Here are our key tips to improving your email security. Read on below to have a better grasp of email threats and how to minimise your risk.
- Be sceptical of all email. Pay careful attention whenever dealing with an email that contains links or attachments.
- Look for specific information that identifies you or your relationship with the sender. Generic, unspecific info is an indicator the email is not real. It also suggests the email is not urgent, even if real.
- Hover over links to check their destination. Check every link in an email, sophisticated attacks will use a mix of legitimate and fake web addresses. If possible, try to search for the link in your web browser without clicking on it. E.g. access your online accounts as you normally do, don’t click on the link to login.
- Avoid opening attachments. Only open attachments when an email contains unique and detailed information to you, and when you’re expecting the attachment. Alternatively, use secure file sharing services with known contacts wherever possible.
- Verify details independently. Don’t click any links. Open your web browser separately, search email addresses, website addresses & phone numbers to confirm they are real. Look to your existing address book, work address book or ask a colleague. Don’t rely on any details within the suspicious email.
- Check for grammar and spelling issues. They are clear indicators of malicious emails. Particularly if the email is supposedly coming from a business or other organisation.
- Never send a read receipt (this request may pop-up after reading an email).
- Never share financial details over email, particularly credit card information. You cannot ensure the recipient has adequate account security, or whether the financial details will be forwarded again.
What are malicious emails trying to do?
Most malicious emails are trying to obtain personal or financial information, to either steal money or gain access to your online accounts. Malicious emails are typically part of a phishing or malware attack.
To take your sensitive information, malicious emails will generally ask you to make an action. Often these actions will be: respond, click a link, open an attachment or send a read receipt. The email may try to trick you into doing these actions, by teasing that more information can be found by opening an attachment or clicking a link. It’s crucial to remain vigilant in these scenarios.
Unfortunately, even the best email filtering software will see occasional spam or malicious email reach your inbox. Making email security awareness necessary.
Steps to safely using email
1. Treat all email with suspicion
It’s best to be suspicious of all email. Make the contents of each email prove that it is legitimate. Look for information you’ve only shared in-person or over the phone. Look for someone carrying-on a conversation from outside the email.
Generic content, like “Dear client” or a non-specific email title such as, “Please check this document”, are clear warning signs of a scam email.
Often, these scams will either have no formal greeting, or will use the first part of your email address. Instead of your actual name or nickname, e.g. ‘Dear william.smith’ instead of ‘Dear Bill’, where the email address is firstname.lastname@example.org.
Always be suspicious of emails requesting a payment, asking you to click a link or referring to an attachment for more information. Whenever you see an email requesting an action, it’s good to work out why before you click or open anything. Don’t send read receipts when requested.
2. Scan email for unique & identifiable information.
Break the email down into elements. Check that each element meets your expectations.
- Sender name and email address
Look for a correct first and last name. Check that the email address domain name is correct, e.g. ‘email@example.com‘, not something like, ‘firstname.lastname@example.org’.
- Grammar, spelling & layout
- Hover over links
Check all links in an email, not just one or two. Hover your mouse over the link to see a preview of the destination. Do not click the links (otherwise close them immediately).
- Check the branding is accurate, up-to-date
In a separate window, go to the website of the sender. Check the logo and branding match.
Email scams generally rely on assumptions, playing on your presumed knowledge. They also want to leave you second-guessing yourself, as if the email is bringing you important information that you’ve somehow missed. It’s in this moment that you may let your guard down, by interacting with a dangerous email to try and find out more information.
3. Verify the email information using external information that you trust.
Confirm information from sources outside your email service. Check email addresses and other details using your contact address book or other external app. Go to the sender’s website (type it into your browser, don’t click a link) and check contact details there.
The best and quickest way to confirm an email? Call the contact using a phone number you already had in your existing contacts list. Don’t call any of the numbers in the email.
4. Never share financial details over email. That includes credit card and banking details.
Don’t. Ever. You never know who will receive the email, where it may be forwarded, if it will be deleted, if it will be deleted permanently, if it can be recovered or accessed by an unknown third party.
Sharing credit card details over the internet is like sharing anything over the open internet; once entered in, you can never reliably be sure it has been removed.
5. Minimise your use of email
If you expect to have regular, on-going correspondence with a contact, consider using a dedicated platform.
There are any number of platforms which are more secure and reliable for sharing information. Furthermore, they work with users external to your organisation. Consider: Microsoft Teams, Skype for Business, Slack, Planner, Trello, Google Hangouts & more. Microsoft Teams and Skype for Business are particularly attractive options because they’re included in Office 365 subscriptions at no extra cost.
Each platform will have their positives and negatives, but all offer a richer and more secure experience than email.
6. Think of scammers as intelligent
You probably have an idea of cyber criminals in your head. Considering the number of scam emails with poor spelling, grammar and formatting, you’d be forgiven for thinking they’re not bright.
But scam emails can make thousands, if not millions of dollars. Individual email scams can form part of larger, much more sophisticated attacks.
Social engineering attacks have demonstrated that criminals are willing to go to extreme lengths to steal a payday. Even going so far as to risk themselves being exposed. And they’re willing to do this over a period of months, if not years.
All it takes is a string of tiny interactions, to confirm internal business knowledge, to build a plausible story. Then, they email you when you’re least suspecting, like late on a Friday, with an urgent request for money or commercial information.
It sounds dramatic, but it does happen, and it happens to Australian law firms and businesses.
Improve your account security
For more information on improving your account security, see the related articles below.