Email security is likely the #1 place where small businesses could spend a little more to get a lot of protection for their company. Cyber-attack statistics over the past few years show that most attacks originate through email (https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/Sophos-Phish-Threat-Datasheet.pdf). Malicious emails can contain links to sites that try to harvest login credentials, get users to download something that will infect their computer, or exploit security holes in the web browser to infect the computer without the user having to download anything at all. They can also be phishing emails that attempt business email compromise by impersonating a superior and convincing employees to do something the attacker wants, usually a wire transfer. All of these kinds of attacks can lead to thousands or hundreds of thousands of dollars in losses.
Why do phishing and other malicious emails work?
The primary problem is that people can be manipulated into thinking that an email is legitimate when it really isn’t, and people are six times more likely to click through a phishing email than a legitimate marketing email (https://www.sophos.com/en-us/lp/games/play-spot-the-phish). People don’t check the reply-to address in an email; they just look at the display name, subject, and body. If it looks close enough to something the display name would send, it’s generally given a pass, and it’s easy to make all three of those parts of an email look legitimate. Cybercriminals can lift whole pages from legitimate websites to make their emails look like they come from the business they’re pretending to be. People also don’t think clicking on something in such an email is all that dangerous and don’t inspect the links before clicking them. When an attacker is targeting a business specifically, they’ll spend the time to gather a lot of data about the internal workings of the business, its employees, and details they can find on the internet, compromise someone low on the security tree first, and then use that email address to attack up the chain.
So what should a small business be doing to better protect themselves from such attacks?
First and foremost, add advanced email filtering that scans all emails as they come in and/or while they sit in mailboxes, and blocks anything malicious before an employee ever sees it. While not a cure-all, such filtering does a very good job and cuts the number of times an employee could fall victim to a scam by a large percentage. Since it’s not perfect, adding user training is also recommended, especially training programs that send out fake phishing email campaigns to catch those users who consistently fail to notice bad emails (https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats). In larger organizations, labeling all inbound emails that originate outside the organization can be a big help as well. Finally, having good baseline security at the network and endpoint (computer/server) level can help catch things that make it through.
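The two header tricks described earlier (a convincing display name sitting on top of an unrelated sender address, and a reply-to address that quietly redirects replies) and the "label external mail" recommendation above can all be handled at the mail gateway with a small header check. The following is an added example written for this post, not code from Forge IT Consulting or any of its partners; it uses only Python's standard library, the domain in INTERNAL_DOMAINS is an assumed company domain, and the three raw messages are constructed samples rather than real phishing mail.

```python
"""Added example (not from the original post): flag the header tricks the post
describes and tag external mail, using only the Python standard library.

Assumptions (all constructed for this example):
  * INTERNAL_DOMAINS holds the domains the business owns (assumed name).
  * The raw messages below are made-up samples, not real phishing mail.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-business.com"}  # assumed: the company's own domains


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyze(raw: str) -> dict:
    """Return defensive, header-only findings for one raw RFC 5322 message.

    external               - the From address is not in an internal domain
    reply_to_mismatch      - Reply-To domain differs from the From domain,
                             the usual way replies are redirected to an attacker
    display_name_lookalike - the display name itself contains an address-like
                             string whose domain differs from the real From domain
    subject                - the subject as it should be delivered: external mail
                             gets an "[EXTERNAL]" tag prepended, as the post recommends
    """
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    reply_dom = _domain(reply_addr)

    external = from_dom not in INTERNAL_DOMAINS
    reply_to_mismatch = bool(reply_dom) and reply_dom != from_dom

    # A display name such as 'Bob Smith <bob@example-business.com>' makes an
    # external message read as internal to anyone who only glances at the name.
    name_dom = _domain(display.split()[-1].strip("<>")) if display.strip() else ""
    display_name_lookalike = bool(name_dom) and name_dom != from_dom

    subject = msg.get("Subject", "")
    if external and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject

    return {
        "from": from_addr,
        "external": external,
        "reply_to_mismatch": reply_to_mismatch,
        "display_name_lookalike": display_name_lookalike,
        "subject": subject,
    }


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = (
    'From: "Bob Smith <bob@example-business.com>" <bob.smith@mail-example.net>\n'
    "Reply-To: bob.smith@mail-example.net\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please process the attached wire today.\n"
)
SAMPLE_REPLY_TO = (
    "From: Vendor Billing <billing@vendor-example.com>\n"
    "Reply-To: billing@vendor-example-invoices.net\n"
    "Subject: Invoice 4471 overdue\n"
    "\n"
    "Reply with updated payment details.\n"
)
SAMPLE_INTERNAL = (
    "From: Alice <alice@example-business.com>\n"
    "Subject: Lunch on Friday\n"
    "\n"
    "Noon works for me.\n"
)


def run_samples() -> dict:
    """Analyze all three constructed samples; keyed by sample name."""
    return {
        "lookalike": analyze(SAMPLE_LOOKALIKE),
        "reply_to": analyze(SAMPLE_REPLY_TO),
        "internal": analyze(SAMPLE_INTERNAL),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(name, result)
```

In a real deployment the same checks would run inside the mail gateway or a transport rule and feed a quarantine or warning banner rather than a printed dictionary; the point of the example is that the display name, the From address and the Reply-To address are three separate fields, and only the last two are what a reply actually goes to.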
Forge IT Consulting is well versed in all these methods to protect businesses from malicious emails. We work with a variety of partners that are leaders in this area and can find the best solutions for your business. Call us today at (407) 318-2671.