[BreachExchange] Bad Email Habits Die Hard
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Oct 21 10:04:30 EDT 2016
http://opensources.info/bad-email-habits-die-hard/
As much as we try to instill good email habits in the workplace, one slipup
can lead to a security breach causing confidential information to get in
the wrong hands. It’s one thing to email the wrong colleague a link to your
favorite YouTube video, but it’s another thing to inadvertently share W-2
forms, company credit card information, or discover you’ve been caught by a
phishing scam.
One fatal click on “Send” can result in the loss of thousands or millions
of dollars for a company. To err is human, but to identify red flags and
understand how to avoid common email mistakes in the workplace is divine.
1) Getting tricked by phishing scams — The worst email habit by far is
assuming a sender is who they say they are. This is especially true when an
unexpected email lands in your inbox and asks you to provide sensitive
information or claims to update you on a shipment you never made.
This is a phishing attack, and it’s one of the more common email scams
today. Phishing attacks are email messages designed to trick you into
giving up information, either by asking you to complete and submit a form
on a look-alike website or to respond to the sender with sensitive or
confidential information.
Thankfully, phishing emails have a few telltale signs. First, check the
email account associated with the sender in the “from” section. You can do
this by hovering over the sender’s name. If the email address is off,
includes an ending similar to “.ru.su.com,” or has an
accounting.yourbank at office.com alias, it’s possible that it is a phishing
attack. Other signs include mismatched URL addresses in hyperlinks, urgent
calls-to-action or attempts to intimidate you through email. Believe it or
not, poor spelling and bad grammar are other telltale signs as well.
2) Lack of awareness on the latest internet threats — Phishing attacks tie
into a larger problem with email security today, and that’s a lack of
awareness of internet threats. Cybercriminals have so many ways to
compromise an organization through email that simply knowing common threats
can put you at an advantage.
An attached image from a stranger could compromise your email account. An
infected .PDF file sent by a “co-worker” could be a ransomware attack.
Knowing to never, ever, open suspicious files from strangers on the
internet is a solid step towards a better email security posture. If a
co-worker sends you a file unannounced, connect with them on chat or in
person to make sure the email is legitimate.
Additionally, cybercriminals frequently compromise public, hotel and café
wireless networks. That’s why you should always use a virtual private
network (VPN) to protect your connection if you ever find yourself working
away from a secure network. Ask your IT department about VPN connections
for more details.
3) Using personal email for work activities and vice versa— Using personal
email for work is insecure and potentially damaging to your organization.
Businesses provide employees with their own work email accounts because
they know — to an extent — that their email service, their server and their
content are secure. They know next to nothing about your Gmail account.
Your personal email account may be secured by a weak password, like
“password,” or, even worse, by a password previously compromised in another
security breach. Additionally, some organizations require you to use their
email solution because not doing so could be a violation of the law —
especially if the organization in question receives frequent Freedom of
Information Act requests, is regulated by HIPAA or deals in sensitive
information.
While we’re on the subject, never use your work email for personal
activities. This bad habit has landed a lot of people in trouble over the
years, especially those who thought it was a good idea to use their work
email as the login address for shady websites like Ashley Madison.
4) Accidentally selecting reply all — This bad habit is so common that it’s
become a cultural joke, but the consequences of sending a “Reply All” email
to the wrong people is no laughing matter.
The risks go beyond simply annoying everyone on the thread or offending or
confusing the receivers: there’s always the chance that you could relay
confidential or protected information in a response intended only for the
original sender. Take the time to make sure you don’t hit Reply All by
accident.
5) Relying on email autocomplete — Finally, we have autocomplete. Long
considered to be one of the more useful tools in modern email, autocomplete
helps speed up emailing by automatically filling an email address for you.
The problem with autocomplete, though, is that it’s easy to assume you have
the right recipient. That’s not always guaranteed. And, when you’re sending
sensitive documents, one wrong email could constitute a data breach. In
fact, in 2010, a police department in the UK accidently leaked a
spreadsheet of criminal record checks to a news website because someone
relied too much on autocomplete. In 2014, one unfortunate U.S. Army officer
accidently sent an email detailing a shipment of Patriot missiles to
Israel. So always double-check where your email will be going.
Despite the rising popularity of platforms like Slack, email is still king
when it comes to business communications. That means the elemental
features of email — and its vulnerabilities— will stay with us for a long
time. But it’s not all bad news: new progress in data monitoring, phishing
detection and file scanning show promise in blocking most modern email
attacks. But we’re still a long way from worry-free email. Regardless of
whether we’re sending important presentations, gossiping on the latest news
or testing the waters with the latest email program, we’ll always need to
keep good email habits in mind.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161021/e3a3699f/attachment.html>
More information about the BreachExchange
mailing list