

Since the invention of email, the communication of many companies has relied on it. Over time, business email has become exposed to a variety of security threats that you need to be aware of and prevent. We’ll discuss them in detail below.

Common Business Email Security Threats

The most important – and common – business email security threats are phishing, spoofing, business email compromise, spear-phishing, and whaling. Let’s take a very quick look at them:

Phishing

Phishing is a malicious technique based on deception, used to steal sensitive information (bank account details, credit card numbers, usernames, passwords, etc.) from users. The attackers pretend to be a trustworthy entity (usually by copying the look and feel of a big brand) to trick the victims into revealing their confidential data.

Email spoofing

Email spoofing is a method of collecting personal information and data from online users, as well as taking over their accounts, distributing malware, and stealing money. Victims are more likely to open an email that appears to be genuine and from a reputable sender. In email spoofing attacks, malicious actors can make it appear as if an email was sent by a familiar person, such as a colleague, partner, or manager.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a type of targeted fraud in which a threat actor pretends to be a company executive or high-level employee in order to defraud or collect confidential information from the organization or its partners. The main objective of a BEC scam is to try and convince the potential victim to transfer money or personal data to the cybercriminal while they think they are conducting a legitimate business transaction.

Spear phishing

Spear phishing can be defined as an email spoofing attack that targets very specific individuals, typically in particular roles within an organization. What makes these attacks so successful? The spoofed emails look like they’ve been sent by well-known market actors such as PayPal, Google, Spotify, Netflix, and even Apple Pay.

Cybercriminals use spear-phishing as a method of stealing personal information or installing malware on the machines of specific victims. Spear-phishing attacks are extremely targeted, highly effective, and very difficult to avoid.

Whaling

Malicious actors use whaling phishing to obtain private information about their victims, steal money, or gain access to their computer systems for malicious purposes. Whaling is distinct from phishing in that it primarily focuses on high-profile, well-known, and wealthy individuals such as CEOs, top-level executives, and even famous people – hence the name “whaling.”

Attack Consequences

Cyber-attacks have significant consequences for businesses all around the globe, whether we’re talking about start-ups or large corporations: 

Intellectual property loss

Business email compromise generally leads to leaks of data, trade secrets, customer lists, research, patents or designs, and so on. As you can imagine, if sensitive information falls into the wrong hands, nothing good can happen.

Regulatory fines

Data leaks also mean regulatory fines. Exposing customer and employee data may lead to severe financial penalties.

Reputation damage

Trust between you and your customers or business partners is of paramount importance to any company. Exposed data and regulatory fines will not help you maintain it, and if the brand value decreases, so does your revenue.

Loss of customers

Directly or indirectly, data breaches affect customers, who might start looking for similar products or services that they consider more secure. Apart from customers and, consequently, revenue, the affected companies may also lose investors.

Attack Examples

Whether we fancy social media or not, whether we have an account or not, we’ve probably all heard of Facebook – and so have some hackers, who made the American giant lose over $100 million between 2013 and 2015.

Google was affected back then too. What happened? Malicious actors orchestrated a scheme “that included setting up a fake business and sending phishing emails to employees of Facebook and Google.” They posed as “another company, Taiwan-based Quanta Computer — which actually does business with Facebook and Google.”

The hackers “created fairly convincing forgery emails using fake email accounts, which looked like they were sent by employees of the actual Quanta in Taiwan. They sent phishing emails with fake invoices to employees at Facebook and Google who regularly conducted multimillion-dollar transactions with Quanta, and those employees responded by paying out more than $100 million to the fake company’s bank accounts, prosecutors said.”

Another example of a business email security breach is the case of Sony Pictures, back in 2014. As ExpertInsights writes:

This is one of the most famous examples of how phishing attacks can catch more than just money. A group attacked Sony after they refused to withdraw a film mocking North Korean leader Kim Jong Un.

This targeted attack used more than just fake emails. Hackers actually gained access to Sony’s building by tricking employees. They impersonated IT staff, then used their credentials to plant malware on Sony’s systems.

This led to the leaks of tens of thousands of employees’ personal information, film scripts and highly confidential personal emails.

How to Stay Safe?

What are the best prevention measures you should adopt in order to achieve great business email security? 

Educate your employees

Employee security training is an essential practice for any organization. Each and every one of them should understand the importance of business email security, the value of sensitive data, and the possible consequences of a successful attack. 

Implement policies and procedures

As I was saying in my article about CEO fraud emails, you need multiple layers of authorization, proper documentation, and/or verbal approval before any money or sensitive information transfer happens. 

Plan for the worst-case scenario

In case a business email account gets compromised, every employee should know whom to notify, and administrators should know how to respond to the breach. Clear protocols will help you eliminate confusion and dangerous delays.

Use an email security solution

Installing email security software is a great plus for any business email security strategy. Heimdal™ provides two such solutions, Heimdal Email Security and Heimdal Email Fraud Prevention. The first one can help you detect malware and stop spam, malicious URLs, and phishing, while the second one offers strong protection against business email compromise and impersonation. Together, the two solutions work to stop and flag every type of malicious email communication there is, including carefully crafted emails coming from a previously trusted, now compromised email address.

While each module is available separately, by combining the two email security solutions, there will be virtually no avenue left for attackers to use your email as a gateway to breaching your organization.


Wrapping Up

Business email security is a factor that greatly contributes to business stability since, as we have seen, a data breach affects the revenue, customers, employees, and reputation of any company.

However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions regarding the topic of business email security – we are all ears and can’t wait to hear your opinion!

This article was originally published by Elena Georgescu in March 2021 and was updated by Antonia Din in May 2022.

Author Profile

Elena Georgescu

Communications & Social Media Coordinator | Heimdal®


Elena Georgescu is a cybersecurity specialist within Heimdal™ and her main interests are mobile security, social engineering, and artificial intelligence. In her free time, she studies Psychology and Marketing. Some of her guest posts on other websites include: cybersecurity-magazine.com, cybersecuritymagazine.com, techpatio.com