What is your most memorable thing about setting up your email? If it is just about a strong password, this article will help you debunk this and some other common myths. Security of your email is essential, but too many solutions and tips build upon prejudice rather than expertise. I am going to review and revise email security policies, solutions, and some red flags too.
Let us touch upon the most common email protection myths one by one.
Myth 1: It is all about password strength
They say there is no way to hack your account if the password cannot be guessed. Is it true?
First off, there is no magic wand that will help you create a password that would withstand any attack. Hackers steal and crack both human-created and machine-generated passwords, no matter how complex they are.
Evidence-based expertise suggests that changing email passwords or passphrases at regular intervals is the best practical solution. The optimal frequency for password updates is three months. This gives you a good chance of locking cybercriminals out of your account in case it gets attacked, while keeping the update frequency quite low.
Despite being a far cry from flawless, this routine, surprisingly, secures your email in most cases.
Further on, there is no such thing as password-only corporate email protection. Business email systems require extra security measures. Each company's IT staff comes up with its own set of tactics and tools. These comprise secure sign-in requirements, compliance with master data management, multi-factor authentication, email filters, secure BYOD procedures and so on.
To sum it up, the password itself is just the tip of the iceberg, as proper email security relies on a range of factors and tactics.
Myth 2: It is extremely hard to replicate a professionally created corporate website
You may wonder what this has to do with the security of your email. Phishing is the right clue here. You may have your email secured with advanced authentication solutions, set an extra-strong password, and filter file attachments and potential spam, but none of this works against what is called website phishing. The myth says hackers cannot spoof a high-profile website. Do you think this is true?
Of course, it is not true. Government and big-name companies’ websites, be it NASA or Facebook, are not spoof-proof. They are just as vulnerable and exposed to outside tampering as any other Internet resource.
Attackers doing website phishing usually have advanced tools and skills. They hardly have anything in common with wannabe hackers who use a phishing kit for dummies purchased on Black Friday. Social engineering, psychology, website development, and programming are fields where modern phishers have solid experience and knowledge.
These criminal professionals know how to detect and exploit website vulnerabilities. Once they decide your website suits their purposes, developing its clone and publishing it on the web is a matter of hours.
I have been monitoring website phishing cases long enough to admit that a good deal of the clones are really flawless. Victims see no reason to suspect a scam. Read this CSO article on twin websites to see the variety and artfulness of phishing attacks. This proves that any page, including a high-profile or institutional website, can be exposed to spoofing.
Beware of such cases and adopt tactics that ensure a website you log into is genuine. Apply vigilance and forethought: check website certificates, carefully inspect the website URL, and be sure it corresponds to the genuine website. Under no circumstances download and install any content or enter your login credentials simply because a familiar-looking page asks for it.
Actually, it is better to bookmark all important websites in your browser and open them only through those verified bookmarks.
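The URL check described above can be automated against a bookmark list. The following is an added example, not code from the original article; the bookmarked hostnames are constructed placeholders, and the helper names are hypothetical.

```python
"""Check whether a link points at a bookmarked, genuine site (added example)."""
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist standing in for the user's browser bookmarks.
BOOKMARKED_HOSTS: Set[str] = {"mail.example-corp.com", "www.example-bank.com"}


def host_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if it is unusable."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return None          # plain http or odd schemes never match a bookmark
    host = parts.hostname    # urlsplit drops user:pass@ and :port for us
    if not host:
        return None
    return host.rstrip(".")  # "example.com." and "example.com" are the same host


def matches_bookmark(url: str, bookmarks: Set[str] = BOOKMARKED_HOSTS) -> bool:
    """True only when the host is a bookmarked host or a subdomain of one.

    Deliberately rejects the usual lookalike tricks:
      - userinfo decoys   https://www.example-bank.com@attacker.test/
      - host-as-prefix    https://www.example-bank.com.attacker.test/
      - punycode labels   xn--... names that render like the genuine one
    """
    host = host_of(url)
    if host is None:
        return False
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == b or host.endswith("." + b) for b in bookmarks)
```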
Myth 3: Most risks can be avoided by training employees to deal with email securely
Most of us have gone through an employee onboarding routine. This usually requires a new staff member to read some rules and procedures, get acquainted with other staff members and leadership, watch tutorials, etc.
Many businesses apply significant effort to make their staff security-savvy. The next myth is as follows: investing in staff digital awareness significantly reduces email risks. Is this just a myth or reality?
I am sure it is not a myth. If your staff members get trained in email security by studying real-life cases, their skills and habits will change. A well-trained employee can tell a genuine email from one concocted by crooks, detect attempts to fake a corporate email or website, identify malicious file attachments, and notify the proper units of any irregularities.
The training must not be a snore-fest. Encourage trainers to use plenty of video and audio tutorials, real phishing email messages, and spoofed websites. Engage the audience as much as possible. Entertainment cannot substitute for learning entirely, but it facilitates and enhances it dramatically. And, of course, launch simulated phishing attacks, prepared by your IT staff, against your organization.
Myth 4: Web browsers warn about all insecure websites
If you check the SSL certificate once your browser loads a website, it means you are fully aware of the visited page's security properties. As for the myth, it goes like this: my browser always flags any insecure or phishing page. Myth or reality?
It is only a myth. There are two warnings browsers usually show a website visitor. If your browser believes the site is secure, you are going to see a padlock. An exclamation mark appears if there are certain security concerns.
In the wild, even a site marked with a padlock is not necessarily safe. Cybercrooks use shady certificate authorities or submit false info to obtain a valid website certificate. However, ordinary users usually do not dig so deeply. If they see a padlock on the page, they think that everything is OK.
On the other hand, sometimes sites flagged as insecure might prove safe. A few errors in the website’s code can make the difference. Tech glitches may also happen. So, although browsers do their best to protect users, we still should not blindly trust the padlock icon.
Anyway, if, while examining the SSL certificate, you see that some fields are empty or contain irrelevant data, the best response is to leave the site and report the malicious or suspicious behavior.
Myth 5: Blacklisting active malicious websites provides immunity to further attacks
Suppose you know that some websites, such as Search Baron, described here, will redirect you to bogus offers or a phishing site. What are you going to do next? Are you going to add the website to your blacklist? Some people believe that if they block several malicious websites, they are safe from further attacks. True or false?
This is a false belief. Even if you blacklist a dozen malicious websites, hackers still have countless new URLs on which to set a phishing trap. Did you know that registering and establishing a new website takes just several hours? You block one domain; they register another lickety-split. It is a cat-and-mouse game.
The same happens with antivirus vendors. They constantly detect and quarantine new viruses and malware, but malefactors create new ones again and again.
Blacklisting a phishing URL is a good idea. Still, it is only a halfway solution. Your job is to learn how to identify such websites by their behavior and characteristics.
Email security is all about the parties involved. The weakest link is the human factor. The five myths I have reviewed show the utmost importance of security awareness training.
If you are considering a software solution for email security, it should cover all attack vectors, including vendor email compromise, worms, macro viruses, etc. At the same time, it should help minimize the risks caused by the human factor.