Cybersecurity Awareness Month: Email Safety
By Alex Colcord
October is Cybersecurity Awareness Month and each week this month I’ll be offering a column with tips and strategies for staying safe online. I hope you find them helpful! This week’s column is about email security and safety.
Back in the 20th century, there were many predictions about how digital technologies and devices would transform society. Now we’re here in 2021 and a lot has changed, and while we are living in an increasingly digital world, its benefits are not without risk. In any area of human endeavor, criminals seek weak points in a system that can be exploited. This has been true of computers and computer networks since the 1970s, and every day there are new threats to security. But while there will probably always be risks to digital activity, there are also easy ways that you can increase your safety.
Now, let’s talk specifically about emails. Since the 1990s, email has been a familiar part of our communications infrastructure. Today 90% of Americans who use the Internet use email, and while it doesn’t have the immediacy of texting or the workgroup features of newer messaging solutions like Slack or Discord, it’s very simple to use, lends itself to thoughtful discourse, and is generally a reliable way to exchange messages and data.
Unfortunately, email has also long been a common security attack vector for the uninvited. When an email is a vector, the attack can take the form of malicious spam. You’re probably already familiar with regular email spam in the form of unwanted advertising, also known as unsolicited commercial email (UCE). Malicious spam may have a dangerous file attached, or it may contain an attractive offer and a tempting link for you to click on that will likely take you to a hazardous website.
Another type of email attack is phishing, where you receive an email that seems to be legitimate but is, in fact, an attempt to trick you into giving away your personally identifiable information (PII); this can include your username, password, phone number, social security number, bank account information, credit/debit card information, etc. These attacks have become quite sophisticated over time as ever-resourceful criminals have developed more effective and compelling messages. The most seductive messages commonly appear to be coming from a trusted source such as your bank, your co-workers, even your friends. There will typically be a link for you to click on that will take you to a facsimile of your bank’s website. In fact, the ruse may be so clever that without close inspection you may be fooled into entering your bank account number or password into the fake site’s login page. Once the thieves have this information (or your credit card number and security code), your assets will definitely be at risk.
How can you avoid falling victim to one of these email attacks? While there is no such thing as 100% perfect security, there are some steps you can take to better protect yourself as you communicate through emails.
Befriend your spam filter
Most people send and receive emails using either a client program, such as Microsoft Outlook, or a web browser client, such as Gmail or Yahoo Mail. These days you may not have to do anything to set up your spam filter, as your email client will automatically filter spam and junk email into a separate spam folder. Even so, you can and should familiarize yourself with your spam filter settings, especially if you start to see spam showing up in your inbox. You should also periodically check your spam folder since the automated filters are not infallible and can sometimes remove legitimate emails from your inbox. Your email client also typically has a way to report spam to your provider and this will also help train the spam filters to recognize that email as spam in the future.
Protect your inbox
If you receive an email that seems legitimate but is making an unusual request, you should always be suspicious. For example, if you receive an email that appears to be from your bank informing you that you must click on the provided link and log in or provide your account information, be wary! One very easy way to test for legitimacy is to examine the link in the email. Place the cursor over the link but don’t click on it. Is that your bank’s website? Look carefully, as attackers can configure a malicious website address to appear almost identical to a real one. For example, if your bank’s website is “mytrustedbank.com”, an attacker might fool you with “mytrustybank.com” or “mytrustedbank.info”. See the difference?
I have seen enough people lose control of their assets that as a general rule, even if my bank sends me an email message that is completely legitimate, I never click on any links and always open a new browser tab to log in directly to the bank’s website.
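The hover-and-compare check described above can also be automated. The following is an added example, not part of the original column: it reads the real link targets out of an HTML email body and labels each hostname against a list of sites you trust. The function names, the two-character threshold, the two-label approximation of a site's domain, and the extra check for a trusted name buried inside a longer hostname are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"mytrustedbank.com"}  # the article's example bank domain

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, trusted=TRUSTED, max_dist=2):
    """Return 'trusted', 'lookalike' or 'unknown' for a link's hostname."""
    host = (host or "").lower().rstrip(".")
    base = ".".join(host.split(".")[-2:])  # assumption: last two labels, no Public Suffix List
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted:
        if base.rpartition(".")[0] == good.rpartition(".")[0]:
            return "lookalike"  # same name, different ending (.info vs .com)
        if good in host:
            return "lookalike"  # trusted name buried inside a longer hostname
        if edit_distance(base, good) <= max_dist:
            return "lookalike"  # one or two characters off
    return "unknown"

class LinkAudit(HTMLParser):
    # Records (hostname, verdict) for every <a href> target, ignoring the visible text.
    def __init__(self):
        super().__init__()
        self.results = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            host = urlsplit(href).hostname
            self.results.append((host, classify_host(host)))

def audit_links(html):
    parser = LinkAudit()
    parser.feed(html)
    return parser.results

# Constructed sample email body, using the look-alike names from the article.
SAMPLE = ('<a href="https://mytrustybank.com/login">Log in</a> '
          '<a href="http://mytrustedbank.info/verify">Verify</a> '
          '<a href="https://www.mytrustedbank.com/">Home</a>')
```

A verdict of "unknown" only means the hostname does not resemble a trusted one; it is not a statement that the link is safe.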
When in doubt, throw it out
Another possible phishing email may include a funny image, or a file marked “important” (it may seem to be from your co-worker for instance), or it may purport to be some kind of free offer or coupon. However, downloading these attached files could immediately put your system at risk of compromise, perhaps by ransomware or some other type of malware. The safest approach to an unusual email when you cannot verify its legitimacy is to delete it. If your company or organization has cybersecurity or IT personnel, you could also forward a suspicious email to them for further investigation before deleting it.
Keep everything updated
It’s important to ensure that your computer, phone, and tablet undergo regular software updates. These may already be configured to occur automatically, or you may need to set them up. Installing the latest updates for your device ensures that you have the latest security patches that will help protect you against current threats.
Lock down your logins
It seems hard to believe, but many people still use the same login for all their accounts. Of course, this makes an attacker’s job even easier since they can fairly quickly gain access and compromise your privacy.
You may be reading this and thinking that these are all basic steps that you already take to safeguard yourself, and that’s great! The reality is that these attacks continue to happen and criminals continue to profit from them because many people don’t take these basic cybersecurity measures to protect themselves.
While it seems surprising that anyone would be unaware of these basic precautions, many people fall under the misapprehension that they are already sufficiently protected. However, our digital world is constantly changing, and new threats emerge every day. Cybersecurity awareness begins at the level of each individual user, and that’s exactly why we in the cybersecurity community need your help to get the word out this month so that we can all become more cyber-aware.
You can find more information about Cybersecurity Awareness Month over at the National Cybersecurity Alliance.
About the author:
Alex Colcord is Director of Operations and a cybersecurity analyst at Cover6 Solutions.
Connect with Alex: @alexcolcord on Twitter