Gabi Power, 25 November 2022 14:48:52 AEDT

13 Best Practices for Email Security

Data breaches seem to be the current hot topic of conversation. No matter whether you’re at work, in social settings, or watching the news, it’s all anyone can talk about, and there’s good reason.  

In Q3 of 2022, data breaches increased by 70% on the previous quarter. What’s more concerning is just how many cyber incidents there have been recently where a hacker or bad actor has gained access to a company’s networks through a compromised employee email account. 

On the 23rd of November, The Smith Family, an Australian charity that supports disadvantaged children, disclosed that they had been hit by a cyberattack. In the attack, the hacker used a team member’s email account in an attempt to steal funds, and in the process may have accessed the personal information of almost 80,000 donors.  

In the same week, elite Melbourne boys' school, Xavier College also revealed that they too were victims of a cyberattack. In June, a hacker gained “access to an email account that includes information relating to students’ and families’ finances, admissions, fundraising, scholarships, pastoral care and – for a small cohort of individuals – health information” and is now threatening to publish the data.  

These two events only scratch the surface. With how commonplace and damaging cyber incidents are becoming, there’s no better time than the present to develop your knowledge on email security. Below, we’ve listed 13 best practices for email security, which you can apply in your day-to-day life.  


1. Think twice before you click

Bad actors lie in wait, hoping that you’ll drop your guard and click a link or download an attachment without giving it a second thought. In cybersecurity there’s a concept called ‘Zero Trust’, and we all need to adopt that same mentality when we’re online or checking email. If it doesn’t seem right, or if you have doubts, don’t click. Here are some basic things to look for.

Don’t click links on emails that: 

  • Aren’t addressed to you by name, 
  • Are sent to you from a different email address to the one that the sender typically uses, 
  • Appear to be from a legitimate company but use poor spelling or grammar, or that omit details that you would otherwise expect, 
  • Are from businesses or people that you were not expecting to hear from, and  
  • Take you to a website or landing page that is different to what you expected 


2. Be wary of shared files and links

If you’re unsure whether an email is legitimate, one of the first things to check is the sender’s email address and whether the domain it comes from is correct. Be sure to click on the sender address to view the actual sending account, not just the display name. Scammers will often forge the sender name so that it appears to be the real thing, or, taking it one step further, they will register a domain that is similar to the correct domain of the company they’re spoofing.

Scammers use links and attachments in emails to deliver malware or direct you to phishing sites. If the link or attachment has come from an untrusted source, or from someone you weren’t expecting to hear from, proceed with absolute caution. Click here for a thorough guide on how to test suspicious links without putting yourself or your business at risk.
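As an added example (not MailGuard’s own tooling), here is a small Python check that does what this section advises: it pulls the real sending address out from behind the display name and flags domains that are near-identical to ones you trust. The trusted domain list, the similarity threshold and the sample headers are assumptions constructed for illustration.

```python
"""Added example, not from the original post: inspect a From: header the way
section 2 advises, using only the Python standard library."""
from email.utils import parseaddr
from difflib import SequenceMatcher

# Domains this organisation expects mail from (assumption for the example).
TRUSTED_DOMAINS = {"mailguard.com.au", "example.com"}
# How similar a domain must be to a trusted one to count as a lookalike
# (assumed threshold; tune it for your own domains).
LOOKALIKE_RATIO = 0.85


def sender_domain(from_header: str) -> tuple[str, str]:
    """Split a From: header into (display name, actual sending domain).

    The display name is what most mail clients show; the address after it
    is the real sending account the post tells you to click through to."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def closest_trusted(domain: str) -> tuple[str, float]:
    """Return the trusted domain most similar to `domain` and the similarity ratio."""
    best = max(TRUSTED_DOMAINS, key=lambda d: SequenceMatcher(None, domain, d).ratio())
    return best, SequenceMatcher(None, domain, best).ratio()


def check_sender(from_header: str) -> str:
    """Classify a From: header as 'trusted', 'lookalike', 'name-mismatch' or 'unknown'."""
    name, domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    _best, ratio = closest_trusted(domain)
    # Close to a trusted domain but not identical: a registered lookalike
    # such as a digit swapped for a letter.
    if ratio >= LOOKALIKE_RATIO:
        return "lookalike"
    # Display name borrows a trusted brand, but the account lives elsewhere.
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS}
    if any(brand in name.lower() for brand in brands):
        return "name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ("MailGuard Support <support@mailguard.com.au>",
                "MailGuard Support <support@mai1guard.com.au>",
                "MailGuard Billing <billing@freemail-provider.net>",
                "Jane Doe <jane@unrelated.org>"):
        print(f"{check_sender(hdr):14} {hdr}")
```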


3. Use secure passwords

You wouldn’t put a cheap lock on the door to your house – the same should apply to your email account.  

Make sure your passwords are strong and unique – they should not contain any easily guessed or personal information such as your name or birthday. Don’t re-use passwords or choose ones that are easily guessed or a hacker will find their way in.  

In general, when creating strong passwords, you should always:  

  • Use a combination of uppercase and lowercase letters, numbers, and special characters 
  • Make it at least 12 characters long  
  • Avoid using any words that have personal meaning, such as your name, a pet’s name, dates of birth, or anniversaries 
  • Make it significantly different from other passwords (e.g., don’t just change a number or special character) 
  • Use passphrases where possible (e.g., “Thunder&L1ghtning!”) 


4. Consider using a password manager

Password managers, like LastPass, are the most secure way of protecting and generating passwords. As long as you remember your master password, the rest are encrypted and protected from unauthorised parties. Ideally everyone in your business should use one, but if not, you can still use one for your personal credentials.


5. Mandate Multi-Factor Authentication (MFA)

Implementing MFA is said to prevent between 80 and 90% of cyberattacks, so it’s essential your business is using at least two authentication factors to protect email accounts. While one-time passwords via SMS or email verification may be convenient, when possible it’s recommended that you choose biometric factors. These can include options such as fingerprints, iris scans, and facial and voice recognition, which are all far more difficult for scammers to forge or bypass. Find out more about MFA here.


6. Educate your team on email threats, like phishing, BEC and ransomware

Thanks to the prevalence of phishing kits, which allow low-level cybercriminals to create professional-looking malicious websites and emails, phishing attacks are constantly becoming more advanced. Even if you’re confident in your ability to spot a phish, it’s worth refreshing and testing your knowledge on a regular basis.

To help businesses detect phishing attacks, MailGuard writes about the more sophisticated attack attempts that we see on a day-to-day basis. Many replicate well-known companies in an effort to steal personal information, account credentials and credit card details. We also have a “Can you spot a scam?” quiz, and there are a number of services which test employees’ ability to detect phishing attacks in real time by sending simulated malicious emails for education purposes.

7. Don’t reveal too much in your ‘Out of Office’ reply 

‘Out of Office’ (OOO) replies are helpful in alerting team members or other contacts that you’ll be unavailable for an extended period of time, but they can also pose a serious cyber risk. Avoid including too much information in your OOO, such as specific dates of leave, where you’ll be going, if you’ll be entirely unreachable, or who your manager is.  

Keep it basic – say that you’re unavailable rather than explaining why and where you are, and if necessary, provide a general company email or phone number in case of emergencies. Providing too much information can equip a cybercriminal with all the details they need to impersonate you in a targeted BEC attack. Find out more about OOO best practices here.


8. Limit what information you share online

If your social media account isn’t private, hackers can quickly find out sensitive information such as your birthday, mother’s maiden name, best friend’s name, pet names, and sometimes even your home address.

Worse still, think twice before completing a fun online quiz promising to predict your future, or to tell you what personality type you are. Cheap and seemingly innocuous quizzes and surveys are often a front for cybercriminal organisations that are trying to gather information that will help them compromise your accounts. “What are your pets’ names? When were you born? What’s the name of the street that you first lived in? Enter your email address and we’ll send you your rockstar stage name!”

When reviewing your own profile, most social media sites give you the option to view it as a member of the public would, so you know exactly what information is visible.


9. Avoid using your business email for personal use  

This should go without saying, but it’s critical you keep business and personal emails separate. If you’re using your professional email address when creating accounts, subscribing to newsletters, or making purchases online for personal use, it may make it harder to distinguish between a legitimate email and a phishing attempt. On top of this, the more your professional email is used online, the greater chance there is that it could be sold to a third-party or compromised in a data breach, putting your business at risk.  


10. Never reply to scammers

As tempting as it can be to hit ‘Reply’ when you receive those emails explaining that you’ve inherited $200 million from an aunt you never knew about, whether it’s out of amusement or frustration, it’s important you never do. Replying to scam or spam emails can verify to the cybercriminal that your account is active and that they’re being delivered to your main inbox (or at the very least that you’re checking your junk folder). This may lead to an increase in scam emails, and while this attempt may have been laughable, the next one may be less obvious.   

11. Don't use free public Wi-Fi

When you’re out in public, it’s best to avoid using free Wi-Fi. Aussie Broadband explains “Since public Wi-Fi usually requires no authentication, it offers a tempting avenue for would-be hackers to obtain access to unsecured devices using the network. Malicious attacks through the network can result in your data being stolen” or expose you to malware. If possible, hotspot from your mobile or from someone you trust.   

12. Log out of your email account

While it may not be the most convenient, it’s best to get into the habit of logging out of your email account at the end of the workday. Although the people in your house may not be too concerned with what’s in your emails, if you’re travelling to and from the office, on a holiday, or even working from a café, and you leave your device behind by accident, you don’t know who could access your emails or what they’ll do with them. This is particularly important if you’re on an unfamiliar device!

13. Invest in a multi-layered email security approach

Prevention is always better than a cure, and the best defence is to boost your company’s cyber resilience levels to avoid threats landing in your inboxes in the first place. Even if you’re using Microsoft 365 or Google Workspace, you should also have a third-party email security specialist in place to mitigate your risk, for example a third-party cloud email security solution like MailGuard.

Nine out of 10 cyberattacks start with an email, so you need to ensure that your inboxes are secure. Cybersecurity experts refer to it as a ‘defence in depth’ or ‘multi-layered’ approach. Like having a lock on your front door and a latch, if one fails to stop the intruder, the second one will.  


While some of these tips may come as second nature to you, ensuring you're practicing them and continuing to build on your cybersecurity knowledge could be what it takes to prevent a successful attack. 


Fortify your defences

No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk, for example a specialist cloud email security solution like MailGuard to enhance your Microsoft 365 security stack.

For more information about how MailGuard can help defend your inboxes, reach out to our team at expert@mailguard.com.au.      
