How to Stop Hackers from Invading Your Inbox—and Infrastructure

S/MIME

Imagine trying to run your business or get through a day without email. It’s almost as scary as surviving a day without a venti double shot extra hot latte, or whatever your preferred caffeine fix. We hit send on nearly 113 billion business emails every day according to Radicati.com. That’s a lot of emails and a huge gaping hole for hackers to exploit—and they do with gusto.

Source: Statista.com

The Statistics Are Sobering

The proof of email attacks is everywhere but, just in case you’ve been on a desert island and cut off from all news sources, here are some facts to drive home the point that it’s time to take email security seriously.

  • 71 percent of cyberattacks begin with spear-phishing emails Source: Symantec
  • 92.4% of malware is delivered via email Source: Verizon 2018 DBIR
  • On average, employees receive 16 malicious emails per month Source: Symantec 2018 ISTR
  • 53% of employees have received unencrypted, risky corporate data via email or email attachments Source: SilverSky
  • 22% of organizations experience data loss through email each year Source: Osterman Research, Inc.

Email Enables Widespread Reach

We’ve become somewhat numb to hearing about daily email and infrastructure breaches. A short trip down memory lane might remind you about the massive damage these attacks can inflict.

One of the most devastating hacks on record that’s still making headlines is the 2016 Democratic National Committee (DMC) email leak. The incident involved emails stolen by one or more alleged Russian intelligence agency hackers operating under the pseudonym “Guccifer 2.0“. The reach of this attack spanned 9,252 emails and 8,034 attachments from seven key DNC staff members. The leaked emails revealed information about the DNC’s interactions, including “off-the-record” correspondence with the media, Hillary Clinton’s and Bernie Sander’s campaigns, and financial contributions.

Another well-known attack was the W-2 scam that targeted payroll and tax records. It not only hit businesses hard but messed with the financial welfare of more than 29,534 taxpayers. In one incident, as reported by Salted Hash, hackers sent a spoof email pretending to be one of the company’s owners (which, by the way, is a common ploy for hackers). What employee is going to say no to providing information to the top brass? And, it didn’t stop there. The hackers followed up the first hit with a wire transfer scam, causing some companies to lose both employee’s W-2s and thousands in wire transfers.

Why is Email Such an Easy Target?

For starters, just look at the sheer numbers. Despite earning mission-critical status, email is often overlooked when it comes to disaster recovery and everyday security measures. We all know how well how relying on employees to spot malicious emails is working—or not.

Then there are misinformed assumptions about what’s protected and what’s not. For instance, core email protocols don’t authenticate email origin or sender identity, so it’s tough to differentiate a spoof email from a legitimate one. Also, encrypting email servers with digital certificates ensures users connect to the right mail server, but doesn’t protect the emails themselves.

Let Us Count the Ways

How exactly are they getting in? Hackers are a creative bunch, so it should be no surprise they’ve cooked up a variety of ways to crack into your infrastructure via your company email. Here are the most common:

  • Launching a Business Email Compromise (BEC) attack. BECs are a focused variation of spear phishing with a very specific target. The hacker forges an email pretending to be a top exec requesting specific data. BEC attacks are big business. According to Sectigo, companies were hit with 78,000 BEC attacks between October 2013 and May 2018, causing more than $12 billion in losses.
  • Intercepting unencrypted emails to steal sensitive information
  • Bombarding employee inboxes with malware and phishing attacks to gain access to company assets

BEC attacks are particularly dangerous because they exploit the internal trust a company has worked hard to establish. Hackers are now sophisticated enough to match the style of the person they’re impersonating making it harder to spot fake emails. 

Incoming email aren’t your only problem. Ensuring your outbound emails aren’t flagged or mistaken as spam is just as critical. According to Return Path, one in five commercial emails gets filtered out or flagged, so it never reaches the intended destination. What if the one undelivered email happens to be a million-dollar proposal?

Documents Don’t Get a Free Pass

It’s not just your emails that are under attack. Attachments are fair game, too. According to DMR, 2.3 percent of emails have a malicious attachment. That might not sound like a lot but, with the average office worker receiving 121 emails and sending out 40, that means potentially four malicious attachments per person per day. And, Microsoft Office documents are common carriers. Think of the damage it’d cause if a malicious third party intercepted your personal identifying info (PII), company financials, sales data or contracts. E-signatures can be easily forged and don’t require two-factor authentication. That’s why some industry compliance regulations and corporate policies dictate that documents have digital signatures.

Improve Your Email Security with a Few Simple Steps

In today’s digital world, proving our identity has become standard procedure. Answering security questions and confirming you’re not a robot are part of our everyday experience.

When it comes to making sure emails and documents are trustworthy, you need a two-part solution that includes encryption and digital signatures. Both can be conveniently and affordably accomplished with S/MIME certificates.

S/MIME Certificates in a Nutshell

Much like SSL/TLS certificates use a combination of private and public keys to secure data in transit, S/MIME certificates digitally sign and encrypt email communications using the industry-standard Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol. Let’s take a closer look at each of these components.

Encryption

  • Ensures confidentiality, so only the sender and recipient can read the message
  • Content is encrypted using a public key and can only be decrypted with the private key
  • SSL/TLS provides an encrypted tunnel through which the email is sent
  • Maintains integrity by verifying the content wasn’t altered during transit

Digital Signature

  • Authenticates sender and recipient are who they say they are and ensures non-repudiation
  • Generated with a private key and authenticated using the public key
  • The public key/certificate is transmitted with the S/MIME protected email
  • When the recipient opens the email, the public key verifies the signature

Document Signing

Many S/MIME certificates also include document signing to protect sensitive and confidential documents. These digital certificates:

  • Facilitate document sharing by authenticating the sender to prove ownership
  • Ensure the document hasn’t been tampered with or changed by an unauthorized third party
  • Create a unique digital fingerprint, or hash, using an algorithm. The hash is encrypted using the signer’s private key. The encrypted hash and signer’s public key are combined into a digital signature, which is appended to the document.
  • Microsoft Office, or whatever digital signature-capable program the document is opened in, uses the public key to decrypt the hash, confirms the document hasn’t been altered and validates the public key used belongs to the signer

Securing Email and Documents Individually or at Scale

Just as with SSL/TLS certificates, managing volumes of S/MIME certificates can be time-consuming and prone to error. Deployment and management can be streamlined with a Managed PKI (MPKI) solution that lets you automate the entire certificate lifecycle from a centralized dashboard.

UKBSS Ltd is here to help you communicate safely and with complete confidence. We offer S/MIME certificates that are easy and affordable individually or in bulk, as well as smart automated options to save you tons of time and money.

Whether you need one, a handful or hundreds of certificates, contact us  to find out how we can help you ensure your email and documents communicate immediate trust and stay secure.


Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email