Your guide to business email security


We explain how to protect your email from malware, phishing, ID theft and loss of critical business data.

Despite the growing use of other communication methods, email is still a key tool for many businesses. However, it’s also still one of the primary attack points for malware and phishing attacks that lure people to fake login pages so they reveal their login credentials.

As we’ve reported several times, email scams include fake invoices or other transactions purporting to be from Telstra, Commonwealth Bank, Xero, ASIC, MYOB, eWay, EnergyAustralia, Origin Energy, toll providers and more.

This makes it especially important to take steps to keep email secure.

Avoiding malware, phishing and other nasties

To protect your business from malware and phishing attacks, it makes sense to keep potentially malicious emails out of your and your employees' inboxes.

If your business runs its own mail server or you're not happy with the quality of filtering provided by your mail provider, there are some specialist filtering services.

Examples include locally based MailGuard, as well as Barracuda, Mimecast, Sophos and Symantec.

Such services typically work by filtering email before it even reaches your or your provider's servers. You change your domain's MX record to point to the filtering service, and tell the service where to deliver the filtered emails. One check worth making once this is set up: configure your own mail server (or ask your provider) to accept inbound mail only from the filtering service's addresses, otherwise a sender who knows your server's real hostname can deliver straight to it and bypass the filter entirely.

Phishing attacks, such as this fake ASIC renewal notice, can look realistic.
(Picture courtesy of MailGuard)

Another part of your strategy is likely to be to train staff to be suspicious when dealing with emails. One local service that has this goal is Shearwater Solutions' Phriendly Phishing awareness and simulation program.

Unfortunately, it seems training won't work with some people as they show an apparent willingness to allow themselves to be taken in repeatedly. Hopefully you will have few, if any employees in that category.

You do need an approach that combines technological and people-centric methods. The former should keep most email-borne threats away from your organisation, but the latter is particularly important for dealing with a category of fraud known as business email compromise or impersonation fraud.

The way this works is that the crooks gain access to a business owner's or senior executive's email account (typically by spearphishing, or highly targeted phishing), and use that along with the information it contains to send an email ordering funds to be transferred to a certain account. In some cases the email doesn't actually come from the executive's account, but its details are 'spoofed' (faked) so that it does appear to do so: the display name is the executive's, while the underlying address is a free webmail account or a look-alike domain that differs from yours by a character or two.

A related fraud is to pose as a representative of one of the business's suppliers, asking that payment of outstanding invoices be made to a 'new' bank account.

Either way, any money paid is quickly transferred through a series of accounts, making it almost impossible to recover the funds.

The targeted nature of such attacks means they may pass beneath the radar of automated email filters, which largely rely on spotting significant numbers of similar messages. So you need people to be on their guard, and establish procedures that help protect against impersonation frauds.

These include checking any unusual internal requests for payments regardless of who they come from, as well as any changed payment instructions from suppliers. In either situation, such checks should NOT be made via email (a reply goes straight back to the crook), and should not use a phone number given in the suspect email either: speak to the person face to face, or call them on a number you already hold on file.
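The header tricks described above (an executive's display name on an outside address, a Reply-To that points somewhere else, a look-alike of your own domain) are cheap to check by machine even when a volume-based filter sees nothing unusual. The following is an added example, not code from the article or from any of the vendors it names; the company domain, executive names, and the three sample messages are all constructed for illustration. It parses each message with Python's standard email library and returns a set of findings. A "payment request" finding is raised for any message that mentions transfers or bank details, whoever it appears to come from, because the procedure above says those get verified out of band regardless.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example (assumptions, not from the article).
COMPANY_DOMAIN = "example.com.au"
EXECUTIVES = {"jane smith", "raj patel"}  # display names staff are inclined to trust
PAYMENT_WORDS = re.compile(
    r"\b(transfer|wire|remit|invoice|bank account|bsb|payment details)\b", re.I
)

# Digits commonly swapped for letters in look-alike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise_domain(domain: str) -> str:
    """Fold digit look-alikes to letters and 'rn' to 'm' so examp1e.com.au compares equal to example.com.au."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small distances to our domain are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    if domain == COMPANY_DOMAIN:
        return False
    return (
        normalise_domain(domain) == normalise_domain(COMPANY_DOMAIN)
        or edit_distance(domain, COMPANY_DOMAIN) <= 2
    )


def analyse(raw_message: str) -> set:
    """Return the set of impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = set()

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # Executive's name on an address that is not ours.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.add("display_name_impersonation")

    # Domain that only looks like ours.
    if is_lookalike(from_domain):
        findings.add("lookalike_domain")

    # Replies silently redirected to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.add("reply_to_mismatch")

    # Any payment or bank-detail request gets verified by phone, whoever sent it.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_WORDS.search(body or "") or PAYMENT_WORDS.search(msg.get("Subject", "")):
        findings.add("payment_request_verify_out_of_band")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit": """From: "Jane Smith" <jane.smith@example.com.au>
To: accounts@example.com.au
Subject: Weekly update

Nothing to action this week.
""",
    "spoofed_exec": """From: "Jane Smith" <jane.smith@ceo-mail.example>
Reply-To: jane.smith@other-mail.example
To: accounts@example.com.au
Subject: Urgent

I need you to transfer $48,000 today, details to follow. Do not call, I am in a meeting.
""",
    "lookalike_supplier": """From: "Accounts Payable" <accounts@examp1e.com.au>
To: accounts@example.com.au
Subject: Updated bank details

Please update our bank account details for all outstanding invoices.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {sorted(analyse(raw)) or 'no findings'}")
```

The look-alike check here only compares against your own domain; in practice you would also feed it the domains of your regular suppliers, since the "new bank account" fraud usually arrives from a look-alike of theirs.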

Protecting your business data

We've dealt with keeping unwanted emails out, but how do you stop them leaving your organisation? There have been plenty of cases where employees have accidentally emailed sensitive information to the wrong people, or deliberately sent it to their own private email accounts for subsequent misuse.

One solution is what’s known as data loss prevention (DLP), where outgoing emails are analysed for sensitive content – although in practice, DLP systems can address more channels than just email.

A DLP policy in Office 365 protects against sending sensitive data.

That can be as simple as looking for credit card numbers or copies of files that are known to be sensitive, but can be a lot more complicated and context-dependent.

DLP is a feature of G Suite Enterprise, Exchange Server 2016 and Office 365, among others. Email DLP is also offered by services such as McAfee, Proofpoint and Symantec.
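The two simplest DLP rules mentioned above, spotting credit card numbers and recognising copies of known sensitive files, can be shown in a few dozen lines. The following is an added example written for this article, not code from Office 365, G Suite or any of the vendors named; the sensitive-file digest, the sample message body and the attachment are all constructed. Card numbers are found by regular expression and then confirmed with the Luhn check, which removes most false positives from phone numbers, order references and similar digit runs; attachments are matched by SHA-256 digest against a list of files the business has classified as sensitive.

```python
import hashlib
import re

# Constructed: digests of files the business has classified as sensitive (assumption).
SENSITIVE_DOC_HASHES = {
    hashlib.sha256(b"CONFIDENTIAL customer list 2019").hexdigest(): "customer-list.xlsx",
}

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, masked to the last four digits."""
    found = []
    for candidate in CARD_CANDIDATE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_ok(digits):
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def find_sensitive_attachments(attachments: dict) -> list:
    """attachments maps filename -> bytes; match content by digest, so renaming the file does not help."""
    hits = []
    for name, data in attachments.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in SENSITIVE_DOC_HASHES:
            hits.append(f"{name} (matches {SENSITIVE_DOC_HASHES[digest]})")
    return hits


def scan_outbound(body: str, attachments: dict) -> dict:
    """Policy decision for one outgoing message: block if either rule fires."""
    cards = find_card_numbers(body)
    docs = find_sensitive_attachments(attachments)
    return {
        "card_numbers": cards,
        "sensitive_attachments": docs,
        "action": "block" if (cards or docs) else "allow",
    }


if __name__ == "__main__":
    # Constructed sample: one valid card number, one that fails Luhn, one renamed sensitive file.
    body = "Card 4111 1111 1111 1111 exp 12/24, ref 4111 1111 1111 1112"
    attachments = {"report.xlsx": b"CONFIDENTIAL customer list 2019"}
    print(scan_outbound(body, attachments))
    print(scan_outbound("Meeting at 3pm, call 0412 345 678", {}))
```

Real products add context (who the recipient is, whether the domain is external, how many records appear) and handle encodings and archives; the point here is that even the simple version has to validate rather than pattern-match, or finance staff will be blocked for sending an invoice reference.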

Protecting your ID credentials

To a large extent, a person's primary email account is the key to their digital identity. If someone else gains access to it, they can often use it to reset the passwords for other services.

So use a strong email password. IBM security expert Chris Hockings said that while the rule of thumb for passwords previously focused on complexity – at least eight characters, with at least one letter, one number and one special character – the new guidance is to use longer (at least 20 character) passphrases made up of several unrelated words as they are harder to crack and easier to remember.

This idea was brought to wide attention by the xkcd online comic.

But as UK-based PenTest Partners points out, passphrases aren't actually as hard to crack as they first seem. For those interested in the technicalities, we've explained this further below, but the point is, if you use passphrases, you should add some complexity (upper case, digits, special characters) just as you do with 'simple' passwords. Or you could use five or six words rather than four. Either way, that makes the password harder to remember.

A password manager (such as KeePass or LastPass) can help create long and complex passwords such as 48Zj6cgLos#jclHRSHp7PiYs27$b0Z7YYzcXAaEOIV50y6Bob*ECB&3!Ia#Hxjqn*VkZgXu!Yv!i@PnftjuWiNk*4ip1I6YfzUU#.

Perhaps more importantly, password managers save you having to remember all your passwords and passphrases. You do use a different one for each service, don't you?

The FIDO U2F security key provides two-factor authentication.

Two-factor authentication (2FA) is another thing to consider, as that makes it harder for crooks and others to access your email even if they have managed to obtain your password. In its simplest form this is the "trusted device" approach: you associate your computer, phone and tablet with your email account, and if you (or more importantly, someone else) try to log in from a different device, additional steps are taken, such as sending a security code to your known devices, or asking the security questions that were set up when you opened the account. Bear in mind that security questions are the weakest of these, as the answers are often guessable or publicly known.

Hockings suggests that you create fake answers to these questions, as the real information could be found online. For example, are you sure you've never identified your primary school, first car or favourite movie on social media? A password manager can help you keep track of the fake answers you provide, and that's another reason for making sure your password manager itself is protected by a really strong password.

Other forms of 2FA include biometrics such as fingerprints, and hardware devices such as Yubico's FIDO U2F security key (USB) and Vasco's Digipass SecureClick (Bluetooth).

How passphrases can be cracked

As we mentioned above, PenTest Partners has found that passphrases aren't actually as hard to crack as they first seem, because each word can be treated as a single symbol rather than as a collection of characters.

Estimates of the size of the average vocabulary of a native English speaker vary, but unless we made a particular effort when making up a passphrase, most of us would probably draw on the 5000 or so most common words.

If that assumption is valid, there are roughly 5000^4 possible sequences of four words drawn from a list of 5000, or about 6.25x10^14 different passphrases – a space small enough to be exhausted in hours on a GPU cracking rig if the server stored a fast, unsalted hash. That number is reduced further if you apply other rules such as "at least 20 characters", because the attacker can discard every combination that fails the rule. Conversely, if you allow four or five words there are approximately 5000^4+5000^5, or around 3.13x10^18 possibilities.

(In this context, “cracked” means finding a passphrase that matches a particular hash that's been exfiltrated from a server, not conducting a brute-force attack on a server.)

There are 95 characters that you can easily type on the US English keyboard that most of us use: 26 lower-case letters, 26 upper-case, 10 digits, space, and a bunch of punctuation and other symbols. So there are 95^10 possible 10-character passwords, which is about 6x10^19. But most people use primarily lower case in passwords, so the effective number of possibilities is quite a bit smaller.
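The arithmetic in the two paragraphs above is easy to get wrong by a factor of ten when done by hand, so here it is carried through in code. This is an added example for this article, not PenTest Partners' or IBM's material; the guess rate of 10^11 per second is an assumption (the order of magnitude a multi-GPU rig reaches against a fast, unsalted hash such as MD5; a slow hash such as bcrypt cuts that by several orders of magnitude), and the small word list used by the generator is constructed, standing in for a real list of several thousand words.

```python
import math
import secrets

# Assumption: guesses per second against a fast, unsalted hash on a multi-GPU rig.
FAST_HASH_RATE = 1e11


def search_space(symbols: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols drawn from `symbols` choices."""
    return symbols ** length


def passphrase_space(vocabulary: int, min_words: int, max_words: int) -> int:
    """Total passphrases when the attacker must try every length from min_words to max_words."""
    return sum(vocabulary ** n for n in range(min_words, max_words + 1))


def bits(space: int) -> float:
    """Entropy in bits, the usual way of comparing unlike schemes."""
    return math.log2(space)


def hours_to_exhaust(space: int, rate: float = FAST_HASH_RATE) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return space / rate / 3600


def compare_schemes() -> dict:
    """The article's three scenarios, plus a six-word passphrase for contrast."""
    scenarios = {
        "4 words from 5000": passphrase_space(5000, 4, 4),
        "4 or 5 words from 5000": passphrase_space(5000, 4, 5),
        "4 to 6 words from 5000": passphrase_space(5000, 4, 6),
        "10 chars from 95 printable": search_space(95, 10),
        "10 chars lower-case only": search_space(26, 10),
    }
    return {
        name: {"space": space, "bits": round(bits(space), 1), "hours": hours_to_exhaust(space)}
        for name, space in scenarios.items()
    }


# Constructed stand-in for a real word list; entropy scales with len(wordlist), so use thousands.
WORDLIST = ["correct", "horse", "battery", "staple", "kettle", "orbit", "velvet", "canyon"]


def generate_passphrase(wordlist: list, words: int, separator: str = " ") -> str:
    """Pick words with the CSPRNG, never random.choice, so the phrase is as strong as the arithmetic says."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:28s} {row['bits']:5.1f} bits  {row['hours']:>14.1f} h at 1e11/s")
    print("example:", generate_passphrase(WORDLIST, 6))
```

Two things the table makes obvious that the prose does not: an attacker who knows you used exactly four words has a job roughly 5000 times smaller than one who must also try five, and a lower-case-only 10-character password (about 47 bits) is weaker than the four-word passphrase it is often compared against.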

Copyright © BIT (Business IT). All rights reserved.
