Many business owners still assume that “hackers” are the only real cyber threat, and that their business is too small for a hacker to target. While this may have been true 20 years ago, technology has evolved to the point where a person with very basic computer skills can execute a cyber-attack with ease. From “ransomware as a service” solutions to pre-built phishing campaigns, all it takes is a few dollars and your neighbor can attack thousands of small businesses within minutes. These days, small businesses are targeted en masse because they are the low-hanging fruit with minimal cybersecurity budgets and expertise. And bad actors favor one attack vector above all else: your email.
Why is email such an easy target for cyber criminals?
Have you ever worked with or for a business that doesn’t use email? Email is ubiquitous and remains the primary means of communication for businesses around the world. This abundance of people using email makes it a great launching point for cyber-attacks. After all, most modern cyber-attacks are simply a game of odds. The more people that can be targeted in an attack, the greater the odds of success. Mass use isn’t the only thing that makes email a great platform for attacks, though.
Email is rarely private
Think about all the different services, websites, and businesses that have your email address. Now, think about all those data breaches you hear of in the news. Was Yahoo! hacked because the hackers wanted to steal money from Yahoo! or hold them hostage? No. The hackers simply wanted the list of email addresses (and passwords in this example). Breaches like this happen often, and your personal and business email addresses have likely already been exposed in one. That means you are now an easy target for email-based attacks.
Email is easy to spoof
Have you ever seen one of those emails that appeared to come from someone you trust, but ended up being fake? It may seem like black magic to most, but spoofing an email so that it appears to come from a specific person with their exact email address is actually very easy to do. And, since most people are taught to look at the email address to verify if the sender can be trusted, they don’t think twice about an email address that appears to be correct.
Email is overwhelming
The average office worker receives 121 emails per day. If everyone were “vigilant” with their emails and reviewed each one carefully, they would spend over 25% of their day just reviewing emails. That is an unreasonable expectation given the inundation of emails that people experience, so it makes sense that people quickly skim through emails and click things they shouldn’t. And this is exactly what bad actors count on.
Email is easy to infiltrate
All the above reasons have to do with an “outside-in” type of attack. But another common and effective attack strategy, business email compromise, focuses on gaining access to someone’s email account first and then attacking other people in the business from within. Remember that Yahoo! breach we mentioned? The other piece of data hackers stole was user passwords. Unless the user has taken extra precautions, such as enabling multi-factor authentication (“MFA” or “2FA”) on their email account, a bad actor simply needs to plug in an email address and password, and they’re inside the user’s email account without any indication of compromise. In a business environment, and with a little bit of digging, the bad actor can quickly draft an email from the CEO or other influential role in the organization, directing recipients to perform actions or route money to the benefit of the bad actor.
Email is insecure by default
Aside from some basic junk email filtering, nearly all email platforms disable their advanced threat protection features by default, or they lack the capabilities altogether. Unless businesses shoulder this burden or hire an industry expert to help them implement these controls, they are left vulnerable to attack. Sadly, this is true for the vast majority of small businesses.
So, what can a small business do to protect itself?
Let’s first bust one myth: Yes, small businesses can easily afford to implement a proper email threat protection solution. Some managed I.T. service providers (“MSPs”), such as Digital Boardwalk, even provide the technology for free to their clients. So, the obvious first step is to hire a cybersecurity service provider with specific expertise in email threat protection.
Block spoofing attacks
Remember that example we provided where a user receives an email that appears to come from someone they trust, including the correct name and email address? Well, email has a hidden mechanism (known as email headers) that can be used to identify the true sender of the email. Email threat protection platforms, such as Digital Boardwalk’s EnsureMail™ solution, can scan those email headers and detect when an email claims to have originated from one sender, but actually came from someone else. These solutions can even detect if the sender is spoofing just the person’s name but is using a different email address.
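The two header checks described above can be sketched in a few lines of Python. This is an added example, not code from EnsureMail or any other product; the `KNOWN_SENDERS` directory, the finding labels, and all sample addresses and domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed directory (assumption): display names of real staff -> their true address.
KNOWN_SENDERS = {"jane doe": "jane.doe@example.com"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoof_findings(raw):
    """Return a list of spoofing indicators found in one message's headers."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    # Only trust Authentication-Results stamped by your own receiving server.
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    # Visible sender and envelope sender disagree, and DMARC did not vouch for it.
    if domain_of(from_addr) != domain_of(envelope_addr) and "dmarc=pass" not in auth:
        findings.append("from-envelope-mismatch")
    if "dmarc=fail" in auth:
        findings.append("dmarc-fail")
    # Right name, wrong address: only the display name matches a known person.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-spoof")
    return findings

def make_message(return_path, auth_results, from_header):
    # Constructed sample headers; every domain here is a placeholder.
    return (f"Return-Path: <{return_path}>\n"
            f"Authentication-Results: mx.example.net; {auth_results}\n"
            f"From: {from_header}\n"
            "Subject: Updated wire instructions\n\nPlease use the new account.\n")

EXACT_SPOOF = make_message("bounce@bulk.example.org",
    "spf=pass smtp.mailfrom=bulk.example.org; dmarc=fail header.from=example.com",
    "Jane Doe <jane.doe@example.com>")
NAME_SPOOF = make_message("jane.doe.ceo@freemail.example.net",
    "spf=pass smtp.mailfrom=freemail.example.net; dmarc=pass header.from=freemail.example.net",
    "Jane Doe <jane.doe.ceo@freemail.example.net>")
LEGITIMATE = make_message("jane.doe@example.com",
    "spf=pass smtp.mailfrom=example.com; dmarc=pass header.from=example.com",
    "Jane Doe <jane.doe@example.com>")

if __name__ == "__main__":
    for label, raw in [("exact", EXACT_SPOOF), ("name", NAME_SPOOF), ("legit", LEGITIMATE)]:
        print(label, spoof_findings(raw))
```

The name-only spoof passes SPF and DMARC for its own domain, which is why the display-name comparison is a separate check from the authentication results.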
Block phishing attacks
Phishing emails are one of the most popular attack strategies today. They are designed to trick the email recipient into providing information or taking action, and usually have some sense of urgency to them. They also often spoof popular brands or services that users wouldn’t think twice about. Most phishing emails have distinct characteristics, either in the way that they are worded or designed, that email threat protection solutions can identify and block.
Block foreign countries
Does your business work with customers or suppliers in Latvia? No? Then why allow those emails through? By limiting what countries you allow email to be received from, you can reduce a significant amount of unsolicited and malicious emails from reaching users in your organization.
Block or modify email attachments
If a bad actor were to send a user an email with a malware installer attached, all it would take is a single click and the attack could propagate throughout the business. Bad actors can even embed malicious scripts in Microsoft Office documents and PDFs. But users practically never need to receive executable software as email attachments or use scripts within PDFs and Office files. So, once again, why allow it? Industry-leading email threat protection platforms can strip emails of executable attachments, and can even modify Office documents and PDFs to strip them of scripts while still allowing the email and attachments to come through like normal.
Block all the junk and unsolicited emails
One of the biggest reasons people fall for email-based attacks is that they’re simply too inundated with email and don’t have the time to spot the suspicious emails. But what if users only ever receive solicited emails? If a user is now only receiving 20 emails per day from trusted contacts, and suddenly one comes in that they weren’t expecting, it’s now far easier for them to spot the tell-tale signs of a phishing attempt and delete the email. While all the other security tactics are incredibly important, simply blocking all the junk and unsolicited emails is proven to be one of the most effective ways of reducing email-based attacks.
No email threat protection solution is perfect
As is true with every other cyber defense solution, there will inevitably be emails that slip through the filters (false negatives), or legitimate emails that get caught by the filters (false positives). The gut reaction from many organizations is to immediately modify the security policies with overrides that explicitly allow or block certain emails. This approach is extremely risky, though, as it bypasses many of the other security features designed to keep the business safe. Do you want to explicitly allow that email from PayPal? What happens in two months when a bad actor sends your business a phishing email campaign that spoofs PayPal? Now, every one of your users is vulnerable to the attack.
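The override risk described above can be shown with a small model of a filter's decision logic. This is an added example, not any vendor's policy engine; the message fields, the 0.5 score threshold, the `payments.example` domain, and the authentication-gated variant are assumptions chosen for illustration.

```python
# Hypothetical filter model: each message is reduced to facts a filter would
# extract. Both samples are constructed and claim the same sender domain.
GENUINE = {"from_domain": "payments.example", "dmarc": "pass", "phish_score": 0.6}
SPOOFED = {"from_domain": "payments.example", "dmarc": "fail", "phish_score": 0.9}

ALLOWED = {"payments.example"}  # the override added after a false positive

def base_verdict(msg):
    """Normal checks: failed authentication or a high phishing score quarantines."""
    if msg["dmarc"] == "fail" or msg["phish_score"] >= 0.5:
        return "quarantine"
    return "deliver"

def verdict_blanket_override(msg, allowed_domains):
    # Risky form: the allow entry short-circuits every other check, so any
    # message that merely claims the allowed domain is delivered.
    if msg["from_domain"] in allowed_domains:
        return "deliver"
    return base_verdict(msg)

def verdict_scoped_override(msg, allowed_domains):
    # Narrower form (an assumption, one possible tuning): the entry relaxes
    # content scoring only for mail that also passed DMARC.
    if msg["from_domain"] in allowed_domains and msg["dmarc"] == "pass":
        return "deliver"
    return base_verdict(msg)

def compare(msg):
    """Return (no override, blanket override, scoped override) verdicts."""
    return (base_verdict(msg),
            verdict_blanket_override(msg, ALLOWED),
            verdict_scoped_override(msg, ALLOWED))

if __name__ == "__main__":
    print("genuine:", compare(GENUINE))
    print("spoofed:", compare(SPOOFED))
```

The genuine notice is a false positive without any override; the blanket entry fixes that but also delivers the spoofed copy, while the scoped entry keeps the spoofed copy in quarantine.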
Experienced cybersecurity experts will help you carefully evaluate why an email was either blocked or allowed through unexpectedly, and they will tune your security policies to find the best balance between email delivery and security. They will also show you how to use other tools, like a real-time email quarantine portal, which lets you periodically check your email quarantine throughout the day and release emails that may have been blocked in error, all without having to explicitly allow those emails and jeopardize the organization’s security.
Remember: Emails aren’t always what they appear
If you have been corresponding with a supplier for years, and then suddenly one day you see an email from them blocked by your email threat protection platform, it may not be a false positive like you’d first expect. Remember that scenario we mentioned earlier regarding business email compromise? Your supplier could have been a victim of a business email compromise attack themselves, and now they are sending malicious emails to their customers. Your email threat protection platform would have successfully identified this phishing attempt and quarantined the email appropriately.
Once again, it is important to partner with a cybersecurity and email threat protection expert that can help you navigate all these “what if” situations and help your business implement an effective defense strategy that keeps your users as safe as possible.