Malicious emails can be used to trick your staff into divulging their password or other sensitive information (Phishing), manipulate them into performing a task such as making a bank payment (Social Engineering) or as a way to deliver malware such as Ransomware into your organisation.
With an estimated 90% of cyber attacks starting with a malicious email, it is important that you understand how to protect your business from this ever-present danger.
Email has been a vector for malware right from the beginning, and as our technology has gotten better at finding and removing malware the cyber criminals have found new ways to get the malware onto computers, often by persuading users to bypass the security controls that are in place to protect them.
The age-old advice of not opening attachments from unknown sources is still valid today, but with so many hacked mailboxes we can’t fully trust attachments from sources we do know.
Phishing attacks strive to extract (or "fish" for) login credentials from your staff. Most phishing emails impersonate an organisation like Microsoft, Google or LinkedIn and require the recipient to click a link in the email to perform some task (such as cancelling a service they didn't request or accessing a file sent by a colleague). Once the user clicks the link they are presented with a login form which looks just like the real thing, but whatever credentials are entered are sent to the attacker so they can be used to breach the victim's account.
Social engineering is the buzz-word used to describe fraud. By impersonating someone else, the cyber criminal will trick an employee into doing something for them, normally to the detriment of the business.
Social engineering scams have included changing the payment details on invoices or purchasing a large quantity of gift cards.
This is by far the hardest kind of attack to stop because it is the employee, rather than the computer, which is being manipulated.
The first line of defence is technology. We recommend an Advanced Threat Protection (ATP) system which scans emails for malware and other malicious content when they arrive. The system we recommend scans over 100 billion emails a day and uses Artificial Intelligence to identify never-seen-before malware, phishing and other email attacks.
Another layer of defence is Multi-factor Authentication. Although MFA cannot stop malicious emails, if a member of staff falls for a phishing attack it will prevent the attacker from being able to use the credentials they steal.
Phishing and social engineering emails are particularly hard to stop, so it is essential your staff know how to spot and avoid these emails. Staff awareness training can help by making staff aware of the threats and giving them the tools they need to identify them, but unfortunately not all staff benefit from this kind of training.
A simulated phishing or malicious email campaign can ensure staff engagement by delivering harmless emails which appear to be malicious to their inboxes. If they are taken in by the email and click the links they will be delivered a warning, helping them to avoid that kind of email in the future.