One of the most common tools used by cybercriminals is email. Using a simple but malicious message, an attacker can deploy malware through a file attachment or a linked page. Phishing campaigns take advantage of email to convince people to share account credentials or other sensitive data, which the attackers use themselves or sell to other criminals. In a report released Wednesday, cybersecurity provider Trustwave looks at email scams prevalent in 2020 and provides advice on how to combat them.
To help you better defend yourself and your organization against email threats, Trustwave offers the following tips:
- Set up an email security gateway. This gateway could be on-premises or in the cloud, but it should include several layers of security, such as anti-spam, anti-malware and policy-based content filtering. Specifically, the content-filtering policy should enforce the following rules: 1) Quarantine or flag all executable files, including Java, scripts such as .js and .vbs, and all unusual file attachments. Keep in mind that you'll need to create exceptions for legitimate inbound sources that genuinely send such files. 2) Block or flag macros in Microsoft Office documents. 3) Block or flag password-protected archive files, whose contents the gateway cannot scan, and unusual archive types, such as .ace, .img, and .iso.
- Update client software. Many email attacks exploit unpatched software. Be sure to fully patch and update key products such as Microsoft 365 and Adobe Reader.
- Check for malicious or suspicious links in emails. Make sure that such links are checked either through an email gateway, a web gateway, or both.
- Implement anti-spoofing tools. Anti-spoofing technology deployed on your email gateway can detect domain misspellings and other signs of spoofing. Validating SPF, DKIM and DMARC on inbound mail catches direct forgery of a domain; lookalike-domain detection is still needed for misspelled or homoglyph domains, which pass those checks because the attacker legitimately owns them.
- Tighten procedures for approving financial payments. Phishing emails that impersonate invoices can trick employees into sending money to cybercriminals. To avoid this, have a strong process in place for approving any payment request or bank-detail change that arrives by email, including confirmation through a channel other than the email itself, such as a phone call to a number already on file.
- Educate your users. Make sure that all users, from the rank and file up to the C-suite, are trained to detect phishing emails. Conduct mock phishing exercises to show them the signs of a malicious email.
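The gateway attachment rules and the lookalike-domain check above can be expressed as a small policy engine. The following is an added example, not Trustwave's or any vendor's code: the extension lists, the trusted-domain list, the homoglyph map and the sample message are assumptions made for illustration and should be tuned to your own environment.

```python
"""Attachment-policy and lookalike-sender checks for one inbound message.

Added example, not vendor code. Extension lists, TRUSTED_DOMAINS and the
sample message are assumptions for illustration.
"""
import io
import os
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Rule 1: executables, script hosts and Java archives are quarantined outright.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".ps1",
             ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".jar"}
# Rule 3: unusual archive and disk-image types named in the tip.
UNUSUAL_ARCHIVE_EXTS = {".ace", ".img", ".iso", ".arj", ".lzh"}
# Rule 2: OOXML containers that may carry a VBA project; legacy OLE formats are flagged.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
LEGACY_OFFICE_EXTS = {".doc", ".dot", ".xls", ".ppt"}
# Anti-spoofing: domains you actually do business with (assumed) and a homoglyph map.
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _ext(filename):
    return os.path.splitext(filename.lower())[1]  # last extension wins: invoice.pdf.exe -> .exe


def _zip_entries(data):
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return None


def zip_is_encrypted(data):
    """General-purpose bit 0 set on any entry means the archive is password-protected."""
    entries = _zip_entries(data)
    return bool(entries) and any(info.flag_bits & 0x1 for info in entries)


def ooxml_has_macro(data):
    """OOXML documents store VBA code in a vbaProject.bin part; its presence is the macro signal."""
    return any(i.filename.lower().endswith("vbaproject.bin") for i in _zip_entries(data) or [])


def check_attachment(filename, data):
    """Return ('quarantine' | 'flag' | 'allow', reason) for a single attachment."""
    ext = _ext(filename)
    if ext in EXEC_EXTS:
        return "quarantine", f"{filename}: executable or script attachment"
    if ext in UNUSUAL_ARCHIVE_EXTS:
        return "quarantine", f"{filename}: unusual archive/disk-image type"
    if ext == ".zip":
        if zip_is_encrypted(data):
            return "quarantine", f"{filename}: password-protected archive"
        inner = [i.filename for i in _zip_entries(data) or [] if _ext(i.filename) in EXEC_EXTS]
        if inner:
            return "quarantine", f"{filename}: archive contains executables {inner}"
    if ext in OOXML_EXTS and ooxml_has_macro(data):
        return "flag", f"{filename}: Office document carries a VBA macro"
    if ext in LEGACY_OFFICE_EXTS:
        return "flag", f"{filename}: legacy binary Office format, macro content not verified"
    return "allow", ""


def _edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(len*len) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain):
    """Trusted domain the sender imitates, or None if it is exact or unrelated."""
    d = sender_domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    norm = d.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or _edit_distance(norm, trusted) <= 1:
            return trusted
    return None


def evaluate_message(raw_bytes):
    """Run both checks over an RFC 5322 message; returns a list of (verdict, reason)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(("flag", f"sender domain {domain} resembles trusted {imitated}"))
    for part in msg.iter_attachments():
        verdict, reason = check_attachment(part.get_filename() or "", part.get_payload(decode=True) or b"")
        if verdict != "allow":
            findings.append((verdict, reason))
    return findings


def _zip_with(name, payload, mark_encrypted=False):
    """Constructed fixture: single-entry ZIP, optionally with the encrypted bit set in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        raw[raw.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flags
        raw[raw.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(raw)


def sample_message():
    """Constructed inbound mail: lookalike sender, macro-bearing .xlsm, password-protected .zip."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@examp1e-corp.com>"  # '1' for 'l': imitates example-corp.com
    msg["To"] = "ap@your-company.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(_zip_with("xl/vbaProject.bin", b"\x00" * 16), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    msg.add_attachment(_zip_with("invoice.pdf.exe", b"MZ", mark_encrypted=True),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict, reason in evaluate_message(sample_message()):
        print(verdict.upper(), reason)
```

The macro check relies on the OOXML container layout rather than the file extension, so a .docx renamed from a .docm is still caught; the legacy binary formats cannot be inspected this cheaply and are flagged instead. The encrypted-archive check reads the general-purpose flag from the central directory, which is where a gateway would also have to look, since the payload itself is opaque.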