Essential Email Security Tips for Employees: Preventing Phishing Attacks

Email security is often overlooked or simply ignored because of time reasons until disaster strikes—and dude, it does strike! It strikes so bad that even huge companies got attacked and lost Millions just because an employee opened an Phishing Email. Imagine the chaos at a major corporation, where a single phishing email led to a data breach that compromised the personal information of thousands of employees. Such breaches not only hurt the company's reputation but also resulted in millions of dollars in losses due to identity theft, data theft and fraud. Getting the data stolen is one thing, but imaging this data is also encrypted. Imagine this company has no Backups in place. All of its customer data is gone, code is gone, maybe even their Databases are away. Imagine this is your Company or the Company you are employed at. Imagine you have to tell your customers that their sensitive data is now for sale on the black market, just because you clicked a link or opened a file. I do not want to do that, and I’m pretty confident that you feel the same about it. So keep on reading, we will go through the steps on how to prevent you from such situations. Some minutes spend here can save you Millions.

The Anatomy of a Phishing Attack

Phishing is a type of cyberattack where scammers or hackers use emails to trick people performing actions that are good for them. They make their emails look like they are from someone you trust, like your bank or a coworker, to get you to click on a link or download something harmful. In the past, most of those emails were pretty easy to uncover as phishing mails. But with the rise of AI, they become very hard to uncover. Hackers or Scammers can copy the tone of your CEO, a business partner or your bank, Social media or similar. They can copy the layout of those emails also with no effort. An example that shocked me, about a year ago, was a LinkedIn notification that someone sent me a friend request. It looked like all the other LinkedIn notifications with the footer in place etc.

I trusted the E-Mail, so I wanted to click on it and see what happened. Fortunately, I took a step back and figured out that it was on my work E-mail. I signed up with my private E-mail. Since then, I never directly click on platform links. Instead, I manually go to the platform and see what's new if an E-Mail notification got my interest. Also, a first learning is to never click a link in an email without double-checking if it is legit.

Steps in a Phishing Attack:

1. Choosing the Target: Scammers pick who they want to trick. They might pick Managers, System Administrators or founders, since they have the most access privileges. But also customer request addresses like office or help@company.com can be good targets since those emails must be taken serious. It is easier to mimic a customer request that trick the CEO or CTO.
2. Making the Email: They write an email that looks real, using the same logos, style, and language as the real company would. They often say you need to act fast, making you feel rushed. Or they write an email that looks like a customer request. Maybe he has some extra wishes that he tells you in an attached PDF or an example attached with a link.
3. Sending the Email: The fake email is either sent to many people at once. If it's a huge scam, thousands might get the email. Since impersonated those scams are normal easy to uncover with the tools i give you. Harder are the emails that are targeted to a specific person in a company.
4. The Trap: The email usually has a bad link or a harmful file. If you click the link, it might take you to a fake website that looks like a real one where you normally enter your password. Or it downloads a file infected with malware.
5. Stealing Information: If you enter your details on the fake site, or if the file you downloaded contains malware, the disaster makes its turns.

Understanding that the email looks real but is actually a trap can help you stay safe. Next, we will look at different types of phishing attacks and show some examples to help you see how these scams happen.

Types of Phishing Attacks

Phishing comes in several forms, each designed to trick you in different ways. Let’s take a look at the most common ways hackers try to get you into the trap:

1. Spear Phishing: Unlike broad, random attacks, spear phishing targets specific individuals or organizations. These attacks are highly personalized, often using information that makes the emails seem particularly credible. For example, a spear phishing email might appear to come from a trusted colleague or boss asking for confidential information.
2. Whaling: This type of attack targets high-profile individuals like CEOs, CFOs, or other executives. The goal is often to steal large sums of money or sensitive information. Whaling attacks are sophisticated and involve emails that are meticulously crafted to look like critical business correspondence. Unfortunately, with the rise of AI, the bar for these attacks gets lower and lower. By making use of Email Spoofing, which changes email headers in a way that it looks like it came from a different address, powerful attacks can be performed. Like the Attack on FACC. The attacker there sent an email to an employee claiming to be the CEO who wants to buy a StartUp. The Employee was instructed to send 50.000.000€ to the given account. The money was gone and both the employee and the CEO lost their jobs. Since there were no internal systems for preventing such a fraud. So, also think about that and work on internal systems as simple as a four-eye principle for huge transactions or simply not trusting such emails and double-checking with a short call.
3. Pharming: Here, attackers redirect users from legitimate websites to fraudulent ones. This can be done by infecting a computer with malware or by exploiting vulnerabilities in the DNS server settings. Users think they are entering their information on a secure site, but it's actually controlled by cybercriminals.
4. Clone Phishing: In a clone phishing attack, a legitimate and previously delivered email containing an attachment or link is taken and used to create an almost identical or cloned email. The attachment or link within the email is replaced with a malicious version and then sent from an email address spoofed to appear to come from the original sender.
5. Vishing (Voice Phishing) and Smishing (SMS Phishing): Vishing involves phone calls, where attackers pretend to be from a bank, technical support, or even the IRS, asking for personal information. Smishing, on the other hand, uses SMS messages to lure victims into providing personal data or downloading malware.

