Email, unfortunately, is one of the least secure ways to send data across the internet and has been around for years longer than most other modes of communication, making it ripe for exploitation by scammers.
This guide will fill you in on all you need to know about email threats and how you can protect yourself.
What is an email security threat?
Some scammers try to exploit technological vulnerabilities to hack into a given network or device, filling it with malware or stealing sensitive information.
Others use social engineering techniques, which involve tricking humans into making certain decisions – or taking certain actions – that reveal the information the fraudster wants.
Email security threats are often examples of the latter – they are full of malicious links, often nestled in between lines of copy designed to convey legitimacy to the recipient and get them to click through. But this isn't all.
Some statistics about email security threats
Email security should be of paramount concern to individuals, families, and businesses, and attack victims can end up shelling out thousands to right the wrongs caused by the perpetrators. Here are some facts to consider:
- In the USA, there is a hacker attack every 39 seconds.
- 95% of online security breaches were a result of human error.
- 43% of cyber attacks target small businesses.
- The FBI reported a 300% increase in cybercrime since Covid-19.
- Annual spending on cybersecurity will reach $6 trillion this year.
This goes some way to illustrating precisely why it's so crucial to keep yourself up to date on the cybersecurity threats that are out there.
Why is email so insecure?
Email is, unfortunately, an inherently vulnerable channel of communication specifically because it does not provide end-to-end encryption as other mediums do, or indeed encrypted protection of any kind.
A popular platform to exploit
Although a hosting service like Gmail does have encrypted email options, these only matter if the account you're sending to has also implemented the same encryption measures as you have. As soon as you send an email to someone using a different provider, for instance, your emails will be sent across SMTP (Simple Mail Transfer Protocol), which isn't encrypted.
There's also a problem vaguely similar to the one Windows suffers with regard to malware. Windows is the most widely used operating system in the world, and because scammers want to make viruses that can hit as many people as possible, the statistically optimal thing to do is always create viruses for Windows phones. It's the same with email – it's the most popular form of legitimate business-based communication, so it's a no-brainer for scammers.
Human error
Another problem with email is there's a lot of room for human error. It's unlikely that people make more errors on email than they would on a site like Facebook, but email is the form of communication many people use to send their most important files and conduct their work-related correspondence, whilst also being the medium people use the least.
This is why there are examples all over the world of people clicking send to the wrong person, forwarding the wrong emails, and various other mistakes that could be put down as 'human error' that have had major financial consequences.
The most common types of email security threats
There are a number of other email security threats it's useful to be aware of. Because phishing has become a broad term that refers to many different practices, you might see some of the methods listed below categorized as phishing elsewhere.
This is just a different way of splitting them up so they can be easily understood and you have the best chance of spotting them before it's too late.
| Threat | Description |
| --- | --- |
| Ransomware attacks | Commonly delivered through email, ransomware infects a device and demands the user pay a fee for it to leave or it will delete all their data. |
| Spoofing | Like phishing scams, the scammer will pose as a legitimate company – but it's a well-known brand. They can use this to gain entry points for malware or personal information. |
| Pretexting | A scammer will spend time creating an elaborate and detailed persona or story, and use this trust to obtain personal information, often by asking targets to confirm personal information. |
| Conversation Hijacking | Some scammers have been found to compromise the email security of an organization, learn about its business practices, and then masquerade as employees or trusted partners via impersonating an email domain. |
| Cache Poisoning | This technique is initiated by uploading bad data into a DNS server, which means scammers could hijack an email and redirect it to a rogue server, or something similar with a website. |
| Directory Harvesting | Scammers use this attack to gain access to the internal email addresses of a business or network through brute force. They can then send malicious links to those email addresses. |
| APTs | Advanced Persistent Threats are attacks typically carried out on a network of a large business or corporation over an extended period of time. This is usually a coordinated operation that looks to exploit a vulnerability in a network – which can be human. |
Types of Email phishing threats
Phishing is by far the most common type of email security threat and is designed to obtain sensitive or personal information from an individual or company. There are a number of different types, and being able to spot all of them will give you the best chance of staying safe. We have categorised the types of phishing scams below.
| Type of phishing | Description |
| --- | --- |
| Standard phishing | The scammer poses as an employee of a legitimate company. They use threats and inject a heightened sense of urgency into your actions to blur your thinking. Messages are usually generic and sent en masse. |
| Spear Phishing | The scammer targets a specific person in an organization (e.g. the finance manager) and creates a highly customized email. This is easy considering the information available about businesspeople online. |
| Whaling | The scammer targets the head or CEO of an organization. This could be used as a way to obtain specific, high-level information or a route to easily obtaining a large amount of employee data. |
| Lateral Phishing | The scammer compromises a genuine, personal account, like an email address, and uses it to spread malicious links to the people closest to the victim. |
| Clone Phishing | The scammer creates an identical copy of a legitimate message from a genuine organization – such as an out-of-office reply – and simply switches out a clean link for a malicious one. |
Examples of some common Phishing techniques
There are several techniques used to acquire information through phishing (don't worry – we look at the telltale signs of phishing further down).
Many phishing emails deploy shortened URLs, for example, a tool born out of the need to be space-efficient with social media character limits that is utilized by scammers to make malicious links look genuine.
Others will use real brand logos and 'trust badges' to confer legitimacy, whilst some deliberately place malicious links next to a flurry of genuine ones to give users a false sense of assurance.
In more sophisticated attacks, scammers might take actions such as sending out a huge number of emails in order to return 'Out of Office' replies that will give them a template to work with.
A word on phishing...
Phishing is by no means a technique confined to email, and the last few years have in fact seen a dramatic rise in phishing on other channels of communication.
Malicious documents placed on iCloud servers are becoming more common, whereas smishing – the SMS equivalent of phishing – has grown in popularity amongst scammers during the pandemic. Vishing – voice phishing – is now also something you need to watch out for on your phone.
How to spot an email security threat
As aforementioned, spotting phishing can be hard, but there are a few commonalities to look out for that could really make a difference. Never click on links in an email that:
- Is littered with spelling mistakes and grammatical errors.
- Includes threats of punishment, fines, or imprisonment.
- Tries to inject an outsized sense of urgency or fear.
- Claims to be from a known brand, but the design and colors clash.
- Requests sensitive information be handed over via email.
- Has no salutation, or doesn't address you by your name.
- Has shortened URLs that look suspicious when hovered over.
If an email is claiming to be from a company that you have a pre-existing relationship with – such as your bank – you can always ring them to confirm the correspondence is legitimate. If it's from a business you don't have a relationship with, on the other hand, then it's probably not worth opening the email even if it is legitimate.
These are all indications, not confirmation, that an email is malicious or contains malicious content. Emails without personalized salutations aren't, for example, always malicious. A phishing attempt may display one, two, or five of the above warning signs; it might not display any.
All in all, though, it's better to be safe than sorry – there's no punishment for caution or double-checking, nor is there for ringing a company to double-check.
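As an added example (not part of the original guide), the checklist above can be turned into a rough triage script that reports which warning signs a message shows rather than giving a verdict. The word lists, the shortener set, the function names and the sample message are assumptions made for illustration; the spelling and brand-design checks are left out because they need more than pattern matching.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Illustrative lists (assumptions, not from the article); tune them for your own mail.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "short.example"}  # short.example is constructed
WORDS = {"urgency": re.compile(r"\b(urgent(ly)?|immediately|act now|within 24 hours)\b", re.I),
         "threat": re.compile(r"\b(suspended|fined|penalt\w+|arrest\w*|imprison\w*)\b", re.I),
         "asks_for_sensitive_info": re.compile(r"\b(password|pin|card number|bank details)\b", re.I)}
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_maintype() == "text")

def host_of(value):
    return re.sub(r"^www\.", "", value.lower())

def phishing_indicators(raw, recipient_name):
    """Return the warning signs present; an empty list does not prove the mail is safe."""
    html = body_text(message_from_string(raw))
    text = re.sub(r"<[^>]+>", " ", html)            # crude tag strip for the word checks
    found = {name for name, rx in WORDS.items() if rx.search(text)}
    first = next((l.strip() for l in text.splitlines() if l.strip()), "")
    if not re.search(rf"\b{re.escape(recipient_name)}\b", first, re.I):
        found.add("no_personal_salutation")
    for href, label in LINK.findall(html):
        host = host_of(urlparse(href).hostname or "")
        if host in SHORTENERS:
            found.add("shortened_url")
        shown = DOMAIN.search(label)                 # link text that itself looks like a URL
        if shown and host_of(shown.group(1)) != host:
            found.add("link_text_mismatch")          # what hovering over the link reveals
    return sorted(found)

# Constructed sample message (not a real email).
SAMPLE = """\
Subject: Final notice
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Your account will be suspended unless you act immediately. Confirm your password:
<a href="https://short.example/a1b2">www.examplebank.example/login</a></p>
"""
print(phishing_indicators(SAMPLE, "Sam"))
```
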
How to Protect your business from email security threats
Let's say you own – or work for – a medium-sized business that is concerned about online security threats. What steps do you take?
The main priority should be educating staff on what to look out for. There are tell-tale signs that an email is a phishing email – and there are formats that come and go – so it's important to keep records of attacks on your system (successful or not), notify employees about attacks, and encourage them to report suspicious messages they receive on their work addresses.
You should also make sure you have security technology like an email security gateway or, alternatively, a security tool like Barracuda's API-based box defense, which uses data from historical email communications from individual employees to determine 'normal' email traffic. Naturally, you should also install up-to-date anti-virus software to combat attacks if your perimeter is breached.
Making sure you have the latest versions of the software you use is also vital, as some scammers exploit vulnerabilities in older iterations of popular software programs that are subsequently patched in updates.
You should also likely be operating on a 'principle of least privilege' wherever possible, which essentially means only giving people access to the parts of a given network that they need to complete their job duties. If attacks do happen, this makes them a lot easier to isolate and contain.