With the continued rise in business email compromise and other types of email fraud, enterprises need to develop their own best practices for email security. While there are many technical measures organizations can take to improve email security, educating end users on the importance of email security is just as important.
Technical best practices for email security
Enterprises can offset email threats with a variety of technical solutions that are largely transparent to their users, including the following:
- Antispam and antiphishing approaches can monitor and filter messages that look like spam or phishing attacks.
- Simple Mail Transfer Protocol Secure (SMTPS) can use the Transport Layer Security protocol to encrypt SMTP protocol messages in the same way that web traffic is encrypted using the HTTPS protocol.
- DomainKeys Identified Mail (DKIM), a protocol usually paired with Domain-based Message Authentication, Reporting and Conformance (DMARC), can authenticate email sent from a domain and combat email spoofing.
- Signed email using the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol enables senders and recipients to digitally sign and authenticate email messages.
- Email monitoring can detect and block messages sent from compromised accounts.
- Email filtering can block certain types of attachments that are known to carry malicious content.
- Secure email client configurations can also reduce the risk of malicious email.
Some of these measures mark email as higher risk or as potentially untrusted; some modify the subject line to highlight that the email originated from an outside source.
Even when companies use these best practices for email security, employees should still exercise caution when using email. Recipients must still decide whether opening an attachment, clicking on a link, initiating a financial transaction or taking some other action is appropriate based on the email.
Employee best practices for email security
It's unreasonable to expect people to stop using HTML email, and doing so wouldn't stop compromised accounts from being used for phishing. However, people need to be skeptical about email.
Some best practices for email security for employees include:
- Checking to see if the email address of a questionable message matches the reply-to email address.
- Verifying that URLs in an email go to legitimate websites.
- For emails prompting the recipient to take potentially harmful action, as in whaling attacks soliciting large payments, the employee should use a more reliable communications channel -- such as a phone call or in-person meeting -- to confirm that the request is legitimate.
Enterprises can also train employees on good email etiquette and usage, along with awareness training for any of the technical measures the enterprise is using. As part of a security awareness program, enterprises should develop their own best practices for email security, starting with making sure that users are trained to not click on attachments or links in sensational emails, even those sent internally.
Another best practice worth considering is teaching users how to find and review the full headers of an email or at least contact the enterprise help desk for help investigating to determine if a suspicious email requesting a payment is legitimate.
Many of the same risks related to email apply to other forms of electronic communications, like instant messages, Slack and social media, where the communication channels can be used as a vector to attack an individual.