How to Protect your Business against Malicious Emails

August 31, 2022 | BankingFocus-Banking Focus | BankingFocus-Financial Tips

We hope you have been able to enjoy the nicer days and also beat the heat during the recent hot days we've had this summer! Email is a vital tool in our business, and it likely is useful in your business as well. A recent report indicated that so far in 2022, nearly 3.5 million emails are sent throughout the world every second. However, not all of those emails are sent by people with good intentions. This month's article gives some pointers on how to protect your business against malicious emails.

Although phishing has been a problem for years, phishing emails have increased by an estimated 600% over the past two years. Phishing continues to be a go-to source for hackers.

Because of the mass number of phishing emails targeting victims every day, it is more important now than ever to remember The Golden Rule of Email. This modern version of the well-known principle is to treat every email as if it’s a phishing attempt. 

To help fix this recurring problem, organizations should consider modifying their training approach to focus on building habits versus one-off lessons. Focusing on building a repeatable process can have a more significant impact. It’s not the security awareness training alone that makes the difference, but the repeated steps taken.
 

Implementing The Golden Rule of Email

There are three steps to implementing The Golden Rule of Email concept in any organization:  
Step One: Introduce and Apply the Concept Company-wide
The first step in implementing The Golden Rule of Email is establishing it as part of onboarding techniques and general practices, similar to how employees comprehend the mission or values of a company.

Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools to be mastered by every employee.

Step Two: Build Phishing Awareness Skills

Once the initial concept of the rule is adopted across the company, it's time to start building the skills necessary to support the rule and act against any suspicious activity.

A crucial step in helping employees steer clear of phishing emails is asking the Three Ws - who, what, and why. You should consider questions similar to the following for every email received:

Who?

• Do I know the sender?
• Is this someone I usually communicate with?
• Is the email sent to an unusual group of people?
• Is the email address spelled correctly?
• Does the email address match the email in the signature?

What?

• What action does the sender want me to take?
• Does the email contain bad grammar, odd styling, or typos?
• Is the email written in a style consistent with the sender?
• Is the action something you’d expect from the sender?
• Is it an urgent request?

Why?

• Why do they want me to click on a link, download an attachment, or send information?
• Are they presenting a sense of urgency?
• What is the consequence they are threatening if no action is taken? Is it something I should expect?
• Have they presented an unusual situation? Is it something I should expect?

Verify

• If you've gone through the who, what, and why questions and you have any doubts, you should verify the email by contacting the sender via phone or in person. Do not reply to the suspicious email asking for verification.

It’s also important to be wary of different phishing types:
• Email phishing – Emails using fake domains to collect private and financial information.
• Spear phishing – A more malicious email targeting specific people. Hackers typically have private information about the person, like their name, job title, and email address.
• Whaling – Emails targeting senior-level staff and management.
• Smishing and vishing – Instead of emails, this form utilizes texting and over-the-phone conversations where scammers pose as fraud investigators warning individuals of “breached” accounts. 
• Angler phishing – Hackers use social media to gain sensitive information and download malware. They can also use data from social media to create more advanced and targeted attacks.

In addition to warning employees of the various ways to phish, organizations can put technical controls in place to help filter down phishing emails and implement security controls to ensure emails are coming from valid sources.

Step Three: Take Accountability

The final step in the process is taking accountability. Each employee should know exactly what steps to take when they spot a phishing email. Also, anyone who accidentally clicks on a phishing email and realizes it should immediately report the incident to their respective IT or security department(s) for faster identification and quicker response times.

The goal is for The Golden Rule of Email - treating every email as if it’s a phishing attempt - to become second nature for everyone. It becomes more than just another rule to follow; it’s a habit backed up by a process.
 
________________________________________
Written by: Nick Podhradsky
Executive Vice President - SBS CyberSecurity, LLC