


While measures such as strong passwords, encryption, and secure remote access will help mitigate the chances of a breach, strong email security also includes active measures taken by the end user.

Email continues to be one of the most heavily attacked entry points for bad actors seeking access to a firm’s sensitive data. High frequency of use, the ability to log in from multiple devices, the ability to include attachments and links, the method of user verification, and the constant pressure to clear inbox clutter are just some of the reasons email is the path of least resistance for a breach. A common way for bad actors to gain access through email is a phishing attack. According to cybersecurity company Proofpoint, in 2022 direct financial loss from successful phishing attacks increased by 76%, and bad actors used a major technology company’s branding or products in over 30 million malicious messages (Proofpoint, 2023).

In a phishing attack, emails sent to a victim’s inbox appear to come from an authentic, known contact and often carry a call to action with a time constraint, coercing the victim into acting immediately without stopping to consider whether the email is legitimate. This is frequently done by including a malicious link in the email that, once clicked, gives the attacker access to the victim’s email account and possibly the firm’s network. In the corporate context, these malicious emails are sent by a bad actor impersonating a person of authority, such as a manager or company executive, asking for sensitive information, or impersonating a client or vendor with an urgent funds transfer request to a fraudulent bank account.

To best protect yourself and your firm from email breaches, and phishing in particular, the following tips can help reduce the chances of a breach through business email and of a subsequent insurance claim.

Employee Education and Training

Firms should implement cyber security training for employees as part of onboarding and periodically throughout the year as new threats emerge. Training should cover how to identify an email that appears to be a phishing attempt, whom to notify if an employee suspects they have been targeted, and how to safely dispose of the fraudulent email.

Filter Out Malicious Emails

Firms can place a mail proxy server in front of their email hosting provider to filter out and block malicious emails before they reach employees’ inboxes, and to block websites that have been flagged as potentially hosting malware. Additionally, email hosting providers should give users the option to flag an email as a phishing attempt, which helps your firm’s IT department update its list of known threats and take appropriate measures to protect the firm from future attacks.
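To make the two preceding points concrete, here is an added example (not from the original article and not a product of Purves Redmond) of the kind of heuristic checks a filtering proxy, or the triage step behind a “report phishing” button, can run on an inbound message: a display name that claims to be from the firm while the address is external, a Reply-To that redirects replies elsewhere, urgency language, and links whose visible text does not match where they actually point. The trusted-domain list, the sample messages and the urgency word list are all constructed for this example.

```python
"""Heuristic phishing triage for inbound mail (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the firm's own sending domains. Mail from these is not
# checked for display-name impersonation.
TRUSTED_DOMAINS = {"example-firm.com"}

# Constructed: time-pressure / payment wording often paired with phishing.
URGENCY = re.compile(
    r"\b(urgent|immediately|within (?:the )?(?:next )?\d+ hours?|wire|"
    r"account will be (?:closed|suspended))\b", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1 (last two labels). Good enough for the sample data;
    production code should consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def body_text(msg):
    """Return the first text/html or text/plain part, decoded."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def score_message(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name invokes the firm's name but the address is external.
    if sender_domain and sender_domain not in trusted:
        squashed_name = re.sub(r"[^a-z0-9]", "", name.lower())
        for d in trusted:
            label = re.sub(r"[^a-z0-9]", "", d.split(".")[0])
            if label and label in squashed_name:
                findings.append(f"display name references {d} but sender is {sender_domain}")

    # 2. Reply-To steers replies to a different domain than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rsplit("@", 1)[-1].lower() if "@" in reply else ""
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 3. Urgency or payment pressure in subject or body.
    text = body_text(msg)
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(text):
        findings.append("urgency / time-pressure language")

    # 4. Link text shows one domain while the href points at another.
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        target = registrable(urlparse(href).hostname or "")
        m = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", shown.lower())
        if m and registrable(m.group(1)) != target:
            findings.append(f"link text shows {m.group(1)} but points to {target}")
    return findings


# Constructed sample messages.
PHISH = """From: "Jane Doe, CEO (Example Firm)" <ceo-office@mail-notify.example.net>
Reply-To: payments@collections.example.org
To: ap@example-firm.com
Subject: URGENT: vendor payment before 5pm
Content-Type: text/html; charset=utf-8

<p>Please process the wire immediately. Confirm details at
<a href="http://example-firm.com.login-portal.example.net/verify">https://portal.example-firm.com/verify</a></p>
"""

LEGIT = """From: "Accounts Payable" <ap@example-firm.com>
To: staff@example-firm.com
Subject: Q3 expense reports due
Content-Type: text/plain; charset=utf-8

Reminder: expense reports are due at month end. Submit via the usual portal.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(sample))
```

Each check alone produces false positives (a genuine vendor can be in a hurry), so a proxy would normally quarantine or tag a message only when several findings coincide, and feed user-reported messages back into the trusted-domain and wording lists.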

Social Engineering Fraud Insurance (SEF)

Whether as part of a cyber insurance or crime insurance policy, firms should look to purchase SEF coverage in case of a breach through a phishing attack that causes the firm a monetary loss. Firms looking to purchase this type of coverage should have robust vendor verification procedures in place, as well as multi-factor authentication (see Strengthen Your Digital Defense with an Extra Layer of Security, Purves Redmond Limited). It is important to note that bad actors do not discriminate between large multinational firms and local small businesses. Every firm should treat cyber security as a top priority, regardless of its size, geographic location, or industry.


For more information on Email Security, contact:

Chris de Sousa Costa, MBA // 647.242.7469 // cdesousacosta@purvesredmond.com

Works Cited

Proofpoint. (2023). 2023 State of the Phish threat report. Retrieved from Proofpoint: https://www.proofpoint.com/us/resources/threat-reports/state-of-phish?utm_source=google&utm_medium=cpc&gad=1&gclid=EAIaIQobChMIpPWI0dr3_wIVFRN9Ch3jXwCaEAAYAiAAEgIV-PD_BwE&gclsrc=aw.ds