Common Email Security Risks
Email allows you to open up your business to new and exciting markets, but it also makes you a target for hackers, spammers, and other bad actors. And while spam is annoying, it can be more than that. If the wrong spam email gets through and you click on a link, your company’s sensitive information, including customer’s financial information, could be compromised.
Outside forces aren’t the only problem. Employees can endanger your company’s email security as well, even when they don’t intend to do so. There are threats coming from all directions, and knowing about them will make you better equipped to fight back.
Phishing and Spoofing
You may have heard the term phishing before. In phishing, someone sends an email that may look perfectly above board to the casual eye. However, the email is actually from a scammer who hopes you’ll give them sensitive information, including passwords and/or financial information.
What is phishing and how does it work?
Here’s an overview of the types and components of phishing attacks:
- Phishing
As an example of this, imagine you get an email that looks like it’s from FedEx. But clicking a link in the email sends you to a fake FedEx website that prompts you to enter sensitive personal information to access a tracking number.
- Spear phishing
Spear phishing involves would-be scammers making more targeted attacks. For instance, they might look company employees up on sites like LinkedIn so they can make their emails sound like a coworker. Their goal is to make sure their target doesn’t question anything when they ask them to do something like click a link and change their password.
- Spoofing
Spoofing is typically a component of phishing. When someone spoofs an email or website, they’ll make one very small change and hope you don’t notice. For instance, let’s say someone is trying to imitate northwestregisteredagent.com. They might direct you to a URL that’s actually “northwestregisteredaagent.com” and hope you don’t pick up on the extra “a.”
Those are just the basics, but it’s a good starting point as you move forward with securing your email.
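The lookalike-domain trick above is one a mail gateway or a quick script can catch automatically. The following is an added example (not code from the page or from any vendor): it compares the sender domain of a From: header against a constructed allowlist of trusted domains and flags anything within two character edits as a lookalike, which covers the extra-letter case in the text as well as swapped letters or a changed top-level domain.

```python
from email.utils import parseaddr

# Constructed sample allowlist: domains this organisation considers its own
# or regularly does business with.
TRUSTED_DOMAINS = {"northwestregisteredagent.com", "fedex.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character insertions, deletions or
    substitutions turn string a into string b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain part out of a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, max_edits: int = 2) -> str:
    """Return 'trusted' for an exact allowlist match, 'lookalike' when the
    domain is a few edits away from a trusted one (the spoofing pattern
    described above), and 'unknown' otherwise."""
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if 0 < levenshtein(domain, trusted) <= max_edits:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Support <help@northwestregisteredagent.com>",
                "Support <help@northwestregisteredaagent.com>",
                "FedEx Tracking <noreply@fedex.co>"):
        print(f"{classify_sender(hdr):10} {hdr}")
```

A "lookalike" verdict is a reason to verify the request through another channel, not proof of fraud, since legitimate partners occasionally use similar-looking domains.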
Why is phishing so dangerous?
According to the federal Cybersecurity and Infrastructure Security Agency (CISA), more than 90% of successful cyberattacks begin with a phishing email. Phishing emails can be very subtle and hard to identify if you’re not paying careful attention. Phishing tries to get through people’s mental defenses rather than going after their email system’s technical defenses.
Once a bad actor gets access to your email, they can do things like steal money, sell your data on the dark web, or even deploy ransomware that requires you to pay money before you can access your company’s inbox again.
How do I make sure I don’t get phished?
Train your employees (and yourself) to recognize red flags in an email. For instance, if someone they don’t recognize frames a request as “urgent,” they should feel empowered to contact you or someone else first, ideally by phone, chat, or some other communication channel that couldn’t also have been compromised.
Here are a few other precautions you can take:
- Use a strong spam filter
- Verify email sender/address
- Consistently check emails for small variations from the norm
- Don’t click on any links or attachments unless you’re certain they’re safe
Phishing attempts are inevitable, but falling victim to one is not.
Weak Password Security
What makes a weak password? For starters, a “weak” password is one that’s short and easy to guess. For instance, if your dog is named Biscuit and you plaster her all over your public social media, using “Biscuit123” would be a weak password. Dogs are great, but they are man’s best friend, not man’s best password.
A weak password is also one that you reuse across multiple sites. Reusing passwords is common, as most people don’t feel like remembering 100 distinct passwords. But if your email password is the same as your bank password, then a person who guesses it now has access to all the accounts where you use it.
How does using a weak password put my security at risk?
If you use a weak password, it makes it easier for someone to guess it, and that makes your account more vulnerable to things like data theft and financial fraud, just to name a couple of things.
What is a secure password?
A secure password does not simply mean making a password long and throwing in lots of random characters. A password containing five to seven words (known as a “passphrase”) is better than just one word.
Let’s say your current password is something like “fluFF3rKin$.” It almost looks like “flufferkins,” which could be a nickname for your dog, but it uses random capitalized letters and a special character to make it harder to guess.
To upgrade your password even further, you can change it into a full sentence with spaces and punctuation. For instance, “fluFF3rKin$ loves to eat peanut butter treats” is seven words, which is a good length, but it’s also easier to remember than a random string of words that have nothing to do with each other.
Should my employees memorize their passwords or can they write them down?
Neither option is ideal. Instead, password managers like Bitwarden are one of the best ways to ensure that you and your employees are using the strongest possible passwords. Password managers store passwords securely and allow employees to access them as necessary, all without writing them down or requiring them to find the one employee in the building who knows the password for a specific site.
Here are a few other ways to boost your company’s password security:
- Enable multifactor authentication
- Avoid using public, unsecured WiFi networks
- Use an encrypted network to send emails
- Train staff to never give away their password
- Make sure your software is up to date
Above all, keep your guard up, and you’re less likely to end up with a compromised password.
Using Free Email Accounts
If you’re using a free email service like Gmail or Yahoo for your business email, you’re doing more than just risking looking unprofessional. You’re also exposing your email to unnecessary risk. It’s like riding in a car without fastening your seat belt first.
Why are free email accounts riskier?
These kinds of email services often engage in practices like scraping emails for keywords to send you targeted ads and sponsored emails or scanning emails to feed AI learning tools. Privacy can take a serious hit.
Another issue is a lack of control over your DNS records. DNS (Domain Name System) records are online instructions stored within your domain that help devices connect to your website and your mail servers. They do this by telling the DNS server how to respond when it receives a request.
For instance, there’s one DNS record called DKIM (DomainKeys Identified Mail) that lets your mail server add a cryptographic signature to your messages, so the receiving server can prove they came from your domain and weren’t altered or otherwise tampered with in transit. Think of it as a tamper-evident seal for your email. Without this signature, the recipient has no way to tell whether your message has been tampered with along the way.
A secure business email provider will let you configure DNS records as you see fit. But free email services like Gmail and Outlook don’t give you any control over your DNS records.
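To show what that tamper-evident seal actually checks, here is an added example (not code from the page or from any email provider) in Python that recomputes the DKIM body hash, the bh= tag, over a received message and compares it with the value the sender signed. It assumes a CRLF-delimited message with a constructed DKIM-Signature header, uses DKIM’s "simple" body canonicalization, and leaves the RSA signature over the headers (the b= tag) out of scope.

```python
import base64
import hashlib
import re


def canonical_body(body: str) -> bytes:
    """DKIM 'simple' body canonicalization: CRLF line endings, all trailing
    empty lines removed, and the body always ending in exactly one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str) -> str:
    """The bh= tag value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonical_body(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value like 'v=1; a=rsa-sha256; bh=...' into tags,
    dropping the folding whitespace that long base64 values usually carry."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(message: str) -> bool:
    """Recompute bh= over the body as received and compare it with the signed
    value. False means the body changed after signing, or nothing was signed."""
    headers, _, body = message.partition("\r\n\r\n")
    headers = re.sub(r"\r\n[ \t]+", " ", headers)  # unfold multi-line headers
    for line in headers.split("\r\n"):
        if line.lower().startswith("dkim-signature:"):
            tags = parse_tags(line.split(":", 1)[1])
            return tags.get("bh") == body_hash(body)
    return False


def build_sample(body: str) -> str:
    """Constructed sample message carrying only the tags this check needs; the
    b= value is a labelled placeholder, not a real signature."""
    sig = f"v=1; a=rsa-sha256; d=example.com; s=mail; bh={body_hash(body)}; b=PLACEHOLDER"
    return f"From: Billing <billing@example.com>\r\nDKIM-Signature: {sig}\r\n\r\n{body}"


SAMPLE = build_sample("Your invoice is attached.\r\n")
TAMPERED = SAMPLE.replace("is attached", "is overdue, pay at the link below")
```

Running check_body_hash on SAMPLE returns True, while TAMPERED, where the body was edited after signing, returns False.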
What are the alternatives to using a free email account?
The best option is buying your own domain, like [email protected]. A good email host will give you a unique domain and help you configure certain DNS records to make your business email account more secure.
Frequently Asked Questions
No, they are not the same, though there is some overlap. Spam is a broad term to describe unwanted, annoying emails, but not all spam emails use phishing. Phishing is a specific method used to try and obtain sensitive information, like passwords and credit card numbers.
Yes, business email hosts generally use more sophisticated and customizable spam blockers than a personal email account you’d get through a free email service like Gmail. But that doesn’t mean spam won’t get through occasionally.
Yes, business email usually has a higher standard of encryption than free email. Encryption scrambles your data and turns it into text that can only be translated by an authorized user with the right digital credentials.
SSL/TLS is one common form of encryption, so check with your email host to make sure they offer an SSL certificate.