You may be familiar with some version of an all-too-common nightmare email story. A trusted manager receives an urgent email requesting immediate action. Their superior is traveling, does not have cell service, and is unable to connect to the financial accounts or systems. An important payment to a partner, missionary, or vendor is due immediately. So, the manager is directed to wire money or make some other type of payment for the superior at once. Although the email directive looks legitimate and appears to have come directly from the superior, it is in fact a hoax that will result in the loss of a lot of money.
Or maybe you’ve received an unsolicited DocuSign email stating you need to sign some important documents immediately that appear to be sent by someone you work with. Everything looks legitimate, and you have responded to emails of just this sort before with no consequences. Perhaps you have been directed to use a link to log in to one of your bank or credit card accounts to update or confirm your information. Unfortunately, the genuine-looking email is actually a phishing attempt designed to steal from you.
Almost all users of email have encountered a message similar to these at one point or another whether at the office or at home. The problem is growing, and the approaches are becoming more sophisticated.
Why Is Email Such a Target for Cybercriminals, Hackers and Other Bad Guys?
In a world where we hear much about Facebook, Twitter, Instagram, Snapchat, etc., email is still the dominant form of electronic communication. Regardless of what other platforms one may use, if they are online, they use email. As such, it is easy to see why this is the preferred method of hackers who desire to steal information, money and access. The Radicati Group, a technology market research firm, estimated the number of consumer and business emails sent per day in 2018 was more than 281 billion! In the second and third quarters of 2018, 52% of all emails sent were designated as spam. The cybersecurity firm Kaspersky reports that in the third quarter alone its anti-phishing system blocked more than 137 million redirects to known phishing sites. That number was up 30 million from the previous three-month reporting period. These are staggering numbers that point to a significant problem.
While almost anyone these days knows how to both send and receive an email, the same cannot be said for understanding how, where and from whom that email was sent or received. The beauty of email is its ease of use. You do not have to understand or be able to identify how it was sent or received to enjoy the functional benefit of email. Therein lies its biggest weakness.
Email is designed such that anyone can send an email to anyone else provided they have the intended recipient’s email address. This gives us the ability to communicate with anyone, anywhere, at any time but it also gives the ‘bad guys’ access to our inboxes 24/7/365. That is why robust email security has become a non-negotiable. And educating users about important email security practices is the most effective way to help them defend themselves from the myriad of threats directed against them on a daily basis.
How Do These Guys Use Email to Hurt Me?
Let’s start with identifying some terms that are commonly used when discussing email security. When assessing your current email security policies you must consider the areas described below.
- Spam – Spam is defined as unsolicited, typically commercial messages sent to a large number of recipients or posted in a large number of places.
- Phishing – Phishing is a scam by which an internet user is baited and tricked into revealing personal or confidential information which the scammer can then use for destructive purposes.
- Malware – Short for “malicious software,” malware refers to software programs designed to damage or perform unwanted actions on a computer system.
- Encryption – Encryption is the process of converting data into an unrecognizable form that can only be recognized by an authorized party that has the “keys” to decipher the data. It is used to protect sensitive information so that only authorized parties can view it. But it can also be used to hold a user’s data for “ransom” until money is paid to provide the keys to unlock the data and make it usable again.
Spam is an unavoidable reality in today’s world. While not particularly threatening, it still has negative effects on organizations. How much productivity is lost just by having to sort, clean, and delete unwanted and unsolicited email? While spam does not generally pose a significant security risk, dealing with it can pose quite a headache if you are receiving lots of it.
Phishing and malware attacks constitute the primary email threats in today’s world. To protect your network resources and data, you must be able to defend against these threats. In the past, viruses were used as the primary email threat. With this method, the attacker attaches an infected file that the intended recipient must open in order for it to “work.” While this certainly still exists, it is no longer the most common form of attack. Today, attackers commonly try to bait users into clicking on what looks like a legitimate link to a known ‘good’ site. However, they are directing you to a carefully designed fake site that only looks legitimate – in reality, it is a dangerous guise. Once on the site, you may be prompted to enter credentials, or the page may automatically download malware to your machine in the background without your knowledge.
The last few years have seen a huge increase in the number of targeted phishing attacks using a technique known as “spear phishing”. Spear phishing is the fraudulent practice of sending emails appearing to be from a known or trusted sender in order to induce the targeted individual to reveal confidential information. These spear phishing campaigns can look very legitimate and are the number one threat that email users are currently facing. Spear-phishing attackers are often successful because they are able to target victims who put lots of personal information on the internet. From scanning social networking accounts, they can gain a lot of information – a person’s email address, friends list, geographic location, trips they have been on, items they have purchased, etc. With all of this information, the attacker would be able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target.
What Can I Do to Protect My Church or Myself?
Now that we have discussed the magnitude of the threat and some of the ways that cybercriminals are using email as a means to take advantage of technology users, let’s review some recommended “best practices” you can implement to defend yourself and keep your church and personal email communications secure.
The first and most important recommendation we will make is very technical in nature. You must ensure that your organization has properly published SPF, DKIM and DMARC DNS records. While each of these records works differently to authorize and authenticate identity, they work in tandem to verify that email communications for your organization are coming from trusted locations. Your network administrator should be able to confirm that this has been done properly, and if not, to correct the problem.
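As an added illustration (not part of the original article and not an Enable tool), the Python example below audits the text of SPF, DKIM and DMARC records the way an administrator might when confirming they were published properly. It goes a little beyond the paragraph by naming specific weak settings such as `+all` and `p=none`; the domain church.example, the mail host, the key placeholder and all function names are constructed for the example.

```python
# Added example; every domain, selector, key and address below is constructed.

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, _, value in pairs}

def audit_spf(record):
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]
    final = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not final:
        redirected = any(t.startswith("redirect=") for t in terms)
        return [] if redirected else ["SPF: no 'all' term, unlisted senders get a neutral result"]
    if final[0] in ("all", "+all", "?all"):
        # all / +all pass every sender; ?all returns neutral for unlisted ones.
        return [f"SPF: {final[0]} lets unlisted servers through (pass or neutral)"]
    return []  # -all (fail) or ~all (softfail)

def audit_dkim(record):
    # An empty p= tag marks a revoked key; a missing record means no key at all.
    if not parse_tags(record).get("p"):
        return ["DKIM: no usable public key published for this selector"]
    return []

def audit_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or lacks v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= is missing or invalid")
    elif policy == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

def audit_domain(records):
    """records maps 'spf', 'dkim' and 'dmarc' to the TXT value ('' if absent)."""
    return (audit_spf(records.get("spf", "")) + audit_dkim(records.get("dkim", ""))
            + audit_dmarc(records.get("dmarc", "")))

WEAK = {"spf": "v=spf1 include:_spf.mailhost.example +all",
        "dkim": "v=DKIM1; k=rsa; p=", "dmarc": "v=DMARC1; p=none"}
STRONG = {"spf": "v=spf1 include:_spf.mailhost.example -all",
          "dkim": "v=DKIM1; k=rsa; p=CONSTRUCTEDPLACEHOLDERKEY",
          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@church.example"}
```

Calling `audit_domain(WEAK)` returns four findings and `audit_domain(STRONG)` returns an empty list; the record text itself would come from TXT lookups on the domain, `_dmarc.<domain>` and `<selector>._domainkey.<domain>`.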
A secure email solution should also include policies to filter both spam and phishing attempts. It should be configured to provide reporting and action based upon the type of message received and the threat that it contains. Advanced reporting based on real-time threat analysis against global email threat databases is a powerful feature that can keep you up to date on cutting edge threats that are “out in the wild.” Anti-malware detection is also a must-have for any secure email platform. Finally, email message encryption has become necessary due to the volume of sensitive data exchanged with trusted third parties.
Another key feature of an enterprise email system is the need for email archiving, backup, and disaster recovery. The way we tend to use email today is more like a filing cabinet than strictly a messaging system. This fact, combined with varying compliance requirements, can dictate how long you need to retain organizational email. Robust email archiving policies are a must to accommodate the various scenarios and requirements that your church may encounter.
When it comes to backup of cloud email platforms such as Office 365 or G Suite, some organizations may ask “Why do we need backup? Isn’t it in the cloud and being backed up by the provider?” The answer is yes, it is being backed up by the respective cloud provider. However, in most cases the only restoration the cloud provider will provide is of the ENTIRE organization to a point in time. This of course can be problematic if you only need to restore content from a single mailbox or a handful of items in a single mailbox. Enable has flexible options on backup strategies for cloud email providers that can accommodate almost any scenario that you encounter.
If you need any help assessing where your organization currently sits with regard to your email security policies or backup and disaster recovery plan, please don’t hesitate to reach out to us at [email protected]! We would love to help your organization navigate what can sometimes be a complex process.
Written By: Phil Brewer, Senior Engineer, Enable Ministry Partners