The 6 Biggest Email Security Risks for Enterprises (2024)

Posted July 15th, 2022

The 6 Biggest Email Security Risks for Enterprises (1)

Non-fungible tokens (NFTs) were the target of a recent hack against OpenSea, an NFT marketplace in New York City. It appears the attackers successfully stole hundreds of NFTs from users, spreading fear throughout OpenSea’s vast user base. A spreadsheet compiled by the blockchain security company PeckShield shows that 254 tokens were seized during the breach, including tokens from the Bored Ape Yacht Club and Decentraland.

According to Molly Whit, author of the blogWeb3 Is Going Just Great, the stolen tokens were valued at more than $1.7 million.

The Foundation of the Attack: Spoofed Email

Ransomware hackers randomly use malware to automatically exploit vulnerabilities, but in the OpenSea attack, the perpetrators used a far more traditional approach: spoofed email. A spoofed email comes from a fake email address, typically one that looks like it belongs to someone with the right to view or receive sensitive information.

Using spoofed emails, the hackers got the victims to sign a partial contract that was mostly blank except for a general authorization. This means the victims essentially signed a blank check. Then, the attackers filled in the rest of the contract, transferring ownership of the NFTs without having to make a payment.

E-mail Security: An Overview of Threats and Safeguards

Mail clients and mail servers are the two main parts of an e-mail system, and they each play a critical role in preventing email threats.

Mail clients:These allow users to read, write, send, and save their emails. If an attacker gains access to a user’s mail client, they can perform all these actions in the name of the real user.
A mail server:This is the computer that distributes, forwards, and archives email.

So that various mail clients and servers can work seamlessly with each other, industry standards such as Simple Mail Transfer Protocol (SMTP), Extended Simple Mail Transfer Protocol (ESMTP), Post Office Protocol (POP), and Internet Message Access Protocol (IMAP) are applied. These enable email processing, formatting, delivery, and display. In other words, they keep the email system efficient. But that doesn’t mean email isn’t prone to risk.

The Most Common Email Threats

Hackers typically leverage the following types of email threats to infiltrate a network or steal information or money:

Social engineering: Hackers often use email to obtain information about a company instead of hacking into a system. They do this by persuading users—typically, employees—to take actions that enable an attack. Email spoofing, mentioned at the outset, is a common social engineering technique. During a spoofing attack, the hacker uses the position or authority of the person whose email they’ve spoofed to manipulate their target.
Malware: Cybercriminals are increasingly using malware, such as viruses, worms, Trojans, and spyware, to attack business systems. Once successful, they take control of workstations and servers to access confidential data, observe user activity, increase their access rights, and carry out other nefarious activities.
Hacker groups with malicious intent: A successful attack on a mail server could allow malicious entities to access resources elsewhere in the organization’s network. They can then impersonate people and launch attacks.
Spam: Usually used as a vehicle to spread malware, email spam refers to unsolicited or unwanted communication sent out in bulk via email. Phishing, which uses deceptive techniques to fool people into replying to emails and providing sensitive information, is sometimes interlinked with spam. When spam and phishing attacks originate from legitimate email addresses, chances are the email servers hosting those addresses have been compromised.
Authorized users who make mistakes:Authorized users may unintentionally email sensitive or confidential information to people who aren’t authorized to view or access them, putting the company at risk of embarrassment or legal action.

6 Biggest Email Security Risks for Enterprises

Attackers use various methods to manipulate email users into divulging sensitive information or handing over money, but the following are the six that organizations should be wary of:

1. Chain Mail

A chain letter, also referred to as chain mail, is another form of unsolicited email in which users forward messages containing false information. Most people are familiar with weird emails that threaten you with “bad luck” if you don’t forward them to everyone you know. These are the types many people simply ignore.

2. Phishing

Phishing involves someone pretending to be someone they’re not to fool users into providing sensitive information. For example, you may receive an email from “Google” asking you to confirm your login due to a recent breach.

These emails can look very convincing at first glance, but if you take the time to investigate the sender’s details, you’ll likely find an odd email address, such as “[emailprotected],” something that Google obviously doesn’t use. Employees should make it a habit to check the sender’s email address and useSPF checkerto make sure the email domain is credible. They should never respond to any email asking to enter their password without explicit approval from IT.

3. Spear Phishing

Spear phishing is a form of phishing but targets a specific person, usually a high-level individual within an organization. The attacker performs prior research on the individual before they send a spear phishing email, which makes spear phishing far more potent than regular phishing that targets random people.

Because the attacker has done their homework, a spear phishing email will use language that dupes victims into believing the sender is legit. In this way, it’s far easier to get them to download an attachment, send money, or provide confidential information.

4. Spoofing

Email spoofing involves tricking someone into believing they’re communicating with a reputable person. For instance, a scammer may impersonate a manager or member of the finance team. If the victim falls for the ruse, they are much more likely to do whatever the attacker wants them to do, such as click on a malicious link to automatically install malware on their device. Spoofing is frequently used as a stepping stone to a much larger attack.

5. Vishing

Vishing is a scam that resembles phishing but uses audio channels instead of text, such as videoconferencing platforms or voicemail. Scammersoften attempt to persuade people into sending money or divulging private information by using fictitious phone numbers or posing as a supervisor or client.

6. Malicious Attachments

Malicious attachments often play a part in phishing schemes. Cybercriminals will send an innocent-looking email with an attachment. To get recipients to open or download the compromised files within the attachment, hackers appeal to their fear, greed, or something they’re interested in.

What Are the DOJ and FBI Doing to Prevent Phishing Attacks?

Although a lot still has to be done, there’s no denying that the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) have been taking action. Here are some examples:

Filed charges against a criminal group: Just recently, the DOJ filed charges against a cybercriminal gang that managed to steal about $3.4 billion worth of intellectual property. The criminals exfiltrated 31TB of academic data from over 300 universities in 21 different countries.
Seized malicious domains: The DOJ also successfully seized two domains that a cybercriminal used in a phishing campaign that victimized a marketing agency connected with the U.S. Agency for International Development (USAID). The attacker used the domains to distribute malware and for command and control (C&C).
Shut down fraudulent websites: In 2020, the DOJ shut down hundreds of COVID-related websites that scammers used to deliver malware, operate deceptive charity drives, advertise fake COVID cures and vaccines, and spoof government organizations to dupe Americans into entering sensitive information, including their bank logins.

Best Ways for Enterprises to Tackle Email Risks

For as long as people use email, there will be risks. To protect your organization and employees, consider the following:

Use endpoint protection to stop malware that can be introduced through an email-based attack
Conduct regular security awareness training programs to educate users on the most recent threats and what to do if they come across a suspicious email
Encourage your employees to use strong passwords that are hard to guess and frequently update them
Enforce multi-factor authentication across the organization. This forces someone trying to log in to verify their identity by providing other forms of identification aside from their username and password, such as a PIN, one-time passcode, fingerprint scan, etc.

The key is to use a combination of techniques—or a multi-layer defense strategy—to filter out multiple threats.

When It Comes to Email Security, Knowledge Still Rules

In many cases, there’s no need to reinvent the wheel when coming up with an email protection strategy. Strong passwords, security awareness, endpoint protection, and multi-factor authentication, when combined, can stop the vast majority of attacks. Remember that your employees will often be your first—and last—line of defense in the fight against cybercriminals. If they’re aware of the risks and how to avoid them, you greatly shrink your attack surface