What’s the first thing you remember about creating your email account? If “choosing a good password” was your answer, then you’re in the right spot. After careful thought and consideration and perhaps several cups of coffee, I have decided to tackle the most common and uncommon myths surrounding email security. So, in today’s article, we’ll be talking about passwords, privacy, best practices, dos and don’ts, and some misconceptions about email security. Let’s get started.
Myth #1. All you need is…a strong password
The myth goes like this: to make your email address totally unbreakable, it’s enough to set a strong and unguessable password. True or false?
First of all, there’s no such thing as a set-and-forget password or passphrase. Common sense (and cybersecurity experts) dictates that a password, regardless if it’s associated with your Spotify account or email address should be changed every three (3) months. There’s a reason behind that educated guess: should your account become compromised, by changing your current password, you can lock out the hacker.
This isn’t always the case but works most of the time. Second, a strong password is not enough. If you’re the owner of a corporate email account, your IT Department will decide the best way to go about this. Usually, it involves some sort of secure login policies, mandatory password rests & changes, MDMs, black- or white-listing BYODs, and, of course, multi-factor authentication. In essence, the myth according to which a password is more than enough to keep your account safe is ‘faker’ than Washington’s all-wooden dentures.
Myth #2 Institutional Websites are impossible to duplicate
You’re probably asking yourself right what does this have to do with email security. Heard about phishing? That’s your no. 1 concern when it comes to the ‘locktightidness’ of your account. So, the myth goes like this: there’s no way someone can waltz in and duplicate an institutional website. True or False?
Just because the xyz.com website belongs to NASA or the DOD, it doesn’t mean that it’s completely secure and impervious to outside tampering. A website by any other name would have the same issues, vulnerabilities, and exposures as any other website out there.
Now, bear in mind that these hackers are not just some random dudes, wearing hoodies and V for Vendetta masks, messing around with a potato computer in their mom’s basement. Most have hands-on experience in website design, PR, social media, and yes, even NLP. If they do manage to get inside an institution’s website, there’ nothing stopping them from cloning it and putting it out there in the open.
And believe me, some of the clones look even more real than the real thing. Check out this article by CSO’s Roger A. Grimes about look-alike websites to see for yourself what true deception looks like. To sum up: an institutional website can be cloned. It’s your job to figure out if a site you’re on is real or fake. Don’t get sidetracked, don’t get distracted, and never ever download and install things on your machine just because a website asks you to.
Myth #3 Drilling your employees in email security significantly reduces security risks
Does the word “on-boarding” sound familiar to you? Probably most of you have been through some form of on-boarding: reading tons of educational material, meeting the crew, watching videos, getting acquainted with department heads, and so on. Well, for some companies, digital awareness is part of their onboarding curriculum. As for the myth, it goes something like this: will spend thousands of bucks on cybersecurity drills make any difference in the long run?
Frequent cybersecurity drills, with real-life scenarios, will certainly increase awareness among your employees. Trained employees will learn to make the difference between a legit email and a fake one, recognize business email compromise attempts, and report any unusual occurrences to the right department.
There’s no right or wrong way when it comes to setting up these drills – most business owners prefer designating someone from inside the company to deliver these presentations, while others chose to work with independent contractors.
My advice to you: don’t make them boring. Leverage any kind of resource you can get your hands-on – audio, video, flashcards. You can even attempt roleplaying (not that kind). The purpose here is to make it memorable, fun, and, of course, educational.
Myth #4 Malicious websites are flagged as unsecured in your browser
What’s the first thing you look at when you land on a new website? If the SSL certificate status was your answer, it means you really know your way around a webpage. Here’s the riddle: is it true that all malicious and phishy websites are flagged unsecured by default?
Browsers display either a padlock if the site’s secure or an exclamation mark if the website’s security is not up to speed. In most cases, sites flagged as insecure have a high probability of hosting malicious code andor applications, but that’s not always the case. The cassette can easily be changed with a few lines of code. And who would bother to investigate the website’s SSL certificate if there’s a padlock icon next to its URL?
Lesson learned: don’t believe anything you see. Should the padlock icon appear, go ahead and click on it and inspect the website’s certificate? If it was issued by a verifiable authority, then you’re in the green. On the other hand, if all the fields are blank or filled with nonsensical information, then you would do well to close that tab and report the website.
Myth #5 Blocking a single phishing URL protects you from future phishing attempts
This is one of my favorites – let’s say that you somehow managed to figure out that the link you’ve just discovered points to a phishing website. Naturally, the most sensible thing to do would be to block that link. According to this myth, if you block a phishing URL you’ll be safe from future phishing attempts. True or false?
Blocking one or two or three or even twenty phishing links won’t stop hackers from sending you additional ones. Do you know how long it takes to create and register a new domain? Less than a day; probably even faster if you skip things like content, digital certificates, social media, privacy policies, etc. Basically, within a single day, you can be phished twice, from two different domains.
Of course, no one’s stopping you from blocking phishing domains, but that only solves half the problem, the other half being your ability to recognize the tell-tale signs of a phishing domain. Bear in mind that most phishy links are found in email bodies received from apparently legit sources.
Parting thoughts and additional recommendations
Before I scoot, I’ll leave you with this (very) old saying: “there are always three sides to a story: yours, theirs, and the Truth.” Don’t know who wrote it, but I find it quite relatable. As you’ve probably guessed, there are many more email security myths out there than I could possibly cover in a single article.
Now, as a recommendation, I would advise you to get ahold of a hands-on email security solution that is capable of covering all attack vectors.
Heimdal™ Security’s Fraud Prevention is possibly the best defense against business email compromise, vendor email compromise, macro viruses, worms, and type of malware that uses email comms to move around. As always, stay frosty, stay safe, and shoot me a comment if you have further questions on the topic.