By now, most people are well aware of the dangers of malicious emails. However, we’re still falling for the scams—and cybercriminals are still profiting from our ignorance.
Part of the problem is that encrypting email messages is difficult at best. Even the most security-driven companies using advanced encryption technologies find it difficult to keep up. Another issue is that cybercriminals target those who use these encryption technologies, meaning that efforts towards encryption are often too little, too late.
Where it all began
In the beginning, the world’s email was controlled and managed by a tiny network of technicians. It was originally developed as an internal communication tool for universities and the military, but as it began to spread to the rest of society, it was a new, wild frontier characterized by a lack of privacy and authentication.
It was easy for anyone to forge an email signature or spoof an email address, so there was no real way to tell whether or not a message was bona fide. Additionally, administrators running the servers could read or intercept messages at any time.
When you think about it, not much has changed in the 45 years since email first came to be. Email clients—the tools that allow us to send and receive messages—have changed, but the underlying problems that created the security issues in the first place have not.
The concept of cryptographic keys was introduced in 1976, but it was commandeered by governments and the military for their own purposes. By the time email became widely available to the public in the 1990s, cryptography was still a classified technology that was not to be freely shared. This made email a space ripe for disruption.
In 1991, a man named Phil Zimmermann changed the course of email privacy by offering the first known privacy-as-a-service company: Pretty Good Privacy, or PGP. PGP made it possible to encrypt and sign emails in such a way that the source could be identified by a cryptographic key.
This sparked somewhat of a revolution on the web, and eventually, cryptology became common, helping us assign trust not only to email, but to news sources, online merchants, and any other place on the web that might request, use, or collect our personal information.
PGP soon had some competition from the creators of MIME (Multipurpose Internet Mail Extensions), which by 1995 had evolved to become S/MIME. This technology allowed email users to attach third-party documents to emails and instruct the receiving computer what to do with those files. As the web entered common space, MIME standards allowed email to morph into web browsers, calendar apps, chat, personal online profiles, and so on.
The current email risk climate
Today, email hackers take full advantage of the fact that your email client thinks it’s a browser. Malicious instructions can be hidden carefully in HTML code, primed to execute with a simple action: you reading an email.
It goes something like this: a forged email lands in your inbox. It looks totally legitimate, perhaps even containing perfectly believable and recognizable images from your bank, your ISP, a colleague, vendor, supplier, or even your best friend.
You open the message. You click a link. And depending on the code contained in the message, you could be leaving yourself—and your company—open to attacks.
When you open an email, you are inadvertently asking the email client to run whatever the sender intended—for better or for worse. It could be a simple text message…or it might be malicious code designed to infiltrate your systems and gain access to your network or personal information.
What can be done?
These attacks are highly prevalent today and are built upon the vulnerabilities of our email systems. Until the inherent design of email clients changes, we must continue to be aware of the potential for danger.
While you may have advanced protections enabled from the network level all the way down to each individual device, these protections will not prevent an email attack from succeeding if the message is opened and the intended action is initiated.
The best way to protect yourself and your company from email hacks is simple: educate! When you know what to look out for, you can help prevent the risk of email cyberattacks.
Typical signs of malicious emails include (but are certainly not limited to):
- Non-personalized greetings. The major businesses that you deal with, like banks and retailers, already have your information—including your name. Form letters from institutions that you’ve already given your info to should be treated with suspicion, especially when those emails ask you for your personal information.
- Odd-looking links. Typically, websites strive to have simple, clear links—especially when those links are being sent to customers. Hover over the links in your email to see exactly where they’re taking you. If the addresses look like a lot of mish-mash, or if they don’t quite seem to match where the text claims it’s sending you, they may not be safe for you to click.
- Attachments you can’t immediately identify. This includes sudden, unexpected invoices from somewhere you haven’t been in a while, or emails that claim to be urgent while conveniently skimping on details. Hackers count on you opening those to launch malware, so before you do, take a moment to decide if the strange bill you just received is legitimate.
Protect yourself from email cyberattacks
Knowing what to be aware of may be one of the most effective ways to protect yourself from email cyberattacks, but it’s not the only way.
If you do business in Arkansas and would like to learn more about what you can do to prevent malicious emails from taking your company down a treacherous road, reach out to Business World today to set up a consultation.