Professional Advisor borwell Blog – Email Security & Phishing

E-mail Security  

E-mails are a part of our everyday life. We use them to keep in contact with people all around the world, to monitor online shopping and much more. Several technical measures can be implemented to reduce the amount of spam reaching your inbox and to reduce the likelihood of someone falling for a phishing e-mail. Several controls that should be applied are detailed below:

  • Sender Policy Framework (SPF) is a way for the recipient of an e-mail to confirm the identity of the sender. This makes it much more challenging to spoof (fake) the e-mail address.
  • DomainKeys Identified Mail (DKIM) is a protocol that allows a message to be verified through cryptographic authentication (MD5 hash) by the mailbox provider. This is used to confirm that the e-mail was sent by the person it states it came from.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) allows policies to be applied to e-mails. For example, if an e-mail does not have DMARC, SPF or DKIM authentication, the e-mail will automatically be moved to the spam folder.
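
To show how the three controls combine at the receiving server, here is an added example (not from the original post) that applies a DMARC policy to SPF and DKIM results. The function names, sample records and domains are constructed for illustration, and relaxed alignment is simplified to a subdomain check rather than a Public Suffix List lookup.

```python
# Added example: DMARC evaluation over constructed results (all domains are placeholders).

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; return None if it is not usable."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) allows subdomains.
    Simplification: real relaxed alignment compares organizational domains found
    via the Public Suffix List; here one name must equal or sit under the other."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf and dkim are (result, domain) pairs produced by the receiving server."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # Neither check both passed and aligned with the visible From domain: apply the policy.
    return {"none": "deliver", "quarantine": "spam-folder", "reject": "reject"}[policy["p"]]

QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
MONITOR = "v=DMARC1; p=none"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

if __name__ == "__main__":
    cases = [
        ("genuine", ("pass", "example.com"), ("pass", "example.com"), QUARANTINE),
        ("spoofed From, SPF passes elsewhere", ("pass", "bulk.example.net"), ("none", ""), QUARANTINE),
        ("same spoof, monitor-only policy", ("pass", "bulk.example.net"), ("none", ""), MONITOR),
        ("forwarded, DKIM from subdomain", ("fail", "example.com"), ("pass", "mail.example.com"), QUARANTINE),
        ("forwarded, strict alignment", ("fail", "example.com"), ("pass", "mail.example.com"), STRICT),
    ]
    for label, spf, dkim, record in cases:
        print(f"{label:36} -> {dmarc_disposition('example.com', spf, dkim, record)}")
```

The second and third cases differ only in the published policy: with `p=none` the unauthenticated message is still delivered, which is why a monitoring-only record does not by itself move spoofed mail to the spam folder.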

A spam filter is a piece of software that is used to detect unwanted e-mails and prevent them from reaching the user's inbox folder. Common spam filters search for word patterns or frequency. This can often be configured by the individual and should be set to an appropriate level to reduce the number of spam e-mails.

What are Phishing e-mails?

Phishing attacks are social engineering techniques used by someone with malicious intent to deceive users and steal valuable information. This is generally achieved by impersonating a trustworthy party, for example, impersonating a bank to try to obtain credit card information.

There are two main types of phishing approaches:

  • The first uses an email that is untargeted and is sent to multiple companies to extract data. This type will generally have a lower success rate.
  • The second is a targeted attack which will be used to deceive employees, often by posing as a trusted party, to extract data.

For untargeted attacks, spam filters are often quick to identify this mail as it is not specific to the company, is often worded very poorly, and does not look legitimate. However, a targeted attack can be more difficult to identify as it will usually pose as an individual, including their email address, writing style and signature.

Dealing with phishing emails  

If you receive a phishing email, do not click on the link provided in that email. It could redirect you anywhere across the internet, potentially to a malicious site. An easy way to check where the link is taking you is to hover over the URL. If it is not one that is familiar, be extra careful before entering any sensitive data.

If you are unsure, contact the company through its official email address and ask whether the email they sent is legitimate.

Phishers want you to act fast, so they create a sense of urgency. Don’t let it get in the way of a careful review of the email.

Training should be integrated as a practice that covers different aspects of cyber-security. It is recommended that employees are given example phishing emails and genuine emails to improve their critical assessment of fake emails and improve awareness. Employees who are unaware of social engineering attacks could be the weak link within the company and could potentially infect devices on a network.

If you are a business looking to get involved with the Professional Advisor Programme, follow this link to register and find out more –  Business Advisors – Worcestershire Growth Hub
