Around 319 billion emails are sent and received daily, and this figure is expected to increase to 376 billion by 2025. That’s a lot of emails! But let’s be honest: despite this staggering number, email is, and will remain, a key function of your business. All it takes is one interception for an attacker to steal your login information, or to plant a link or malware that compromises your business.
Common Types of Email Phishing Attacks
Let’s look at four of the most common types of email phishing attacks that could affect your business:
What is Email Bombing?
Email bombing is a tactic cybercriminals use once an account has been compromised, for example after the perpetrator acquired your login details in a breach. The victim’s inbox is flooded with countless emails in a short time. The real attack is hidden among them, such as confirmation emails for financial transactions made with your account.
What are phishing emails?
Phishing emails are an attack that tricks people into taking an action prompted by an email or message, typically by clicking a malicious link or opening a malicious attachment.
Also read: How to identify and avoid phishing attacks
What is Spear Phishing?
Spear phishing is a more advanced type of phishing attack aimed at specific, targeted users. Cybercriminals impersonate a trusted entity to obtain confidential information or steal money.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a specific type of phishing attack that uses social engineering and human vulnerability to gain access to sensitive data and information. BEC typically targets senior executives, CEOs, or managers in HR or finance departments.
Also Read: Business Email Compromise (BEC): The Billion Dollar Threat
How to protect your emails against cyberattacks
There are several ways to defend your business against cyberattacks, but we will explore two: implementing a multi-layered security approach, and digitally signing and encrypting your emails.
Implement a multi-layered security approach
A layered approach improves your resilience against phishing while minimizing disruption and maximizing the number of points at which an email attack can be detected.
Start by preventing attackers from reaching users: implement anti-spoofing controls, then filter or block incoming phishing emails. You should also review what information about your organization is publicly available through channels such as your website or social media, since attackers use it to make their emails convincing.
Next, educate users and employees on how to identify and report suspected phishing emails, and on what to do if they suspect an email is malicious.
The third layer should be to protect your organization from the effects of undetected phishing emails through the use of multi-factor authentication, regularly backing up important files and data, and reviewing processes that could be exploited.
Finally, respond quickly to incidents. Create an Incident Response Plan (IRP) and practice it so people are aware of their responsibilities.
Digital signature and encryption of your emails
Typically, this falls under the third layer, protecting your organization. But let’s look at it a little more closely. At the end of an email, you sign with your name and your primary business details (website, phone number, etc.). But can the recipient be sure it’s really you? And if you send important information by e-mail, is there any guarantee it arrives intact?
In short, no.
This is where a protocol called S/MIME, or Secure/Multipurpose Internet Mail Extensions, comes in.
S/MIME is built on Public Key Infrastructure (PKI) technology and relies on two cryptographic functions: digital signatures and encryption.
- Digital signatures – content is signed with the sender’s private key and verified with the sender’s public key, which proves who sent the message and that it was not altered in transit
- Encryption – content is encrypted with the recipient’s public key and can only be decrypted with the recipient’s private key, so only the intended recipient can read it
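The two functions above, as an added example that is not part of the original article: signing and verifying, then encrypting and decrypting, an S/MIME message with the openssl command-line tool. It assumes an openssl 1.1 or newer binary on the PATH; "alice", "bob" and the example.test addresses are made-up identities whose self-signed certificates stand in for CA-issued S/MIME certificates.

```shell
#!/bin/sh
# Added example (not from the article): S/MIME signing and encryption with openssl.
# Assumes openssl 1.1+ on PATH; alice, bob and example.test are constructed identities.
set -eu
WORK=$(mktemp -d) && cd "$WORK"

make_identity() {   # $1 = name, $2 = e-mail: private key + self-signed certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/CN=$1/emailAddress=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_identity alice alice@example.test
make_identity bob   bob@example.test

# Constructed message body the sender wants to protect.
printf 'Please pay invoice 1234 to the usual account.\n' > msg.txt

# Signing: Alice's PRIVATE key produces the signature (clear-signed MIME output).
openssl smime -sign -text -in msg.txt -signer alice.crt -inkey alice.key -out signed.eml

# Verification: anyone holding Alice's PUBLIC certificate can check the signature.
# Exit status 0 = signature valid and content unmodified, non-zero otherwise.
verify_signature() {   # $1 = signed message file
  openssl smime -verify -in "$1" -CAfile alice.crt -out /dev/null 2>/dev/null
}

# Any change to the signed content (here, the amount) invalidates the signature.
sed '/invoice/s/1234/9999/' signed.eml > tampered.eml

# Encryption: Alice encrypts to Bob's PUBLIC certificate (AES-256 content key wrapped for Bob).
openssl smime -encrypt -aes256 -in msg.txt -out encrypted.eml bob.crt

# Decryption: only the matching PRIVATE key can recover the body.
decrypt_as() {   # $1 = identity name, $2 = encrypted message file
  openssl smime -decrypt -in "$2" -recip "$1.crt" -inkey "$1.key" 2>/dev/null
}

verify_signature signed.eml   && echo "original: signature OK"
verify_signature tampered.eml || echo "tampered: signature FAILED (as expected)"
decrypt_as bob   encrypted.eml        # prints the invoice line
decrypt_as alice encrypted.eml || echo "alice cannot decrypt mail addressed to bob"
```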
Implementing S/MIME brings a host of security and administrative benefits to your business and addresses key email attack vectors, without requiring extensive user training or IT resources to deploy and manage.