Email is the primary attack vector for hacking and fraud, and the situation is only getting worse. From 2017 to 2018, email-based attacks on businesses increased 476%, according to the most recent threat survey by the cybersecurity firm Proofpoint. The FBI reports there are around 14,000 email scams each year worldwide, costing companies $12 billion. And most small businesses don’t believe they could remain profitable if they lost their data.

There are several reasons hackers target email so often:

They work — human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people.

— human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people. They store lots of data — your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes.

— your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes. Email is ubiquitous — everyone uses email, making the number of potential targets in a single organization as large as the payroll.

— everyone uses email, making the number of potential targets in a single organization as large as the payroll. Email is identity — your email account is used to verify your identity, email addresses are often usernames, and a successful account takeover is an entrypoint to further attacks.

Given the stakes, secure email practices must be a priority for your organization. Based on what we know about attacks, implementing this advice can reduce your exposure to email attacks.

Train employees on common attacks

It’s important to create a culture of security awareness in your organization, and email security should be at the top of the list. There are a few areas you should cover:

Phishing

Phishing attacks attempt to trick victims into clicking on links or downloading attachments in emails that appear to be legitimate. A lot of times, phishing emails are obviously fake. But sophisticated ones might spoof the “from” address to look like an official sender and design the email in a convincing way.

For example, the phishing email that exposed Hillary Clinton’s campaign emails looked like this:

When her campaign manager clicked the “change password” button, it took him to a page operated by the hackers, where he proceeded to enter the login to his Gmail account. Other kinds of phishing attacks might result in malware or ransomware being installed on your device or network.

You can prevent phishing attacks by training your employees to be vigilant. As a general rule, they should never click on links or download attachments in unexpected emails without first verifying their legitimacy. ProtonMail provides a number of anti-phishing features, such as report phishing, anti-spoofing, and DMARC protection. If you receive an unexpected email alert from an online service you use, it’s always better to go to the website and log in to your account there, rather than clicking the link in the email.

Fraud

The FBI report cited above focuses on another kind of email attack: scams. You’re surely familiar with the emails from strangers hoping to send you millions of dollars, provided you cover their wire fees up front. Businesses are often the target of more sophisticated scams that use social engineering.

One common tactic is to spoof a manager’s email address (or actually take over that person’s account) and send an “urgent” message to a lower-level employee asking for a quick transfer to a client. Or they might fake an invoice from a plausible vendor.

Employees should be trained to be skeptical of any emails requesting money transfers or sensitive personal or business data. If there’s any doubt, reach out to a manager or IT contact in the company.

Require two-factor authentication (2FA)

Every employee in your organization should use two-factor authentication in any online account that offers it. With 2FA enabled, after entering their username and password, a person then also has to enter a code from a fob or an authenticator app installed on their mobile device. (Email and SMS codes are also common, though these are less secure. Hardware authenticators are most secure). If Hillary Clinton’s campaign manager had 2FA enabled on his Gmail account, the hackers would not have been able to access his account unless they also had control of his smartphone.

Enforce password security

Using a strong, unique password is the first line of defense for all your organization’s accounts and devices, including email. We have previously offered our recommendations for choosing strong passwords, but there are two main points:

Use a different password for each online account.

The longer and more random your password is, the more secure it is.

There is no reason to ask employees to reset their passwords periodically or to require the use of certain kinds of characters. It’s much more important to ensure they are choosing a strong, memorable password or using a trustworthy password manager to help them do it.

Use encrypted email

Some email providers are more secure than others. If you are using an email service that does not use end-to-end encryption, then there is a possibility that a data breach will expose your organization’s emails. For certain organizations, this can also increase your liability for penalties under HIPAA and the GDPR.

Unlike Gmail and other mainstream providers, ProtonMail does not have the ability to decrypt users’ emails and neither do hackers. The only way someone could access messages sent between ProtonMail accounts would be to compromise the end-user or stage an elaborate man-in-the-middle attack. We have also taken measures, such as Encrypted Contacts and Address Verification, to drastically reduce the possibility of one of these attacks succeeding.

Reduce your attack surface

Every email address is an opportunity for an attacker. So if you reduce the number of employees with publicly available email addresses, you can reduce your potential attacker’s options. You should only list essential employee names and contacts on your organization’s website. You can also consider using non-obvious email formulations that are difficult to guess. For example, instead of alice.smith@example.com, you could use as938@example.com.

ProtonMail is committed to providing the most secure email service possible for businesses. Over 10 million users, including thousands of organizations, governments, and small businesses, depend on us to keep their data safe. Learn more about ProtonMail for business.

Best Regards,

The ProtonMail Team

You can get a free secure email account from ProtonMail.

We also provide a free VPN service to protect your privacy.

ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan or donate. Thank you for your support.