Email in the age of Cybercrime
The internet security landscape has changed dramatically over the last few years. Statistics show that cyber-attacks in South Africa have increased by 22% in 2019 compared to the same quarter in 2018. Amin Hasbini, head of global research and analysis for Kaspersky in the Middle East, Turkey and Africa, equates this to 13 842 attacks per day [1]. With numbers like this, internet security, and email security in particular, must be made a priority.
Why is emphasis placed on email security?
In business, email is used more often than any other communication medium. Email is used for its convenience and speed, as well as for its capacity for keeping communications sent and received on file. However, email is communication that occurs over the internet, and as cybercriminals get smarter, the chance of a breach increases.
How do cybercriminals get my information?
There are many ways for cybercriminals to gain access to your information, including:
- An anti-virus program that fails to detect malicious software, is not up-to-date or is bypassed to open a file or a website.
- A user visit to a legitimate website that has been compromised.
- Users clicking on links in emails or running programs that were downloaded from or on the internet.
- Users are deceived by phishing scams that are engineered to trick them into providing sensitive information. Email phishing typically directs a user to a fake website from a link in an email that appears to be from a familiar institution or individual.
- Brute force attacks on mail servers to obtain email passwords.
When a malicious program finds its way onto your computer, your information, including usernames and passwords, is compromised. If your email password is compromised, cybercriminals can set up your email account on their own devices and send and receive email from your email address. It is also possible for cybercriminals to intercept user emails, forge email headers and pretend to be you. This is called email spoofing and is a common technique for executing phishing scams.
How do I protect my company from email scams?
Email security requires a multi-tier approach: technical controls, policy, and user awareness. Technical considerations may include DMARC (Domain-based Message Authentication, Reporting and Conformance), which is an email authentication, policy, and reporting protocol. DMARC builds on technologies such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which, put simply, are intended to combat email fraud such as spam, spoofing and phishing. It is, however, important to note that DMARC does not protect against all types of attacks. These technologies are not explained here; an excellent description of DMARC and other protocols is available on the FAQ page at http://dmarc.org. Policy, on the other hand, is intended to provide clarity on a company’s internal approved procedures, and user awareness requires email users to be vigilant and adequately trained to recognise email scams.
A quick guide to email security
1. Mitigate the chance of a malicious program finding its way onto your computer with the following:
- Never bypass an antivirus program to open an email attachment.
- Be wary of attachments with certain extensions; for example, .htm, .html, .exe, as well as .xls or .doc extensions containing macros. Java attachments should also be considered suspicious. However, any attachment with any extension can be a malicious program, even a PDF.
- If you receive an attachment and the password to open the attachment in the same email, do not open the attachment with the password. If the email is malicious, opening the file may execute a malicious program.
- Never use unknown external devices that are lying around at the office. An external device could contain a malicious program.
2. Be vigilant
- Never accept change of banking details via email or on an invoice attached to an email. Verify banking details by, for example, calling the sender on a known number (do not use contact information that appears in a suspicious email) or by verifying banking details in person. Methods and platforms for verification of sensitive information will depend on a company’s personal preference and the technologies available to them.
- Be cautious of emails that suddenly demand payment not already noted by the accounting department as outstanding. Take time to investigate whether monies are in fact outstanding.
- Be cautious of emails that require you to click on links to “update” or “verify” sensitive information, especially to avoid some kind of account termination or account expiry or other consequence. Requests such as these are designed to look urgent and to frighten users into providing sensitive information fast.
- As a precaution, always hover over links before clicking on them to check what URL the link will take you to. However, nowadays reputable companies and institutions will not require users to take any action from a link in an email.
- Be cautious of emails that open with generic greetings, such as, “Dear User” or “Dear Subscriber”.
- Be cautious of email that is written with bad grammar.
Always take special note of email header information. Verify that the header description (the name of the person sending the email) and the actual email address correspond. Joe Jones
If the email address does not appear next to the sender description, hover over the description or select it so that the email address is displayed. If they do not match, the email may be spoofed.
When in doubt, ask an IT security specialist for advice.
What can companies do to mitigate the chance of email fraud?
- Implement a policy. For example, do not allow users to keep email or other passwords where they are visible outside the company or to other users, require users to have complex passwords that are changed frequently, and do not allow the same password to be used on more than one platform.
- Ensure a clear policy for verifying bank details and presenting company bank details to clients and institutions is in place. The policy should include the company’s approved procedure for verifying banking details and prohibit email verification of sensitive information.
- Do not rely on email communication for sensitive tasks. Try to make use of secure platforms that require two-factor authentication for access.
- Ensure that your IT service provider is competent and has a good reputation.
- Company staff are the last line of defence. Invest in user awareness training and education.
Article by Network and Computing Consultants
Established in 1994, Network and Computing Consultants (Pty) Ltd (NCC) is the trusted Information Technology, Cloud Computing, Networking, Telephony and Internet Solutions provider in Central South Africa. NCC specialises in the development, configuration and optimisation of network security and monitoring tools. NCC can be contacted at http://www.ncc.co.za.
1. Smith, C, 2019, Major spike in SA cyber attacks, over 10 000 attempts a day - security company, Accessed 22 October 2019, Available at