Defending Against Email Threats: Demystifying Common Terms
Email, while it has been around for over 40 years now, continues to be a primary vector for cyber attacks. That means anyone who uses email could fall prey to an attack. And, as these attacks become increasingly sophisticated, they’re becoming more commonplace, and more costly to organizations.
These attacks can cost companies millions of dollars in damages as well as reputational damage which is hard to recover from. That’s why individuals and organizations need to be aware of common email threats and have a defense strategy in place that leans on tools and not just based on individual behavior. Configuring the right level of authentication for an organization's inbound email traffic requires analysis and the right configuration, which email platforms are capable of but have to be set up for.
There are a number of terms related to cyber threats, and many of these concepts overlap, which can be confusing. To help you assess whether or not your organization has implemented the right configuration, we will start with demystifying some of the most common terms related to email threats and offer tips on how to effectively defend against them.
What is malware?
Malware, or malicious software, is a catch-all term for any type of invasive computer code or software designed with malicious intent, such as viruses, botnets, worms, spyware, rootkits, trojans and ransomware.
Malware can infect a computer in a number of ways, from a user downloading free software that contains malware, to opening an email attachment or clicking on a pop-up window that starts a malware download. A defense-in-depth approach is the best way to combat malware, using the latest anti-malware technologies combined with user security training.
Use spam filters and email authentication protocols, and stay updated with security patches and software updates.
What is ransomware?
While ransomware falls under the malware category, it’s notable for its increasing pervasiveness in the cyber threat landscape. Bad actors gain unauthorized access to your data and either lock you out of your systems or encrypt your data, and then demand a ransom payment to unlock those systems or decrypt those files.
One of the most prominent ransomware attacks was the Colonial Pipeline attack of 2021, which forced the American oil pipeline company to shut down its operations to contain the attack. The result? A state of emergency was declared in 17 states and the company paid a ransom of US$4.4 million (in Bitcoin) to the DarkSide criminal hacking group to restore its operations.
Google Cloud includes built-in security controls to help protect against ransomware attacks, which includes monitoring, threat detection, data loss prevention and access controls, as well as built-in backup and high availability with regional clusters. Ransomware often spreads through phishing emails or social engineering tactics, so user training is essential in mitigating risk.
What is social engineering?
Social engineering refers to techniques or tactics that manipulate, influence or trick a user into handing over confidential data or providing network access. Often, it comes in the form of email, invoking a sense of fear or urgency that leads the user to click on a malicious link or open a malicious attachment.
For example, in 2019, Toyota was the victim of a social engineering attack in which a hacker posed as a business partner of a Toyota subsidiary over email and persuaded a finance executive to change its bank account information, costing Toyota a total of US$37 million. Google’s AI-enhanced spam-filtering capabilities block more than 99.9% of spam, phishing attempts and malware from reaching your users, but admins can also turn on enhanced pre-delivery message scanning.
Users should also be trained to recognize suspicious emails and avoid clicking on unknown links or attachments.
What is phishing?
Phishing is a form of social engineering in which a bad actor poses as a colleague, acquaintance or organization to lure a victim into providing sensitive information such as login credentials for email, network access or online banking. The lures can come in the form of an email, text message or even a phone call (or a combination).
About 90% of phishing attacks originate from email. While Google scans incoming messages for malware, admins can turn on additional safety features for links, images and attachments. Gmail also warns users before they download a suspicious attachment, and a safe browsing feature helps to identify suspicious or dangerous links in email messages.
What is business email compromise (BEC)?
BEC—also known as email account compromise—is a form of phishing in which bad actors gain a hold of legitimate email accounts. Oftentimes, the attacks rely on official-looking emails from a senior member of the organization or from a respected company, with embedded branding and logos. BEC is the second costliest cyber complaint. For example, in 2021, a BEC scam was uncovered by security researchers in which recipients were tricked into opening an email attachment that looked like an Excel spreadsheet, which then triggered a fraudulent pop-up notification.
The recipient would be told they’re logged out of Office 365 and were required to re-enter their login credentials, which then ended up in the hands of cybercriminals. To prevent BEC scams, the use of two-factor authentication can prevent bad actors from accessing a user’s account—even if they’ve managed to get a hold of a user’s password. You can add or remove security keys for multi-factor authentication in Gmail, or even enforce it across the organization.
What is email spoofing?
Email spoofing is a type of cyberattack that targets businesses by using emails with forged sender addresses. Spoofing is often used in phishing campaigns. To mitigate spoofing and protect the domain reputation, ensure your email and Google group settings in Google Workspace follow best practices, and implement a DMARC policy (see below) that allows you to monitor, quarantine or reject emails from sources that you don’t trust to protect against spoofing.
What is Domain Based Message Authentication Reporting and Conformance (DMARC)?
Domain Based Message Authentication Reporting and Conformance ( DMARC) is an email authentication protocol that provides businesses with a tool for managing responses to the results of Sender Policy Framework (SPF) and Domain Key Identified Mail (DKIM). SPF is an email authentication method designed to help protect the reputation of your domain from senders attempting to impersonate your domain. DKIM provides a unique ‘signature’ to emails originating from your domain, which can be verified and then authenticated by the receiving parties.
Defend against email threats with Pythian
Does your team have advanced knowledge of Google’s email security settings? Are you using all available features in Google Workspace to protect your data? Pythian’s Email Security Deep Dive offering is a fixed-fee service that ensures you’re taking advantage of every security feature available to you in Google Workspace. And our expertise in SPF, DKIM and DMARC applies to any email platform your organization is running.
Ready to get started?
Email us at firstname.lastname@example.org to find out how we can help.