That’s not hyperbole. According to some estimates, 3.4 billion of the emails sent are from bad actors, most of them designed to mimic a trusted sender. And this activity, known as “phishing,” can have very real consequences.
Take, for example, the sophisticated attacks aimed at Facebook and Google between 2013 and 2015. The attacks, which involved a series of fake invoices disguised as coming from the Taiwan-based company Quanta, cost the two companies $100 million before the scam was discovered.
Keep in mind that the victims of these attacks were Facebook and Google, two of the biggest tech companies on the planet. If disguised emails can break through their security measures, what are small and mid-sized companies supposed to do to protect themselves?
The answer has two parts: good ol’ common sense and ever-evolving technical controls.
In any security measure, the weakest link is always the human element.
Common mistakes include passwords that are reused or stored in easily accessible locations, credentials that are conned out of unsuspecting people over the phone, and badges that are stolen and duplicated. The list goes on and on.
Victims of successful phishing attacks often miss signs that an email they’ve received is fraudulent. Sometimes this can be chalked up to simple inattentiveness on the part of the recipient. But as scams have become more sophisticated, even the most vigilant can be bamboozled.
Here’s how phishing attacks commonly work:
Simply opening one of these scam emails is generally harmless. But should a recipient follow the instructions inside — say, logging into an account to verify their identity or check the activity on their account — the information they provide is easily captured.
So what should users be on the lookout for in these deceptive emails? Areas to check include:
But even if each of these areas appears legitimate, it’s still worth doing a little digging if something about an email feels off.
For example, if an email from Amazon asks you to verify your name and password, go directly to the Amazon website and log in there rather than through the link in the email. If you have a legitimate issue, you’ll be prompted to fix it on the actual site.
Every email provider offers tools for protecting against phishing attacks.
Microsoft, for example, has a full suite of security measures both paid and unpaid that are available as part of its Office 365 SaaS offering.
As effective as these tools are, though, using them properly is often beyond the capabilities of the average email user.
That’s where IT comes in. Every professional IT department or organization has a list of best practices for email security. At Dynamic Computing, we focus on:
In addition to these steps, we have a “nuclear” option should a phishing scam successfully hit its mark. Upon discovering that credentials have been compromised, we immediately terminate every active connection to the account until new passwords have been created — effectively cutting off access for hackers before they can do any more damage.
While this response is certainly annoying for a user, it pales in comparison to the harm that compromised credentials can cause to a business or an individual, not just financially but reputationally as well.
Humans may learn best from firsthand experience, but when it comes to email security, the last thing you want to do is learn from a mistake.
As email phishing attacks continue to evolve, it’s important to educate yourself and your employees on how not to fall for a scam. It’s also critical to fully leverage the tools and best practices provided by IT and email providers.
Bad actors are everywhere, and their means of conning unsuspecting people out of information are only getting more sophisticated. With the right guidance from IT professionals, you can have the security you need to keep every inbox scam-free.