Simple Tips for Improving Email Security
The risk of email compromise is constant, and attackers are more efficient than ever at finding ways to break into accounts. The two most common threats are:
A) Attackers obtain credentials by compromising another system or website, then use those credentials to access an email account that was protected with the same password.
B) Attackers compromise someone else’s account and use it to send malicious email from a sender you already know. This makes it much easier to trick you into trusting the message and becoming compromised yourself.
Protecting yourself is made harder by the fact that email is not a secure form of messaging. Anyone can put a letter into a post box with a different return address to make it look like it came from someone else. In the same way, an email can be sent with any “From” address to impersonate someone who had nothing to do with it. Sender-authentication standards (SPF, DKIM and DMARC) let receiving mail servers detect some of this, but many domains do not publish or enforce them, so a familiar From address is not proof of who sent a message.
There is a LOT that can go into an effective defense against email compromise involving technical protections, policies and procedures, and ongoing education. Many of these measures involve additional expense or effort that may or may not be feasible. However, at a minimum, we would recommend communicating the following guidelines throughout your organization a few times per year:
Ensure that the password for your email account is a completely unique password that is not and has never been used for anything else.
It is ideal to set a unique password for every login by using a password manager. At a minimum, any password used to access email, financial accounts, or sensitive information should be unique and not reused for any other login.
The most important factor in password strength, aside from uniqueness, is length, even when the longer password is made of simpler parts. For example, “tractor,goody,intended” (22 characters) is stronger against brute-force guessing than “f7;G,{76” (8 characters), and it is also easier to remember and type. This holds as long as the words are picked at random rather than taken from a quotation, song lyric or other phrase that appears in attackers’ wordlists. A long password / passphrase means a minimum of 14 characters, but the longer the better.
Avoid easily guessable passwords. It is very common for passwords to be built from the company name, the word “password”, the current year, or the current season or holiday. For example, Winter2019! is a very popular one right now and should be avoided; patterns like this are the first guesses attackers try when spraying passwords across an organization. One trick that can help is to combine unusual words from recent personal events or objects around your office or home, provided those details are not visible on social media or otherwise easy for an outsider to learn. For example, an employee who just had a baby might find it easy to remember something like HospitalbED@room236*
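To make the length-versus-complexity argument and the “guessable pattern” list above concrete, here is a small added example (not a tool from the original page) that checks a candidate password against the page’s rules and estimates the guessing work an attacker faces. The 95-character printable-ASCII alphabet, the 7776-word list size and the organisation word list are assumptions chosen for illustration.

```python
import math
import re

# Added example for this page; not the author's tool. All constants below are assumptions.
MIN_LENGTH = 14                 # the page's minimum length for a passphrase
PRINTABLE_ALPHABET = 95         # assumption: printable ASCII characters
WORDLIST_SIZE = 7776            # assumption: a Diceware-sized word list
ORG_WORDS = ("examplecorp",)    # constructed: words specific to the organisation
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
HOLIDAYS = ("christmas", "easter", "thanksgiving", "newyear")


def guessable_patterns(password: str) -> list[str]:
    """Return a description of every weak pattern the page warns about that appears in the password."""
    p = password.lower()
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if "password" in p:
        findings.append("contains 'password'")
    if any(w in p for w in ORG_WORDS):
        findings.append("contains the organisation's name")
    if any(s in p for s in SEASONS):
        findings.append("contains a season")
    if any(h in p for h in HOLIDAYS):
        findings.append("contains a holiday")
    if re.search(r"(19|20)\d\d", p):   # any four-digit year 1900-2099
        findings.append("contains a year")
    return findings


def bits_if_random_characters(password: str) -> float:
    """Guessing work (in bits) if the attacker must try every printable string of this length."""
    return len(password) * math.log2(PRINTABLE_ALPHABET)


def bits_if_known_wordlist(passphrase: str) -> float:
    """Guessing work if the attacker knows the words were drawn at random from a WORDLIST_SIZE list.

    This is the pessimistic case the text's caveat is about: length no longer helps,
    only the number of words does."""
    words = [w for w in re.split(r"[^a-z]+", passphrase.lower()) if w]
    return len(words) * math.log2(WORDLIST_SIZE)


if __name__ == "__main__":
    for candidate in ("Winter2019!", "f7;G,{76", "tractor,goody,intended", "HospitalbED@room236*"):
        print(f"{candidate!r}: patterns={guessable_patterns(candidate)}, "
              f"brute-force bits={bits_if_random_characters(candidate):.0f}")
    print(f"three-word passphrase if the wordlist is known: "
          f"{bits_if_known_wordlist('tractor,goody,intended'):.0f} bits")
```

Run against the page’s own examples, the 22-character passphrase costs a brute-force attacker about 145 bits of work versus about 53 bits for the 8-character random string, which is the page’s point. The last function shows the caveat: if an attacker knows a passphrase is three words from a common list, the work drops to about 39 bits, so add words (or pick them from a larger vocabulary) rather than relying on length alone.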
If you receive an email that you did not expect prompting you to download a document, log in to an account, provide information, or transfer money, call or text the sender at a number you already have (not one given in the email) to verify it before acting on it. If the notification appears to come from a service such as your bank or credit card company, open a web browser and log in to that service directly to see whether the message is there, without clicking any link in the email. Do not reply to the email until it has been vetted: if the email is malicious, the reply goes to the attacker and cannot be trusted.
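The points above that a From address proves nothing and that a reply to a malicious message goes to the attacker can be checked in the message headers. The following added example (not code from the original page) triages a raw message the way a reviewer would: it compares the From domain with the Reply-To and Return-Path domains and reads the SPF, DKIM and DMARC results from the Authentication-Results header. Both messages, the domains and the relay name are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): claims to come from a known colleague,
# but the Reply-To and envelope sender point elsewhere and sender authentication failed.
SUSPICIOUS_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
Reply-To: jane.doe@example-com-mail.net
To: bob@example.com
Subject: Urgent: wire transfer before 5pm

Bob, please process the attached invoice today. Reply to confirm.
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_MESSAGE = """\
Return-Path: <jane.doe@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Are you free Thursday?
"""


def _domain(header_value: str) -> tuple[str, str]:
    """Return (address, domain) parsed from a From/Reply-To/Return-Path style header."""
    _name, addr = parseaddr(header_value or "")
    return addr, addr.rpartition("@")[2].lower()


def triage_headers(raw_message: str) -> list[str]:
    """Return the reasons a message deserves manual review; an empty list means no red flags found."""
    msg = message_from_string(raw_message)
    findings = []
    _from_addr, from_domain = _domain(msg.get("From"))

    # A reply will go to Reply-To if present, so a different domain is a red flag.
    reply_addr, reply_domain = _domain(msg.get("Reply-To"))
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Return-Path is the envelope sender the relay actually used; it often exposes spoofing.
    rp_addr, rp_domain = _domain(msg.get("Return-Path"))
    if rp_addr and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # Results recorded by the receiving server; anything other than 'pass' is worth a look.
    auth = (msg.get("Authentication-Results") or "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        result = match.group(1) if match else "missing"
        if result != "pass":
            findings.append(f"{mechanism} result is {result}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", triage_headers(raw) or ["no red flags"])
```

Two caveats when using this on real mail: Authentication-Results headers are only meaningful when added by your own receiving server (a sender can include forged ones, so check the server name in the header and make sure your MX strips any it did not add), and a message with no findings can still be malicious if the sender’s real account was compromised, which is exactly threat B above. The header check supplements the phone call; it does not replace it.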
If you receive a suspicious email that you would like reviewed, please forward it to [email protected] and we will analyze it as soon as we are able. If you suspect your account has been compromised, please email [email protected] and call 612-424-2063.
There is much more that can be said on this topic, but these relatively simple steps can go a long way towards reducing the risk of a damaging and embarrassing email compromise. Many additional measures and protections are available, if you’d like to discuss email security in further depth please don’t hesitate to contact us!