Email Security refers to the security measures that an organization takes in order to secure various aspects of its email system such as identity, content, media attachments or email access.
Email, in a way, can also be described as a central repository or a central point of attack for the hackers. Email security can be a target of a phishing attack, identity theft, spam emails and virus attacks. Email is frequently an intruder’s gateway into an organization. And with over 215.3 billion business and consumer emails being received daily, it represents a dangerous opportunity for unscrupulous entities.
Data breaches are a large concern for businesses today as the number of attacks keep growing year over year. The purpose of an attack on email is to either use it as a pathway to a larger data breach or as a targeted data breach of the email account.
Types of Email Attack
There are different types of attack vectors used by hackers to target email systems. It’s important to note that while different attack vectors may employ different methods, they ultimately have a specific purpose when executing the attack.
The most common techniques used to attack emails include identity theft, phishing, virus and spam emails. Let us take a closer look into the common techniques that threaten email security.
Many organizations these days are either using Microsoft Office 365, G Suite, Zoho or similar services to manage their email systems. Other than hosting emails, services like these offer a suite of useful business tools to manage information in one place. Some apps in the suite include added cloud storage space, project management and collaboration tools, Office suite and much more.
Since they are all part of the same suite as the email service, end users do not need a separate set of login credentials to access them. Regardless of whether a company uses the above-mentioned services or their own proprietary service, they all tend to face the same consequences when a hacker manages to get hold of a user’s identity (i.e. login credentials).
Employees usually use the suite to store confidential data which will, in a short period of time, be exposed if an attacker gains a handle on the employee’s email account. Email identity theft can have much bigger consequences than it did a few years ago.
Phishing is one of the fastest growing attack vectors. For hackers, it is a tried and tested method that has been successfully working for more than a decade. In fact, it has been more than two decades since the first reported phishing attack in 1995.
As the internet grew, so did the number of users having a minimum of two email accounts. Hackers now have far wider reach than ever before. According to a recent report by Tripwire, there were 9,576 phishing incidents recorded in 2015, with 916 of them reporting a breach of data.
Phishing as a tactic employs several different techniques. Each type of attack has its own target audience and purpose.
In an attack called Pharming, the hacker changes IP address associated with the website. This redirects the user to the malicious website despite entering a correct domain name in the URL. Deceptive phishing scams the user by posing as a legitimate website and scares them into paying money. Spear phishing uses the same technique as deceptive phishing, except that this attack makes the user hand over their personal data. According to a report by Symantec, spear-phishing campaigns targeting employees increased 55% in 2015. You can read their complete report.
Attacking with a virus through email is another form using email as a vector. Creating a virus and implementing it requires a meticulous amount of planning, an activity more likely to be conceived and executed by a group rather than an individual.
A targeted virus can have one specific or multiple purposes. Regardless of that, email itself is rarely a target, merely the first stage of the attack. If the attack is successful, the virus could quickly spread across the network in a short time and can even have the ability to shut down the complete network.
Even the simplest virus will attempt to lure the end user into downloading an attachment. Masquerading as documents, they are in fact files which if executed could either take control over the host or even lead to the consequence mentioned above.
In a 2015, Kaspersky Lab’s web antivirus detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.
Spam is the most commonly known form of email attack. Perhaps the reason is because we all have a “spam” folder within our email accounts where we receive unwanted emails or emails we didn’t subscribe to.
This is likely why even people from non-IT backgrounds know what a spam email is, although they are usually thought of as merely harmless emails which they can directly delete without even bothering to open it.
It is true to some extent that some of those emails really are harmless from the end user’s perspective. Spam emails saw a rise in the last couple of years because of the growth of social media and e-commerce websites. Companies, for example, usually broadcast their “latest news” or announcements over email to large numbers of people who are a part of an opt-in list.
However, with the right kind of planned attack, spamming could prove to be fatal for companies if not the users. If a hacker is somehow able to gain control of an organization’s email, they can send unsolicited emails to even larger numbers of people.
Worse, since the emails are going out from legitimate email addresses, hackers could take advantage of the situation and send emails with a phishing attack or by attaching a virus within an email, hence infecting large amount of users simultaneously.
On the other end, a company could also face some serious consequences such as being questioned by the governing authorities for the spam emails. They risk having their internet connection shut down by their internet service providers, which can bring the company’s operations to a complete halt.
It is always prudent to be careful when using the emails these days, especially in the professional environment. Email is still a very secure means of communication provided you keep an alert eye out for emails asking you to perform activities such as clicking, downloading, updating, etc. When in doubt, it’s always safer to ask for a second opinion.