While security is everyone’s responsibility, it’s not always easy to get right. Our “Security Best Practices” blog series will provide simple tips that enable users to improve their online security. These articles aren’t for pros, but for those trying to get their basics down.
Even the most sophisticated cyber attacks can begin with a relatively simple email compromise. Only last week, we learned that attackers had crafted fake email invitations to deliver information-stealing malware to guests attending a Palo Alto security conference in Indonesia. The attackers cleverly used screenshots of genuine conference invitations sent by Palo Alto to deceive the unsuspecting attendees.
With this in mind, here are some of our simple tips to help make your email more secure, without the need to set up a private email server.
1. Check your email sources
Always check who the email came from. Attackers use many techniques to try to appear legitimate, such as registering domain names which look almost identical to a genuine domain in order to trick you into visiting their site. This is known as typo-squatting – for example, www.go0gle[.]com (a zero in place of the letter o) might be used to direct users to malware. If it’s an address you’ve never seen before, try searching online for the email domain to see if it belongs to a registered company.
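The sender check above can be partly automated. The script below is an added example, not code from the original post: it extracts the domain from a From: header, undoes the common character swaps typo-squatters use (zero for o, one for l, "rn" for m), and measures how many edits separate the domain from a short allow-list of domains you already correspond with. The allow-list, the swap table and the sample headers are all constructed for this example.

```python
from email.utils import parseaddr

# Constructed allow-list: domains this (hypothetical) reader already trusts.
TRUSTED_DOMAINS = {"google.com", "paloaltonetworks.com", "mybank.example"}

# Substitutions typo-squatters use to imitate a real domain.
# Multi-character swaps come first so "rn" -> "m" runs before "1" -> "l".
HOMOGLYPH_SWAPS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From: header value, or '' if none."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def registrable(domain: str) -> str:
    """Naively drop subdomains so www.go0gle.com is compared as go0gle.com."""
    return ".".join(domain.split(".")[-2:])


def normalize(domain: str) -> str:
    """Undo look-alike character swaps so go0gle.com reads as google.com."""
    for fake, real in HOMOGLYPH_SWAPS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter typos like paloaltonetwork.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted', 'lookalike of <domain>', 'unknown' or 'unparseable'."""
    domain = registrable(sender_domain(from_header))
    if not domain:
        return "unparseable"
    if domain in trusted:
        return "trusted"
    for good in sorted(trusted):
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the post's go0gle example.
    for header in ["Google Alerts <alerts@google.com>",
                   "Google Alerts <alerts@www.go0gle.com>",
                   "Accounts <billing@paloaltonetwork.com>",
                   "Newsletter <news@shop.example>"]:
        print(f"{header!r:50} -> {classify_sender(header)}")
```

A "lookalike" verdict is a prompt to look harder, not proof of fraud: a two-edit threshold will occasionally flag a legitimate but similarly named company, which is exactly the case where the post's advice to search for the domain applies.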
2. Don’t click on links
Don’t directly click on links in an email. Instead, hover over the hyperlink and make sure the URL matches the page you actually want to visit. Attackers are becoming savvier, and they often hide fake URLs behind linked image buttons or text links, such as “click here”.
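"Hover and compare" is what a mail client does for you when it shows the real destination; the script below does the same comparison over the raw HTML of a message. It is an added example, not code from the original post: it lists every link, and where the visible text itself looks like a web address it checks that the host in the text matches the host in the href. Links hidden behind image buttons or generic text such as "click here" cannot be verified from their text, so they are reported as "unverifiable" with their real destination. The sample HTML and its domains are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML email body mixing a spoofed link, an image button,
# a generic text link and an honest link.
SAMPLE_HTML = """
<p>Your invoice is ready:
   <a href="http://login.go0gle.com/verify">https://accounts.google.com</a></p>
<p><a href="http://evil.example/invoice.exe"><img src="btn.png" alt="Download invoice"></a></p>
<p>Read our <a href="https://example.com/policy">privacy policy</a>.</p>
<p>Help centre: <a href="https://www.example.com/help">www.example.com/help</a></p>
"""

DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._href = attrs.get("href") or ""
            self._text = []
        elif tag == "img" and self._href is not None:
            # An image button has no visible URL; keep its alt text as the "text".
            self._text.append(f"[image: {attrs.get('alt') or ''}]")

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def review_links(html: str) -> list:
    """Return (visible text, destination host, verdict) for each link.

    verdict: 'mismatch'     text shows one host, href goes to another
             'consistent'   text shows a host and it matches the href
             'unverifiable' text gives no host (image button, 'click here')
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        destination = host_of(href)
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown is None:
            verdict = "unverifiable"
        elif shown.group(1) == destination:
            verdict = "consistent"
        else:
            verdict = "mismatch"
        findings.append((text, destination, verdict))
    return findings


if __name__ == "__main__":
    for text, destination, verdict in review_links(SAMPLE_HTML):
        print(f"{verdict:12} {text!r} -> {destination}")
```

"Unverifiable" is the normal case for most marketing mail, which is why the post's advice is to hover every time rather than trust the wording; "mismatch" is the pattern behind most credential-phishing links and deserves the strongest suspicion.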
3. Don’t open unsolicited attachments
Files aren’t always what they appear to be. Malware could be masquerading as a seemingly benign text or image file. Now, these types of emails aren’t always that easy to spot, and they won’t all be from a Nigerian prince claiming to hold the key to your long-lost second cousin, twice removed’s “peanut dust” fortune. Some might try to lure you by claiming to represent a legitimate company, such as a supplier, and will attach documents purporting to be invoices in the hope that you’ll take the bait.
Figure 2: Too good to be true? If in doubt, forward all such requests to Dragon’s Den
When dealing with email attachments, be extra careful if asked to enable macros. Macros are small programs embedded within documents. Though not always malicious, they have historically been used to deliver malware. To help combat this, avoid enabling macros in email attachments, and ensure any built-in macro security features are always turned on.
4. Use separate accounts and enable two-factor authentication
We know it’s tempting to simply use one email account across all the online services you are active on, but in doing so you’re playing straight into the hands of an attacker. If someone manages to break into that account, they can probably gain access to every other service registered to that address (especially if you reuse the same password, or if those services reset passwords by email). Consider having separate accounts for different activities, such as one for work email, one for personal use, and another for sites which bombard you with marketing material.
To top it all off, make sure you enable two-factor authentication to make it harder for anyone trying to compromise these accounts. For more tips on better password security, check out our previous blog in the series.
5. Limit how widely you share your email address
Always think twice about what information you’re posting online. An exposed email address on Facebook or a particular forum might be all the invitation someone needs to target you with phishing emails. As well as this, when you sign up for a service or post your email address to a public site, your address can be copied or shared and used by spammers.
So if you have to share an email address publicly, try to avoid using one that is linked to important services – such as Facebook or your online banking.