The 6 biggest email security risks for enterprises

This blog has been updated January 2023 and continues our cyber security user awareness campaign, all of which can be viewed here:

1. How to fight fraud with security intelligence
2. The 6 biggest email security risks for enterprises
3. Security is not privacy: ways to keep personal data secure
4. Building a mobile threat defense for your enterprise devices
5. How to cut security risks for remote workers
6. 10 surprising security risks in your office
7. Do you know all types of internet security threats?
8. Steps of a successful cyber security user awareness program
9. How to reduce security risks in the future

Protecting confidential information is absolutely essential to every organization – but it is especially essential to those that conduct a large amount of their business online. While securing information requires software - such as firewalls, antiviruses, and similar security software - a great security plan starts with employee involvement.

When employees are aware of security threats and their role in squashing them, they’ll create a human firewall that guards against the increasing number of threats in today’s business environment. If businesses don’t build this human firewall, they’re not just missing an opportunity to secure their workforce but they are also opening their organization up to a great number of threats.

To help your organization get started, here is a list of six email security threats to be aware of and additional guidance to help your employees confront them.

1. Chain mail

Chain mail, also known as chain letters, can take on a lot of different forms. Most of us are familiar with strange emails that claim you’ll have seven years of bad luck if you don’t forward it to everyone you know, but some chain emails are more nefarious.

For instance, the original sender of the email could pose as someone in your IT team and claim that they’re clearing out unused software licenses. If you don’t reply to the email and send it to every active member of the organization, the email will claim that your email account or entire Office 365 license will be terminated. Users will assume it’s better to be safe than sorry and forward it to everyone on their team. Before you know it, the original sender of the email has collected every active email in your organization, as well as a list of potentially gullible targets for future attacks.

These attacks can get even more dangerous – for example, asking employees to donate money to a sick coworker when that coworker is unaware of any charity drive, creating a scheme for them to steal hundreds or even thousands of dollars from your employees. As well, they could ask employees to download a file that has malware inside which could compromise employees across the organization. To prevent these threats, let employees know what chain mail often looks like and make sure they know that your team will never do a “roll call” over email to decide which licenses to keep.

2. Phishing

Many employees don’t think they are vulnerable to phishing, but this false sense of security is exactly why phishing is so dangerous. In reality, a third of all breaches in 2019 involved phishing, and 78 percent of all cyber-espionage attacks are phishing related. Even government officials have fallen for phishing attacks! Consequently, it’s worth considering that your workforce is just as, if not more, vulnerable than your contemporaries.

An example of a phishing attack is an email from “Microsoft” asking employees to confirm their Office 365 login because of a recent breach. These emails can look extremely convincing at a glance, but if an employee checks the sender’s information, they will often see a strange email like 'support @ microsoftsupport.com' – clearly not an email that Microsoft would use for official correspondence. The IT team should ensure employees are always checking a sender’s email and never submitting their password in response to a “confirmation” email without express permission from IT.

3. Spear phishing

Spear phishing is a more sophisticated form of phishing. A hacker will study an individual that they’ve identified as high value and/or a security risk, and prior to sending the phishing email they will call that person directly on a work-related topic and make them expect to receive an email or invitation. This will try to trick that individual into giving away confidential information, sending money, or downloading malware. These emails are even more dangerous than regular phishing attacks because the person feels as if the phisher actually knows them.

Preventing spear phishing is similar to preventing phishing. Make sure that employees are checking the sender’s information, and never download files or follow links coming from an unfamiliar “personal” account. If they are unsure, they should either reach out to the purported sender using their official company email or contact IT directly for further guidance.

4. Spoofing

Spoofing is used to deceive a phone, email, or internet user into thinking they are communicating with a known or trusted source. For example, many scam calls will spoof a phone number of someone in your organization (such as a supervisor or IT team member) instead of having the scammer use their actual number. This can be used to obtain important company information or even money from employees and is often utilized as a middle-point leading to a bigger attack, such as vishing (see below).

The first step to thwarting a spoofing attempt is by informing your employees that this practice is very common. If they get a suspicious call from someone using a familiar number, they should try to end the call as soon as possible and forward information about the call to IT so they can alert other members of the organization. If they’re not sure if the caller is legitimate or not, employees should offer to call them back since spoofing is one-way. So long as the employee is making the phone call to a familiar phone number, they won’t end up with a scammer on the other line. From there, they can confirm the identity of the caller.

5. Vishing

Vishing is similar to phishing, but it takes place over voice channels like telephone, voicemail, or even video conferencing platforms. The goal of these calls is typically to convince users to surrender money or private information by spoofing phone numbers and pretending to be a supervisor or client.

For example, you may receive a spoofed phone call from a service provider claiming your account has been compromised and you need to speak with a representative. When you speak with the representative regarding your account, they’ll ask for logins, money, bank info, and more – they’ll often try to get as much information or resources from you as possible.

To prepare for a vishing attempt, IT teams should reassure employees that these calls are often designed to make you panic, and that a real representative that needed this information would likely be patient and willing to work through this with a member of the IT team. Employees should always ask for a moment to stop and think if a call seems fishy or threatening. If an employee gets a suspicious call such as this, they should inform the caller that IT usually handles these calls and forward the call to IT for further evaluation.

6. Malicious attachments

Although many email services offer inherent virus scanning capabilities, malicious attachments are still a danger for many businesses. Scammers often will send an innocuous email with an attachment to your employees, perhaps as part of a phishing attempt, and encourage employees to download the file. By playing off of fear and/or curiosity, these scammers are able to convince workers to download compromised files that will release malware if the document is downloaded or opened.

There are two primary ways to protect your employees from malicious attachments: prevention and protection. Ask users not to download strange documents, even if they are curious or threatened. However, prepare for employees to slip up on occasion by ensuring that all devices and servers are equipped with a quality antivirus that can flag and destroy malware from malicious attachments.