Con-man Marc Dreier is currently doing 20 years for selling fictitious promissory notes worth about $700 million. One of his methods was to meet the victim in a conference room of the firm whose name was on the bogus notes. He was able to do that because there was always someone polite enough to let him in.
So he sat there, wearing a suit, saying the right words inside the right building. Potential buyers believed him, and suffered huge losses—because of someone’s lapse in fundamental security awareness.
An equally simple lapse in email security awareness could lead to staggering damages. Yes, email can be a threat to daily productivity, but it can also be a gap in your enterprise’s defenses. Those defenses are founded on the security practices of the users, and here are five fundamental email practices to start with.
1. Watch your replies
Of course you know better than to reply to spam: the reply confirms to the spammer that the address is live and that someone reads it. Reply All is more insidious, since every recipient sees every address on the list. That may be all right as long as the thread stays inside the organization, but if anyone adds an outside address the whole list goes with it, and to the wrong person those addresses are gold.
An alternative is Bcc, or Blind Carbon Copy. Addresses placed in Bcc still receive the message, but they never appear in the headers the recipients see: each Bcc recipient sees only the To and Cc lines, not the other Bcc recipients.
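What "blind" actually means at the wire level is that the Bcc addresses go into the SMTP envelope (the RCPT TO commands) and are stripped from the message headers before the bytes leave the client. The following added example, written for this page and not Sendio's code, shows that separation with Python's standard email module; the addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender, to, cc, bcc, subject, body):
    """Compose a message with To, Cc and Bcc. The Bcc header lives on the
    object only until the envelope is computed; it must never be sent."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Every address the mail server must deliver to, Bcc included.
    This list becomes the RCPT TO commands; it is not part of the message."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    return [addr for _, addr in getaddresses(fields) if addr]


def prepare_for_send(msg):
    """Return (envelope recipients, bytes to put on the wire).

    The Bcc header is deleted from the serialized message, so a recipient
    who reads the raw headers learns the To and Cc lists but not who was Bcc'd.
    """
    rcpts = envelope_recipients(msg)
    del msg["Bcc"]  # no-op if there was no Bcc header
    return rcpts, msg.as_bytes()


if __name__ == "__main__":
    # Constructed sample addresses.
    m = build_message("alice@example.com", ["bob@example.com"],
                      ["carol@example.com"], ["dave@example.net"],
                      "Q3 numbers", "See the attached summary.")
    rcpts, wire = prepare_for_send(m)
    print(rcpts)          # all four addresses, Bcc included
    print(wire.decode())  # headers contain To and Cc only
```

The standard library's smtplib.SMTP.send_message does this same stripping for you (it removes Bcc and Resent-Bcc headers and uses them only as envelope recipients); the danger is in clients or scripts that build the recipient list by hand and forget to delete the header.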
2. Don’t assume that phishing is easy to spot
Spam involving money scams has moved well beyond the old "Nigerian millionaire" come-on and similar ploys and has evolved into phishing: email that impersonates a party the recipient trusts, and increasingly carries enough accurate information about the recipient to lull even reasonably suspicious office workers into taking action, the wrong action.
They may laugh off email from government officials in countries they’ve barely heard of who inexplicably need help moving large sums out of their country. But what about emails from a traveling executive overseas who suddenly needs cash?
These days astonishing amounts of information about an organization can be found online, and this information can be fleshed out with a few innocent-sounding phone calls. Establishing which executive is traveling, where, and why, is a straightforward puzzle for a hacker to solve, and suddenly the executive’s staff may get alarming—and plausible—emails demanding money.
Carefully crafted and precisely targeted phishing is called “spear phishing.” Remember, if it didn’t work, the hackers wouldn’t be doing it.
3. Don’t open attachments from strangers
This rule may seem easy to follow—until the arrival of an urgent notice from a shipping firm saying an attached form must be filled out and returned immediately or a mystery package will be stuck in a customs warehouse in Hong Kong indefinitely. Opening the attachment out of curiosity would be human nature—and what the hackers want.
A malware infection is likely to follow, because the attachment, not the form, is the point of the email. Scammers keep upping their game, and phishing gets more and more insidious.
If it were a link, hovering the pointer over it would reveal the real URL, and the link could be skipped if its domain bore no resemblance to the purported sender's. With an attachment there is no URL to check, and the scammers know that. The file name is the only clue, and an executable dressed up as a document (for instance a double extension such as form.pdf.exe) is a giveaway.
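The two checks described in this section and the previous one, comparing a link's visible text and the sender's domain against where the link really goes, and looking at what an attachment actually is, can be done mechanically on the raw message. The following added example (written for this page, not Sendio's code) runs both over a constructed "customs notice" and over a constructed clean message. It assumes no public-suffix list and approximates the registrable domain by the last two DNS labels, which is good enough for the illustration but not for production filtering.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: link text claims dhl.com, href goes elsewhere,
# and the "form" is an executable behind a double extension.
PHISH = b"""From: "DHL Customs" <notice@dhl-parcel-alerts.example>
To: staff@example.com
Subject: Package held in Hong Kong - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/html; charset="utf-8"

<p>Your parcel is held at customs. Complete the form within 24 hours:</p>
<p><a href="http://dhl.com.track-id-9921.example/form">https://www.dhl.com/track</a></p>
--B
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Customs_Form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B--
"""

# Constructed benign sample: link domain matches the sender, no attachment.
CLEAN = b"""From: payroll@example.com
To: staff@example.com
Subject: Updated HR forms
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>The new forms are on the intranet: <a href="https://hr.example.com/forms">HR forms</a></p>
"""

# Extensions that run code when opened (assumption: a short illustrative list).
DANGEROUS_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                 "hta", "jar", "lnk", "docm", "xlsm"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Assumption: last two labels stand in for a real public-suffix lookup.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(url_or_host):
    url = url_or_host if "://" in url_or_host else "http://" + url_or_host
    return registrable_domain(urlparse(url).hostname or "")


def analyze(raw_bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    sender_domain = registrable_domain(parseaddr(msg["From"])[1].split("@")[-1])
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkExtractor()
            parser.feed(part.get_content())
            for href, text in parser.links:
                href_dom = domain_of(href)
                # Visible text that looks like a URL but points somewhere else.
                if "." in text and domain_of(text) != href_dom:
                    findings.append(f"link text shows {domain_of(text)} but href goes to {href_dom}")
                if href_dom != sender_domain:
                    findings.append(f"link domain {href_dom} differs from sender domain {sender_domain}")
        name = part.get_filename()
        if name:
            pieces = name.lower().split(".")
            if pieces[-1] in DANGEROUS_EXT:
                findings.append(f"attachment {name} is an executable type (.{pieces[-1]})")
                if len(pieces) > 2:
                    findings.append(f"attachment {name} uses a double extension to pose as .{pieces[-2]}")
    return findings


if __name__ == "__main__":
    for line in analyze(PHISH):
        print("PHISH:", line)
    print("CLEAN:", analyze(CLEAN))
```

Real mail gateways do the same kind of comparison with a proper public-suffix list, file-type detection by content rather than by name, and reputation data on the link domain; the point here is that the hover check a user does by hand is a comparison of domains, and an attachment's name can be checked the same way.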
4. Keep things separate
Have separate email accounts for office use and for home use, and use different passwords for them.
Make sure the passwords are strong: not dictionary words or predictable patterns, and long. Length does more for you than a sprinkling of numbers and special characters bolted onto a short word, and a password manager makes long, unique passwords practical.
Better yet, for social media, online gaming, and any other online activities outside the office, make sure those accounts have passwords that do not even remotely resemble the passwords of office accounts. Attackers who obtain a leaked password list try not only the exact passwords but the obvious variations of them (a bumped year, a changed capital, an added "!") against other services, a technique known as credential stuffing. That way, if a hacker steals the password database of a fantasy sports service, neither an office password nor an easy variation of one will be on the list.
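To make "do not even remotely resemble" concrete, the added example below (written for this page, not Sendio's code) applies the kind of mangling rules a credential-stuffing attacker uses in reverse: it reduces each password to the word the rules started from and reports which office accounts could be reached from a leaked list. The leak list and account passwords are constructed, and the rule set (case, leading and trailing digits or symbols, common leet substitutions) is a deliberately small illustrative subset.

```python
import re

# Undo the most common "leet" substitutions. Assumption: a small illustrative map.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def core(password):
    """Strip a password down to the base word an attacker's rules build on:
    lowercase, drop leading/trailing digits and symbols, undo leet spellings."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)


def is_trivial_variant(candidate, leaked):
    """True if `candidate` equals `leaked` or differs only by the rules above."""
    if candidate == leaked:
        return True
    c, l = core(candidate), core(leaked)
    if not c or not l:
        return False
    # Identical base word, or one long base word contained in the other
    # (e.g. "griffins" inside "griffinsfan"); short cores would match too freely.
    return c == l or (min(len(c), len(l)) >= 6 and (c in l or l in c))


def exposed_accounts(office_passwords, breached):
    """Map each office account to the leaked password it could be derived from."""
    hits = {}
    for account, pw in office_passwords.items():
        for leaked in breached:
            if is_trivial_variant(pw, leaked):
                hits[account] = leaked
                break
    return hits


if __name__ == "__main__":
    # Constructed sample: a leak from a fantasy sports site and two office accounts.
    leaked_list = ["Gr1ffins2019!", "qwerty123", "P@ssw0rd"]
    office = {"vpn": "Griffins2024!", "email": "T4ngerine-Quartz-9"}
    print(exposed_accounts(office, leaked_list))
```

The vpn password in the sample looks different from the leaked one to a human, yet it falls to the second or third guess of any rule-based cracker; the email password shares no base word with anything in the leak and survives.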
5. Don’t relax outside the office
A given office may have an admirable email security system. But when logging in through public Wi-Fi at a coffee shop, hotel, or airport lobby, that system is no help against the network itself: someone on the same network with sniffer software can watch any traffic that is not encrypted, and a malicious hotspot can impersonate the real one. It is better not to log into a business account from such places; if it cannot be avoided, use the company VPN and make sure the mail client connects only over TLS. Even without software, there is "shoulder surfing," someone simply watching your screen or keyboard.
With the right email security software solution, the consequences of user lapses become less dire. For an environment that merges the latest technologies with human factors, give Sendio a try. You can request a demo to see just how effective it can be in keeping your organization safe.