Spear Phishing Real-World Example: IKEA Reply-Chain Email Phishing Attack

In December 2021, IKEA fell victim to a sophisticated spear phishing attack known as a 'reply-chain attack.' Cybercriminals hijacked the companies E-Mail servers. They then hijacked email conversations and made recipients download malware by inserting emails into these threads containing zip files with a spreadsheet in it containing some “important” data and visualizations. This technique made the phishing emails appear as legitimate parts of existing discussions, thereby increasing their effectiveness. The malicious emails as mentioned before often contained links or attachments labeled in innocuous ways, such as ‘charts.zip,’ which, when opened, would prompt users to enable content that activated malicious software like Qbot and Emotet Trojans. The dangerous thing was that attackers watched the conversations and added attachments the recipients would trust. These Trojans are particularly dangerous as they facilitate further network compromise and can even lead to ransomware deployment.

IKEA's swift response included warning employees about the specifics of the attack, such as the characteristic ending of the malicious links and the temporary disabling of the ability to release emails from quarantine to prevent further spread. This case underscores the importance of vigilant email practices and ongoing cybersecurity education within organizations.

With educated employees, even attacks like this can be prevented, so let's break down where to look at and how to may prevent them.

• First of all, enable Exchange Server Malware Protection.

  • It will scan automatically all attachments except password protected ones for malware and filters them out if one was found.

• Zero Trust E-mail Policy

  • Do not open Links or Attachments without double-checking their legitimation
  • Ask your college why he sent you such an Excel in a zip (not via email)
  • Ask your colleague why you need to give it execution permissions
  • I think you got the point(s)

Best Practices for Email Security

Email remains a primary communication tool in the workplace, internally it can be easy replaced with slack or Teams. For external communication, the simplicity of having a simple public address where you can receive all messages is unbeaten. Unfortunately its strength is also a major vulnerability, it is open to everyone, so everyone can send you everything. Paired with a weak protocol makes your inbox the most dangerous place of the internet. Here are essential email security best practices every employee should follow to protect themselves and their organization from cyber threats:

1. Zero trust email Policy:

   • Always verify the sender's email address before clicking on any links or downloading attachments, especially if the email requests sensitive information or urgent action. If it looks suspicious, use another communication channel like Slack to contact the sender. Do not forward suspicious Emails to other Employees or your Boss!

2. Use Strong, Unique Passwords:

   • Always use complex passwords that combine letters, numbers, and symbols. Avoid using the same password across multiple accounts to prevent a single breach from compromising all your accounts.

3. Enable Multi-Factor Authentication (MFA):

   • Wherever possible, activate MFA. This adds an extra layer of security by requiring a second form of identification beyond just a password to access your accounts.

4. Regularly Update and Patch Software:

   • Keep your email client, web browsers, and operating systems updated. Cybercriminals often exploit vulnerabilities in software to gain unauthorized access, most of the exploits will be fixed pretty soon after becoming public. So regular updates can reduce the risk of a cyberattack dramatically.

5. Educate Yourself on Phishing Techniques:

   • Participate in training provided by your employer and stay updated on the latest phishing tactics. Keep your eyes Open, my top tip is if you hear from a company you know getting hacked, inform yourself about the incident. Try to understand how it happened. By that, you learn from it and know what to look for next time. You will get better and better regarding phishing attacks. Understanding what phishing looks like and how it evolves will help you better identify suspicious emails.

6. Use Email Encryption:

   • If you need to send sensitive information via email, consider using email encryption. The recipient will need the private key matching your public key that you used to encrypt the message. Otherwise, he can not read it. This is like the HTTPS for email. If your company runs on Office 365, consider switching on Microsoft 365 Message Encryption for internal email communication. By using this, an incident like the IKEA one may, would not even be possible or harder to do since the attacker requires the key to read and manipulate emails.

7. Be Wary of Email Hyperlinks and Attachments:

   • Before clicking on hyperlinks or downloading attachments, hover over links to see the actual URL and scan attachments with antivirus software. For some extra security, check it with VirusTotal. A free tool scanning for malware or evil domains. If in doubt, contact the sender through a different communication channel to verify the content.

By implementing these practices, employees can significantly reduce their risk of falling victim to email-based cyberattacks and help secure their organization’s digital assets.

Conclusion

In the digital age, email is not only an essential tool for communication but also a prime target for cybercriminals. The stakes are high, as seen in sophisticated attacks like the IKEA reply-chain email phishing incident, demonstrating that no organization is immune to these threats. However, by embracing robust email security practices, both employees and organizations can significantly shield themselves from the risks posed by cyber threats.

It's crucial for everyone to be proactive about email security. This means consistently applying the best practices outlined, such as being skeptical of unsolicited emails, using strong passwords, enabling multifactor authentication, and educating oneself about the latest phishing techniques. Additionally, the implementation of technical safeguards like regular software updates, email encryption, email security tools, XDR protections and secure backups are vital steps in fortifying your email systems.

Remember, the cost of prevention is always less than the cost of recovery after a security breach. By taking these steps, you can not only protect your personal information but also contribute to the overall security culture of your organization, making it a less attractive target for cybercriminals.

Stay alert, stay informed, and take action to ensure that your email interactions remain secure. Let's all work together to build a safer digital world.

Stay Safe & Secure,

Alex