychology to extort sensitive information. Or they could be a targeted attack developed for a specific, high-profile individual with a surgically precise goal in mind. Needless to say, phishing threats aren’t to be taken lightly.

How to combat phishing threats

To defend against phishing attacks, three solutions come to mind: cyber-awareness training, mock phishing email training, and DNS filtering.

All of your team need cyber awareness training, even if their interactions with traditional IT systems are minimal. As well as other helpful cyber-safety knowledge, good training will keep your team on their guard for fraudulent emails and help them sense-check unsolicited messages that claim to be from trusted providers.

Sending your team harmless, mock phishing emails is a great way to test your team and embed their learning. These exercises show you how your team are likely to respond to a real phishing attack and how well they’ve taken any phishing training on board. Those who “fail the test” can be sent learning materials to get them back up to speed.

DNS content filtering can help keep your team from accessing known phishing links or domains with a poor reputation. Content filtering is valuable but it should only ever play second fiddle to training in the battle against phishing attacks.

Email credential theft

Think of all of the sensitive information that’s sitting in your email inbox and sent box right now. Depending on your role, that may include invoices, payment details, HR information, financials, and even (shock horror) logins shared in plain text.

Gaining access to your emails is also a valuable end goal for criminals so they can feast on the juicy information within. Unchecked access to a single email address can give a cybercriminal a real leg-up into your business’s internal workings.

However, it gets particularly dangerous if hackers are able to access an account with admin rights for your Office 365 or Google Workspace suite. Not only could the criminal pretend to be that person on email, but they could also hypothetically have access to sensitive documents; have the power to exclude or include individuals from services and data; or they could simply “smash and grab” what they can before anyone suspects a thing.

Sensitive access credentials aren’t just gathered through phishing, though. Usernames and passwords can be gained through all sorts of practices, like hashed password leaks, keyloggers, password spraying, server hacking, and more!

How to combat credential theft

Because usernames and passwords can be stolen in such myriad ways, it’s hard to give solid advice to prevent it from happening. However, there are a couple of best practices that can mitigate these threats.

Firstly, there’s multi-factor authentication (MFA). This is a way of authenticating users as they log in using additional credentials that only genuine users can access. Therefore, if a hacker did nab someone’s login details, they would still be unable to access the account in question without the additional authenticating steps.

You also need robust password policies that encourage your team to set strong passwords that change every 4-6 weeks. This is especially important for sensitive credentials like email, productivity, and collaboration tools.

Malware propagation through email

It may seem a little old-hat but malware can still reach you through email. It’s now fairly common knowledge that you shouldn’t open email attachments where you don’t trust or know the sender as they may contain viruses. Attached executable (.exe) files and macro-enabled documents should be treated with particular caution. It’s a particularly conspicuous way of spreading malware nowadays but it certainly still happens!

However, attachments aren’t the only way that cyber-nasties can end up on your machine. Simply clicking on a link in a dodgy email can result in a malware infection. In fact, if a phishing email is directing you to its own “login page” to harvest your information, there’s a chance that page may contain malware too, delivering a particularly destructive one-two punch.

Additionally, if your email software allows for something called “scripting” then code can be hidden and executed simply by opening the email itself.

How to combat malware infections via email

Before we say anything further, we need to stress a few points. Firstly, disable scripting in your email software, train your team not to open suspicious attachments or dodgy links, and keep each device’s “on-board” antivirus software up to date.

With that out of the way, you need to turn your attention to your network’s gateway antivirus defences – usually these are included with your firewall. Features like sandboxing, behaviour monitoring, deep-packet inspection, and content filtering can all help you keep malware at bay, especially dangerous zero-day threats.
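The attachment advice above (executables and macro-enabled documents deserve particular caution) and the gateway content filtering mentioned here can be illustrated with a small triage routine. This is an added example, not code from the original post or from any product it names; the attachment names, file contents and policy lists are constructed for the example, and a real gateway would add much more (sandboxing, signature scanning, reputation).

```python
"""Added example, not from the original post: gateway-style triage of mail
attachments for the two kinds the post singles out, executables and
macro-enabled Office documents. Filenames, policy lists and file contents
are constructed for this example."""
import io
import os
import zipfile

# Assumed policy: extensions that should never arrive by mail, and Office
# extensions that declare macros up front.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}


def build_ooxml(with_macros):
    """Build a minimal constructed Office Open XML package (a zip archive).
    Macro-enabled documents carry their VBA in a vbaProject.bin entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"constructed-vba-blob")
    return buf.getvalue()


# Constructed attachments: name -> bytes
SAMPLE_ATTACHMENTS = {
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # PE header behind a 'pdf' disguise
    "report.docx": build_ooxml(with_macros=False),
    "quote.docx": build_ooxml(with_macros=True),       # macros despite the harmless-looking extension
    "q2-figures.xlsm": build_ooxml(with_macros=True),
    "notes.txt": b"plain text, nothing to see",
}


def has_vba_project(data):
    """True if the bytes are a zip package containing a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(name, data):
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'allow'.
    Content checks (MZ header, vbaProject.bin) catch renamed files that the
    extension alone would let through."""
    base = name.lower()
    stem, ext = os.path.splitext(base)
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
        if os.path.splitext(stem)[1]:
            reasons.append("double extension hides the real type")
    if data[:2] == b"MZ":
        reasons.append("PE executable header (MZ)")
    if ext in MACRO_EXTENSIONS:
        reasons.append("macro-enabled Office extension")
    if has_vba_project(data):
        reasons.append("package contains vbaProject.bin (VBA macros)")
    if ext in BLOCKED_EXTENSIONS or data[:2] == b"MZ":
        return "block", reasons
    if reasons:
        return "quarantine", reasons
    return "allow", reasons


def triage_all(attachments):
    """Triage every attachment; returns name -> (verdict, reasons)."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:20} {verdict:10} {'; '.join(reasons)}")
```

The point of the content checks is that `quote.docx` looks like an ordinary document by extension but still carries macros, and `invoice.pdf.exe` is caught both by its extension and by its MZ header, so renaming the file would not help it through.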

Managed Detection & Response tools like Huntress further augment your antivirus measures by actively hunting down hidden, persistent threats. If a particularly unusual vulnerability does arise on a client’s machine, MDR providers will rope in actual, human security engineers to investigate.

Compromised Email Servers

We’ve already discussed how email accounts can contain a whole host of sensitive information. So, what if a hacker got hold of your whole email server?

You may have heard about the recent Microsoft Exchange Server exploits where state-sponsored actors and other online ne’er-do-wells accessed on-premise email servers, spreading untold chaos in their wake. Though Microsoft reports that 92% of these servers have now been patched or the threat mitigated, the exploits did give criminals a significant foothold in numerous large institutions around the world.

How to defend your email servers from compromise

Who’s looking at your email server’s usage and security logs? Are they constantly monitored, or just glanced at now and then? Do you have alerts set up to notify you when your sensitive servers receive requests from unusual places or at unusual times?

If the answer is “no” and you’re not sure that this is something you would be able to handle in-house, then you should really look into outsourcing this monitoring to a managed security service provider (like us!).
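The questions above about who watches the server's sign-in logs, and the password spraying mentioned earlier under credential theft, can both be answered with the same kind of log triage. This is an added example, not code from the original post or from any provider it names. The log format, business hours, expected country and thresholds are assumptions, and the log lines are constructed.

```python
"""Added example, not from the original post: triage of constructed
mail-service sign-in logs for two things the post raises, password
spraying (one source failing against many accounts) and sign-ins from
unusual places or at unusual times. Log format, business hours, expected
country and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: timestamp, source IP, country, account, outcome
SAMPLE_LOG = """\
2021-05-04T09:12:01Z 203.0.113.7 GB alice@example.com SUCCESS
2021-05-04T09:14:44Z 203.0.113.7 GB bob@example.com SUCCESS
2021-05-04T03:02:10Z 198.51.100.9 GB carol@example.com SUCCESS
2021-05-04T11:00:00Z 192.0.2.50 RU alice@example.com SUCCESS
2021-05-04T02:10:00Z 198.51.100.23 NL alice@example.com FAILURE
2021-05-04T02:10:03Z 198.51.100.23 NL bob@example.com FAILURE
2021-05-04T02:10:07Z 198.51.100.23 NL carol@example.com FAILURE
2021-05-04T02:10:11Z 198.51.100.23 NL dave@example.com FAILURE
2021-05-04T02:10:15Z 198.51.100.23 NL erin@example.com FAILURE
2021-05-04T02:10:19Z 198.51.100.23 NL frank@example.com SUCCESS
"""

BUSINESS_HOURS = range(8, 19)       # assumed: 08:00-18:59 UTC
EXPECTED_COUNTRIES = {"GB"}         # assumed: where staff normally sign in from
SPRAY_MIN_ACCOUNTS = 5              # assumed: distinct accounts one IP must fail against


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, country, account, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "country": country,
            "account": account,
            "success": outcome == "SUCCESS",
        })
    return events


def unusual_successes(events):
    """Successful sign-ins outside business hours or from an unexpected country.
    Returns (account, ip, reasons) tuples in log order."""
    alerts = []
    for e in events:
        if not e["success"]:
            continue
        reasons = []
        if e["time"].hour not in BUSINESS_HOURS:
            reasons.append("out-of-hours")
        if e["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected-country")
        if reasons:
            alerts.append((e["account"], e["ip"], reasons))
    return alerts


def password_spray_sources(events):
    """Source IPs whose failures span at least SPRAY_MIN_ACCOUNTS distinct accounts.
    Spraying tries one or two passwords against many accounts, so per-account
    lockout thresholds never trip; counting accounts per source does."""
    failed_accounts = defaultdict(set)
    for e in events:
        if not e["success"]:
            failed_accounts[e["ip"]].add(e["account"])
    return {ip: sorted(accts) for ip, accts in failed_accounts.items()
            if len(accts) >= SPRAY_MIN_ACCOUNTS}


def successes_from_spray_sources(events):
    """Accounts that a spraying source eventually signed into: the highest-priority alert."""
    sprayers = password_spray_sources(events)
    return [e["account"] for e in events if e["success"] and e["ip"] in sprayers]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for account, ip, reasons in unusual_successes(evts):
        print(f"unusual sign-in: {account} from {ip} ({', '.join(reasons)})")
    for ip, accounts in password_spray_sources(evts).items():
        print(f"possible password spray from {ip} against {len(accounts)} accounts")
    for account in successes_from_spray_sources(evts):
        print(f"likely compromised: {account}")
```

The three checks are deliberately layered: an out-of-hours sign-in on its own is only a question to ask, but a success from a source that has just failed against five other accounts is the one to act on first.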

Email spoofing

Did you know it’s technically possible to make an email look like it has come from any sender? This is called spoofing, and it’s scary stuff.

For example, a hacker could send an email to the head of accounts payable that, for all intents and purposes, looks like it’s coming from the Finance Director. It’s a sudden, urgent, strangely worded request to pay an invoice they’d never heard of, but because it has come from the FD, it must be important. So, the invoice gets paid and the criminals get richer.

Because you know the person being impersonated or they have some influence in your company, you’re more likely to do their bidding compared to a stranger, or compared to a phishing email from a known brand. You can imagine all kinds of hare-brained schemes that hackers could come up with – spoofing a trusted IT team member’s email to distribute malware; impersonating a client to gather sensitive information about them; the sky’s the limit!

How to combat email spoofing

This may depend heavily on your own individual setup, but you can protect your domain from spoofing using measures called SPF, DKIM, and DMARC. They’re a bit complex to get into here, but speak to whoever handles your IT security about getting them set up. If you don’t have a security person to call, we’re right here!
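Since the post leaves SPF, DKIM and DMARC as names, here is an added example (not from the original post) of what checking them looks like: a weak set of DNS TXT records beside a hardened set, and a checker that reports the settings that leave a domain spoofable. The records are constructed stand-ins for DNS answers, `example.com` is a reserved example name, and the DKIM selector and key value are placeholders.

```python
"""Added example, not from the original post: flag the weak SPF, DKIM and
DMARC settings that leave a domain open to spoofing. The TXT records are
constructed stand-ins for DNS lookups; selector and key are placeholders."""

# Constructed records as they might be published today: SPF that allows any
# sender, DMARC that only monitors, and a DKIM key that has been revoked.
WEAK_RECORDS = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p="],
}

# The same domain with the three measures set up properly.
HARDENED_RECORDS = {
    "example.com": ["v=spf1 include:_spf.mailprovider.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "sel1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}


def parse_tags(record):
    """Split a 'k=v; k=v' record (DMARC and DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records, domain):
    """SPF lists the hosts allowed to send for the domain; the 'all' term decides
    what happens to everyone else."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "SPF: no record, so any host may claim to send for the domain")]
    if len(spf) > 1:
        findings.append(("high", "SPF: more than one record; receivers treat this as a permanent error"))
    terms = spf[0].split()
    if "+all" in terms or "all" in terms:
        findings.append(("high", "SPF: '+all' authorises every sender on the internet"))
    elif "?all" in terms:
        findings.append(("medium", "SPF: '?all' is neutral and gives no protection"))
    elif "~all" in terms:
        findings.append(("info", "SPF: '~all' softfail; acceptable only alongside an enforcing DMARC policy"))
    elif "-all" not in terms:
        findings.append(("medium", "SPF: no 'all' mechanism, unlisted senders are treated as neutral"))
    return findings


def check_dmarc(txt_records, domain):
    """DMARC tells receivers what to do with mail that fails SPF/DKIM alignment
    and where to send reports about it."""
    findings = []
    recs = [r for r in txt_records.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "DMARC: no record, receivers cannot be told to reject spoofed mail")]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("high", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("info", "DMARC: p=quarantine sends failures to spam rather than rejecting them"))
    elif policy != "reject":
        findings.append(("high", f"DMARC: missing or unknown policy '{policy}'"))
    if policy in ("quarantine", "reject") and int(tags.get("pct", "100")) < 100:
        findings.append(("medium", f"DMARC: pct={tags['pct']} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(("medium", "DMARC: no rua address, so you get no reports of who is sending as you"))
    return findings


def check_dkim(txt_records, domain, selectors):
    """Each selector your mail system signs with must have a public key published."""
    findings = []
    for sel in selectors:
        name = f"{sel}._domainkey.{domain}"
        recs = txt_records.get(name, [])
        if not recs:
            findings.append(("high", f"DKIM: no key published at {name}"))
        elif not parse_tags(recs[0]).get("p"):
            findings.append(("high", f"DKIM: key at {name} is revoked (empty p=)"))
    return findings


def assess_domain(txt_records, domain, selectors):
    """Combine the three checks; 'spoofable' is True when any finding is high."""
    findings = (check_spf(txt_records, domain) + check_dmarc(txt_records, domain)
                + check_dkim(txt_records, domain, selectors))
    return {"domain": domain, "findings": findings,
            "spoofable": any(sev == "high" for sev, _ in findings)}


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        result = assess_domain(records, "example.com", ["sel1"])
        print(f"{label}: spoofable={result['spoofable']}")
        for severity, message in result["findings"]:
            print(f"  [{severity}] {message}")
```

To run this against a real domain you would replace the dictionaries with the results of TXT lookups for the domain, `_dmarc.<domain>` and each `<selector>._domainkey.<domain>`; the selectors come from the `s=` tag in the DKIM-Signature header of mail your own system sends.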

Email impersonation

Impersonation is a similar problem but achieved a little differently. It happens when a criminal registers a domain that’s very similar to yours, perhaps using an “i” instead of an “l” or something equally sneaky. Then all they need to do is create an email address using that domain that is otherwise the same as someone in your company with some authority.

With this close duplicate of the person’s email address, they can impersonate that individual and carry out the same sort of schemes as detailed above. The psychology of an impersonation attack is the same as in a spoofing attack: you’ll generally oblige someone you know and trust (or someone you need to keep happy!).

How to combat email impersonation

Content filtering tools can help defend against emails coming from newly set up domains – sometimes called “baby domains.” Most productivity suites like Office 365 and Google Workspace allow for some kind of warning or filtering system that alerts you about messages received from addresses that are suspiciously similar to ones within your organisation.
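The "suspiciously similar" check described above can be made concrete. This is an added example, not code from the original post or from Office 365 or Google Workspace: it classifies sender domains as trusted, lookalike or plain external against the domains you own. The protected domain, the sample sender addresses and the folding rules (rn for m, i or 1 for l, 0 for o, accented letters) are constructed for the example; a production filter would use a fuller confusables table.

```python
"""Added example, not from the original post: classify sender domains as
trusted, lookalike or external against the organisation's own domains.
Protected domain, sample addresses and folding rules are constructed."""
import unicodedata

PROTECTED_DOMAINS = {"example.com"}   # assumed: the organisation's own domain(s)

# Constructed sender addresses to classify
SAMPLE_SENDERS = [
    "fd@example.com",
    "fd@mail.example.com",                  # own subdomain
    "fd@exarnple.com",                      # 'rn' looks like 'm'
    "fd@exampie.com",                       # 'i' looks like 'l'
    "fd@examp1e.com",                       # digit '1' looks like 'l'
    "fd@example.co",                        # dropped letter
    "fd@" + "ex\u00e4mple.com".encode("idna").decode("ascii"),   # punycoded accented letter
    "fd@example.com.attacker-mail.net",     # own name used as a subdomain label
    "newsletter@supplier.net",
]

# Characters folded to the letter they are commonly mistaken for
CONFUSABLE_CHARS = str.maketrans("1i0|5", "llols")


def fold(domain):
    """Reduce a domain to a form in which visually similar spellings collide."""
    d = domain.lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")      # xn--... labels back to Unicode
    except (UnicodeError, ValueError):
        pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # drop accents
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(CONFUSABLE_CHARS)


def levenshtein(a, b):
    """Edit distance; one edit away from your own domain is close enough to flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, protected=PROTECTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for the address's domain."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return "trusted"
    folded = fold(domain)
    for p in protected:
        if domain.startswith(p + "."):          # example.com.<something else>
            return "lookalike"
        if levenshtein(folded, fold(p)) <= 1:   # identical after folding, or one edit away
            return "lookalike"
    return "external"


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:40} {classify_sender(sender)}")
```

A filter built on this would add a banner or quarantine a message classified as lookalike, and do so before the recipient sees the display name, which is the part of the message the impersonator controls completely.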

The Ideal Solution: Managed Security Monitoring

Even with the best preventative measures that money can buy, you still need access to cyber-experts who can monitor your security alerts, protect you from emerging threats, and keep your day-to-day security measures in tip-top shape.

As part of our Network Security Monitoring/MSSP service we’ll keep a constant, vigilant eye on your network security; keeping your security tools up to date, looking into suspicious activity, monitoring alerts, and keeping a close eye on sensitive access and usage logs. We don’t just save you from routine threats – we’ll also proactively defend you from mysterious cyber-nasties that may be lurking on the horizon and hunt down hidden footholds before they become bigger problems.

You’re in safe hands with our cyber security team