Cybercriminals are exploiting uncertainty and fear around the COVID-19 pandemic, with phishing emails targeting individuals and institutions — utilizing spoofed identities to evade detection. This is an even bigger concern at a time when most people are working from home (WFH) — far away from direct IT support and with an even higher reliance on email.
Recently, for instance, the FBI warned people to be on the lookout for fake CDC emails and other coronavirus-related phishing attacks. Valimail has found evidence of threat actors sending email from domains that look like the CDC, such as cdc.agency. (The actual domain, cdc.gov, can’t be spoofed because it’s protected by DMARC at enforcement.) Attackers have also sent coronavirus-themed phishing emails that exploit an open redirect on the Department of Health and Human Services’ website to spread malware. And the World Health Organization is warning people about scams in which phishers have impersonated WHO officials.
Complicating the problem is the fact that companies suddenly have many employees working remotely, thereby increasing both the volume of email and the risk that someone who is stressed, tired, or distracted will click on a phishing email by mistake.
The response to these risks does not have to be complicated, but organizations need to take deliberate steps to ensure that they are protected.
11 Work-from-Home Email Security Tips
1. Mandatory MFA
Maintain good security hygiene, as usual, by mandating multifactor authentication (MFA) for email accounts as well as all corporate applications. This greatly reduces the risk of account takeover in the event that an employee does get successfully phished and clicks on a malicious link.
2. DMARC enforcement
If your domains aren’t already protected by DMARC enforcement, now is a good time to prioritize that project. Keep in mind that simply publishing a DMARC record will give you visibility, if it’s correctly configured, but it won’t actually stop phishers from spoofing your identity until you configure an enforcement policy. You need to configure SPF and DKIM properly, and then configure DMARC with an enforcement policy to stop these damaging impersonations.
To help you get started, Valimail offers free DMARC visibility with Valimail DMARC Monitor, which can simplify the process for many organizations.
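The difference between a DMARC record that only gives visibility and one that actually blocks spoofing comes down to a few tags. The following is an added example, not Valimail's code: it parses a DMARC TXT record and reports whether the policy is at enforcement, using constructed sample records for a hypothetical domain.

```python
# Added example (not Valimail's code): parse a DMARC TXT record and report
# whether it is at enforcement (p=quarantine or p=reject) or monitoring only.
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Return policy details plus an 'enforcing' verdict and review notes."""
    tags = parse_dmarc(record)
    notes = []
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {"valid": False, "enforcing": False,
                "notes": ["v=DMARC1 and p= are required"]}
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    pct = int(tags.get("pct", "100"))              # pct= defaults to 100
    enforcing = policy in ("quarantine", "reject")
    if not enforcing:
        notes.append("p=none gives visibility only; spoofed mail is still delivered")
    if enforcing and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if sub_policy not in ("quarantine", "reject"):
        notes.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: you get no aggregate reports to audit senders")
    return {"valid": True, "policy": policy, "sub_policy": sub_policy,
            "pct": pct, "enforcing": enforcing and pct == 100, "notes": notes}

# Constructed sample records for a hypothetical domain (example.com).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
PARTIAL = "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc-reports@example.com"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)]:
        result = assess_dmarc(rec)
        print(name, "enforcing" if result["enforcing"] else "NOT enforcing", result["notes"])
```

Run it against the TXT record at `_dmarc.<yourdomain>` to see which of the notes apply to your own domain.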
3. Build a layered defense
Look into solutions that protect against email attacks by validating the identity of the sender, not just the contents of the message or its context (when it was sent, to whom, etc.). Content-centric email security solutions can often miss the most devious phish, which contain no malware or malicious links but pretend that the sender has an existing relationship with the recipient and therefore can be trusted. It’s also important not to rely solely on traditional email protection that uses historical data (signature-based detection, social graphs, behavior, etc.) to detect and stop phish. In fact, over 80% of all phish use sender identity fraud as their attack vector, and over two-thirds of daily phish have never been seen before. Those phish can only be effectively caught by solutions that validate sender identity.
4. Audit email-sending platforms and servers
The average enterprise uses dozens of cloud-based services for nearly every business and IT function under the sun. Many of those services are able to send email on behalf of the company, whether that’s a payroll system sending notifications to the staff or a marketing platform sending emails to prospective customers.
Companies we work with are constantly surprised to discover that there are two or three times as many services sending email on their behalf as they expected. If you find services that aren’t being actively used or which don’t actually need to send email, shut them off to prevent them from being used as a phishing conduit.
The same goes for email servers. Despite the shift to the cloud, Valimail has found that most companies we work with still have a few orphaned mail servers actively sending out messages, sometimes in unexpected places, like that fax machine in your Hong Kong office. If mail servers aren’t being actively used for a legitimate business purpose, turn them off.
You can’t protect or control your email ecosystem if you don’t audit it.
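A domain's SPF record is one place the sending-service inventory is written down. The following is an added example, not Valimail's code: it lists the services and IP ranges an SPF record authorizes and counts the DNS-lookup mechanisms against the limit of 10 from RFC 7208, beyond which receivers return a permanent error and SPF stops passing for anyone. The record and the `.example` service names are constructed, and `include:` targets are not resolved.

```python
# Added example (not Valimail's code): inventory the senders an SPF record
# authorizes and count lookup mechanisms against RFC 7208's limit of 10.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10

def audit_spf(record: str) -> dict:
    """Return includes, direct IP ranges, lookup count and the 'all' qualifier."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    includes, ips, lookups, all_qualifier = [], [], 0, None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier        # '-' hardfail, '~' softfail, '?' neutral
            continue
        if "=" in term:                      # modifier such as redirect= or exp=
            name, _, value = term.partition("=")
            if name.lower() == "redirect":   # redirect costs a lookup too
                lookups += 1
                includes.append(value)
            continue
        name, _, value = term.partition(":")
        name = name.split("/")[0].lower()    # strip CIDR suffix, e.g. a/24
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "include":
            includes.append(value)           # a third party that may send as you
        elif name in ("ip4", "ip6"):
            ips.append(value)
    return {"includes": includes, "ips": ips, "lookups": lookups,
            "over_limit": lookups > MAX_LOOKUPS, "all": all_qualifier}

# Constructed sample: one on-premises range plus five cloud services.
SAMPLE = ("v=spf1 ip4:203.0.113.0/24 include:_spf.payroll.example "
          "include:spf.crm.example include:mail.helpdesk.example "
          "include:spf.marketing.example include:_spf.webmail.example a mx ~all")

if __name__ == "__main__":
    result = audit_spf(SAMPLE)
    print("services authorised to send:", result["includes"])
    print("lookups used:", result["lookups"], "of", MAX_LOOKUPS,
          "(OVER LIMIT)" if result["over_limit"] else "")
```

Every `include:` that nobody on the team can name is a candidate for the shut-it-off list above.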
5. The role of training
Anti-phishing training is important, partly to teach people not to click on obvious phish, but also to educate employees about what to do when they receive an email that looks suspicious to them. Employees should never wonder what to do or how to respond when they see a suspicious message. Make it easy for them to report phish.
A related point: Provide a feedback channel for those reports. This can be as simple as an email address monitored by your IT team, or as complex as a cloud-based system that integrates into your email so employees can mark suspicious messages with the click of a button. Regardless of the method you use, you will want to collect these messages as an important confirmation of whether your existing defenses are working, what’s getting through them, and how you might need to adjust your defensive strategy or email policies.
6. Use Email Filtering Solutions
Deploy advanced email filtering solutions that use AI and machine learning to detect and block suspicious emails before they reach your employees’ inboxes. These solutions can identify patterns and anomalies that traditional filters might miss, providing an additional layer of protection.
7. Regularly Update Software and Systems
Keep all email-related software (including your email client, servers, and any integrated security tools) regularly updated with the latest patches and security updates. Cybercriminals frequently exploit known vulnerabilities in outdated software to gain unauthorized access or deploy malware. Regular updates not only close these vulnerabilities but also improve the overall performance and security features of your systems. Implementing an automated update schedule can help maintain consistency and minimize the risk of human error.
8. Conduct Regular Security Audits
Perform regular security audits of your email infrastructure to identify potential vulnerabilities and areas for improvement. These audits should cover your email authentication practices, email filtering effectiveness, and overall security posture. The authentication review should be thorough: check your SPF, DKIM, and DMARC configurations to confirm they are correctly implemented and enforced.
9. Build a Culture of Security Awareness
Encourage a culture of security awareness within your organization by regularly communicating the importance of email security. Conduct ongoing training sessions and workshops to educate employees about recognizing phishing emails, avoiding suspicious links, and reporting potential threats. Share tips, reminders, and updates on emerging threats to keep security top-of-mind for all employees. Consider recognizing and rewarding employees who demonstrate strong security practices.
10. Require Strong, Unique Passwords
Mandate that all employees use strong, unique passwords for their email accounts and change them regularly. Strong passwords should be at least 12 characters long and include a mix of letters, numbers, and special characters. Encourage the use of password managers to generate and store complex passwords securely, reducing the risk of password reuse across multiple accounts.
11. Monitor for Compromised Accounts
Even the best security protocols will fail sometimes. Implement monitoring systems to detect unusual login activity or behavior that might indicate a compromised account. This includes monitoring for logins from unfamiliar locations, rapid successive login attempts, or changes in user behavior patterns. Swiftly respond to any signs of account takeover by locking the affected account, investigating the breach, and taking corrective actions to prevent further damage.
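The two signals named above, rapid successive attempts and a sign-in from somewhere the user has never signed in from, can be checked with a small amount of logic over the sign-in log. The following is an added example, not Valimail's code: it runs over constructed sign-in events (timestamp, user, country, outcome) and raises an alert for a burst of attempts and for a successful login from a country outside the user's baseline; the thresholds are assumptions to tune.

```python
# Added example (not Valimail's code): flag login bursts and sign-ins from new
# locations in a list of constructed sign-in events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, country, outcome).
EVENTS = [
    ("2020-04-01T08:00:00", "alice", "US", "success"),
    ("2020-04-01T08:05:00", "bob",   "US", "success"),
    ("2020-04-01T09:00:00", "alice", "US", "success"),
    ("2020-04-01T09:10:00", "bob",   "US", "failure"),
    ("2020-04-01T09:10:04", "bob",   "US", "failure"),
    ("2020-04-01T09:10:09", "bob",   "US", "failure"),
    ("2020-04-01T09:10:15", "bob",   "US", "failure"),
    ("2020-04-01T09:10:20", "bob",   "US", "failure"),
    ("2020-04-01T13:00:00", "alice", "RU", "success"),
]

def detect_account_anomalies(events, burst_n=5, burst_window=timedelta(seconds=60)):
    """Return alert strings. Each user's earlier successful logins form their
    location baseline; burst_n attempts (any outcome) inside burst_window fire once."""
    alerts = []
    seen_countries = defaultdict(set)   # user -> countries seen on successful logins
    recent = defaultdict(deque)         # user -> attempt timestamps inside the window
    for ts_str, user, country, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        window = recent[user]
        window.append(ts)
        while window and ts - window[0] > burst_window:
            window.popleft()            # drop attempts older than the window
        if len(window) == burst_n:      # alert once when the threshold is crossed
            alerts.append(f"{user}: {burst_n} attempts within "
                          f"{burst_window.seconds}s ending {ts_str}")
        if outcome == "success":
            if seen_countries[user] and country not in seen_countries[user]:
                alerts.append(f"{user}: success from new country {country} at {ts_str}")
            seen_countries[user].add(country)
    return alerts

if __name__ == "__main__":
    for alert in detect_account_anomalies(EVENTS):
        print("ALERT", alert)
```

In production the baseline would be built from a longer history than the same log being scanned, and an alert would trigger the lock-and-investigate steps above.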
Protect Your Email Infrastructure with Valimail
Follow these strategies, and your email infrastructure will be far safer from phishing attacks. You’ll be protecting not only your employees, but also your customers and partners, from one of the most commonly used vectors for cyberattacks. And you will be ensuring the safety and reliability of one of the most ubiquitous, robust, and effective means of communication available to businesses today: Email.
Find out more about how Valimail’s zero-trust email security platform can help protect your employees from phishing, BEC, and email identity scams.