E-mail remains a major telecommunication tool for individuals and businesses around the world, with over 3.93 billion users and 293.6 billion e-mails sent/received per day in 2019 (Radicati). It also stores data that is valuable both to us and to potential criminals, for example:
The steps we take and culture we instill regarding e-mail security can help us better protect our data and the data of our friends, family, businesses and clients.
There is a vast array of methods that malicious actors can use to infiltrate your e-mail. This segment will only look at the most common methods.
Phishing is perhaps the most common method used to gain access to someone’s e-mail/devices. It usually involves a ‘bad actor’ sending an e-mail or text, or making a call, that tries to sway the victim into taking an action that leads to the sharing of valuable data or gives the ‘bad actor’ the opportunity to make use of a vulnerability in the systems used by the victim.
Brute force is an attempt by the ‘malicious actor’ to gain access to your e-mail/devices through trial and error. It usually involves software that attempts a variety of different passwords to gain access to the system. This method is less common nowadays due to security measures that e-mail providers have taken to limit the attempts. It is important to note, however, that it still happens, especially when individuals create passwords that are too simple, or when actors are willing to ‘take their time’ and/or find exploits within the e-mail provider’s systems.
Network Exploits usually arise when individuals connect to unsafe networks. A network can be unsafe because of systems used to monitor the data, whether implemented by the owner of the network or by ‘bad actors’ that have managed to infiltrate the network.
Physical Threats involve someone gaining direct access to your device (e.g. cellphone, laptop), which allows them to then get into your e-mails. This threat is usually tied to the theft of the device or mismanagement of the device by its owner. An example would be a person leaving their laptop unlocked while they go out to get coffee, while a bystander uses this chance to steal the device.
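The attempt limiting mentioned in the brute force description above can be sketched from the provider's side. The following is an added example, not code from the original article or from any e-mail provider: the log format, account names, addresses and thresholds are all constructed assumptions. It counts failed logins per account over a short window and a long one, so that an actor who ‘takes their time’ is still noticed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration, not taken from any provider.
BURST_LIMIT, BURST_WINDOW = 5, timedelta(minutes=10)
SLOW_LIMIT, SLOW_WINDOW = 20, timedelta(hours=24)

def parse(line):
    """Parse '<ISO time> <account> <source> <OK|FAIL>' (constructed format)."""
    ts, account, source, result = line.split()
    return datetime.fromisoformat(ts), account, source, result

def detect(lines):
    """Return {account: rule names} for accounts whose failures tripped a rule."""
    failures = defaultdict(deque)   # account -> failure times in the long window
    alerts = defaultdict(set)
    for ts, account, _source, result in sorted(map(parse, lines)):
        if result != "FAIL":
            continue
        recent = failures[account]
        recent.append(ts)
        while ts - recent[0] > SLOW_WINDOW:      # forget failures older than 24 h
            recent.popleft()
        # Rapid guessing: many failures inside the short window.
        if sum(ts - t <= BURST_WINDOW for t in recent) >= BURST_LIMIT:
            alerts[account].add("burst")
        # Patient guessing: never fast enough for "burst", but it adds up.
        if len(recent) >= SLOW_LIMIT:
            alerts[account].add("slow")
    return dict(alerts)

def sample_log():
    """Constructed events: a fast guesser, a patient guesser, an honest typo."""
    t0 = datetime(2019, 6, 1, 8, 0, 0)
    def line(offset, account, source, result):
        return f"{(t0 + offset).isoformat()} {account} {source} {result}"
    log = [line(timedelta(seconds=30 * i), "alice@example.com",
                "203.0.113.7", "FAIL") for i in range(6)]
    # One failure every 50 minutes, each from a different source address.
    log += [line(timedelta(minutes=50 * i), "bob@example.com",
                 f"198.51.100.{i + 1}", "FAIL") for i in range(24)]
    log += [line(timedelta(minutes=m), "carol@example.com", "192.0.2.10", r)
            for m, r in [(1, "FAIL"), (2, "FAIL"), (3, "OK")]]
    return log

if __name__ == "__main__":
    print(detect(sample_log()))
```

Counting per account rather than per source address is what lets the second rule catch the patient case, since those attempts arrive from many different addresses.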
There are a variety of ways that phishing can catch you off-guard; this section will only look at some key areas. Although there has been a decline in phishing levels compared with prior years, the number remains staggering. One in every 3,207 emails is used for phishing (Symantec) and, in the public sector, phishing is used in 74% of cyber-espionage cases (Verizon). GPetrium encourages everyone to get further engaged in this issue to ensure that individuals, teams and organizations are better prepared to deal with phishing attempts. Below are a few examples.
In organizations with limited resources, leaders should take it upon themselves to create a phishing awareness communication (via email) to employees. Cybersecurity is a cumulative process that requires the continuous dedication of every employee to ensure organizational safety.
To make brute force harder for an actor, take steps to strengthen your password by:
An example would be to have a password like this: //S3c()r1tyW1ns. This password contains three numbers, 2 uppercase letters, 4 symbols and 13 characters in total and is relatively easy to use and remember. Those interested in following governmental guidelines should refer to NIST’s ‘Digital Identity Guidelines’. Also, ensure that your passwords are not the same across various platforms; otherwise, if one provider's database is breached, all providers with the same login & password may be breached. To help manage multiple passwords, software such as 1Password, KeePass and LastPass can be used.
Do not attempt to connect to your e-mail account and other key systems when using an unsafe network. Always consider the environment you are in: some actors will attempt to act as if they are a trusted service provider, while others will simply give you the chance to connect to their service. Even the rules published by service providers of very well-known brands will tell you that the service may be monitored. The quality of security can differ vastly between providers, so consider that before connecting. If there are no other options, take steps to increase security by using SSL (Secure Sockets Layer) in your browser, using the HTTPS:// prefix, keeping your device up-to-date and using a Virtual Private Network (VPN). Afterwards, you are encouraged to change your password to limit the risk of infiltration at a later date.
To decrease the risk of a physical threat to your devices and consequently your e-mails, take your devices with you wherever you go. If this is not an option for a laptop or computer, ensure that you have a physical lock you can use to attach it to a piece of furniture, and always remember to lock the software. For example, Windows users should get accustomed to pressing Windows + L to lock the device every time they are away from it.
Threats are becoming more sophisticated and harder to track. It is therefore essential for everyone, from the network provider and the e-mail provider to your friends and yourself, to take steps to become ‘tech mindful’ and create a culture that follows suit. This will ensure a safer environment for personal and business use.
Those interested in furthering their cybersecurity capabilities should refer to other articles such as ‘Tips for Increased Cyber Security’, ‘Increase your Browser Security’ and ‘Increase your MS Office Security’.