Email has always been a big attack vector favored by cybercriminals. It’s exposed to the internet and has historically bad security — and it’s easy to manipulate inattentive users with specifically crafted spear phishes. No wonder it’s a favorite target. However, there have been a lot of improvements in email security, so you can make it harder for attackers to exploit your email system.
Next steps
- Use a cloud-based email system: Legacy, on-premises email systems require maintenance and security patching — something many organizations struggle to do promptly. If you’re still using an on-prem email system that you need to maintain, it’s time to move to a cloud-based, SaaS enterprise email system like Microsoft 365. The cloud provider takes care of the platform and handles security patching so you don’t have to.
- Utilize MFA: If you’ve been reading these tips closely, you know how strongly we feel about multi-factor authentication. It’s critical that you enforce it on your email accounts to help combat credential attacks that would otherwise let an attacker take over an account.
- Implement email authentication: Three technologies — Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) — work together to make it harder to deliver fraudulent emails to potential victims. If you’re not familiar with these technologies, work with your email provider or an experienced administrator to enable them in your environment.
- Enable external email warnings: Email systems should be configured to alert readers that a message originated outside of the organization. This is critical to helping users recognize that the “CFO” directing them to wire $75,000 to an escrow account is really a cybercriminal impersonating her. It’s especially important to enable these warnings on mobile email platforms, where the apps display only the sender name and don’t show the full email address by default.
- Train your users to detect and question spear-phishing attempts: Security awareness training is table stakes. Users must be taught how to detect suspicious messages and, just as importantly, how to respond to them. Whether the right response is forwarding the message to IT or verifying the request through an out-of-band channel, train your users on what to do, and create a culture of professional skepticism when reacting to unexpected email requests.
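A quick way to check whether the email authentication records in the list above are actually doing their job is to inspect what a domain publishes. The following checker is an added example, not code from the original post; it parses SPF and DMARC TXT records and flags settings that leave a domain open to spoofing (a permissive `+all`, a monitor-only `p=none`, no reporting address). The two domains and their records are constructed for illustration; in practice the strings come from DNS TXT lookups of the domain and of `_dmarc.<domain>`.

```python
# Added example (not from the original post): flag weak SPF/DMARC settings.
# Records below are constructed; real ones come from DNS TXT lookups.

SAMPLE_RECORDS = {  # constructed (SPF, DMARC) pairs for two fictional domains
    "weak.example": ("v=spf1 include:_spf.example.net +all", "v=DMARC1; p=none"),
    "strong.example": ("v=spf1 include:_spf.example.net -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"),
}

def parse_spf(txt):
    """Return (mechanisms, all_qualifier); qualifier is '+', '-', '~', '?' or None."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
        name = term.lstrip("+-~?")
        if name.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(name)
    return mechanisms, all_qualifier

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC TXT record as a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def assess_domain(spf_txt, dmarc_txt):
    """Return findings about weak settings; an empty list means nothing flagged."""
    findings = []
    _, all_q = parse_spf(spf_txt)
    if all_q in ("+", None):
        findings.append("SPF does not restrict senders (missing 'all' or +all)")
    elif all_q == "?":
        findings.append("SPF ends in ?all (neutral), so failures carry no weight")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so aggregate reports are not collected")
    return findings
```

Call `assess_domain(spf, dmarc)` with the two TXT strings for a domain; the weak sample above yields three findings, the strong one none.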