Email Security Best Practices in 2024
The first quarter of 2024 registered a 28% increase in the average number of cyberattacks per organization as compared to the fourth quarter of 2023. While this surge is the aggregation of all types of cyberattacks, the contribution of unsecured emails as a means of exploitation has been massive.
Emails are used everywhere, from e-commerce companies sending details of customers’ orders in transit to vendors raising invoices to companies. Billions of emails are exchanged daily, and many senders, domain owners, and companies don’t follow security practices.
The newer and more sophisticated techniques of email attacks demand regular audits of email security so that CISOs can make sound adjustments and adopt more relevant tools to combat phishing and spoofing.
So, to address this concern, here are 10 email security best practices that are efficient in 2024.
Turn off Auto-Downloads
Turning off auto-downloads for incoming emails ensures nothing gets on your computer without your consent. Hackers often drop maliciously injected payloads concealed in attachments. Here’s how you can disable auto-downloads in Microsoft Outlook and Gmail:
Microsoft Outlook
On Desktop:
- Open Outlook.
- Go to “File” > “Options.”
- In the Outlook Options window, select “Trust Center” from the left-hand menu.
- Click “Trust Center Settings.”
- In the Trust Center, select “Automatic Download.”
- Check the boxes next to “Don’t download pictures automatically in HTML e-mail messages or RSS items” and “Don’t download pictures in encrypted or signed HTML email messages.”
- Click “OK” to save your settings.
On Web:
- Go to Outlook.com and log in.
- Click on the settings icon (gear) in the top right corner.
- Scroll down and click “View all Outlook settings.”
- Select “Mail” > “Compose and reply.”
- Scroll down to the “Inline images” section and uncheck the option to “Always download external images.”
Gmail
On Web:
- Go to Gmail and log in.
- Click on the settings icon (gear) in the top right corner.
- Select “See all settings.”
- Under the “General” tab, scroll down to the “Images” section.
- Choose “Ask before displaying external images” to prevent automatic downloads.
On Mobile:
- Open the Gmail app.
- Tap the three horizontal lines in the top left corner to open the menu.
- Scroll down and tap “Settings.”
- Select the email account you want to configure.
- Tap “Images” and select “Ask before displaying external images” to prevent automatic downloads.
Use VPN
Using a VPN for email security never goes outmoded, as it encrypts internet traffic and masks a user’s IP address, securing their conversations from potential eavesdroppers. VPN makes it difficult for threat actors to intercept or monitor your emails.
Image sourced from nordvpn.com
So, if you access your work emails remotely using a VPN, the data exchanged on your device will be encrypted. Apart from this, VPN helps bypass geo-restrictions and firewall limitations. This added layer of protection ensures that sensitive emails remain confidential and secure during transmission.
Use Multifactor Authentication
Multifactor authentication adds an extra layer of security above the standard password. Using it disallows hackers from accessing your email account despite cracking the password.
MFA usually needs a combination of something you:
- know-like a passcode or PIN
- have- like a smartphone or hardware token
- are- like a fingerprint or facial recognition
For email accounts, this might mean entering a password and then providing a code sent to your phone or using a biometric method.
So, if you receive an OTP to log into your account, but it isn’t you who is trying to log in, then you can immediately know of a potential breach and change the password.
Hover Over Links Before Clicking
Hovering over a link helps you see which website you will be redirected to if you click it without actually clicking it. Do this, especially if an email comes from a new or unknown sender or when a URL looks suspicious and doesn’t match the context.
Malicious links can direct you to sites designed to steal your information, distribute malware, or trick you into giving away sensitive data. Hovering helps you verify the link before potentially exposing yourself to these risks.
Password Hygiene
Password hygiene includes several habits, and we are enlisting the non-negotiable ones-
- Your password should be at least 12-16 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters.
- Don’t set passwords that are too obvious to guess- like your pet’s name, street name, birthdate, favorite food, etc.
- Don’t use the same set of passwords across devices and accounts. If one account is compromised, others can take a toss too.
- Use password managers to generate, store, and manage complex and unique passwords. This way, you don’t have to put effort into remembering too many complicated passwords.
- Periodically change your passwords.
- Never share your passwords with others, including friends or family. If you need to grant someone access to your account, use official delegation features if available.
- Ditch the habit of writing passwords on paper.
- Instead of using single words, use phrases; this way, the password will be easy to remember for you yet difficult to crack for threat actors.
Log Out
We can’t emphasize enough on how important it is to develop and preach the habit of logging out of your email accounts when you are away from your computer or not using it. Otherwise, anyone can send fraudulent emails posing as you or get their hands on confidential data lying in your emails. It will take them no time to forward the sensitive files to another email address and delete the logs.
Use Gateway Email Content Filters
Gateway email filters are software that link the internet and your mail servers. These filters intercept incoming emails, scan them for malware and other injectables that can pose threats to your cybersecurity, and place them in primary inboxes or spam folders.
You can also configure them to enforce organizational policies concerning email content, like blocking certain unsafe file types (such as executables) or flagging inappropriate language.
Educate Yourself and Others
You can spend all the money on bringing-in technologies and tools to strengthen your technical infrastructure and still remain highly susceptible to cyberattacks if you fail to educate yourself and your team members. Humans are the weakest connection and can be fooled easily through social engineering. Moreover, the integration of AI is ramping up social engineering instances, intimidating companies to be wary of an untrained workforce.
Apart from educating your employees on email security best practices and red flags of fraudulent emails, establish a proper mechanism to report these incidents. Let your employees know who they should reach out to if they suspect something.
Take Confirmations Through Other Means
If you receive an email asking to make financial transactions or share sensitive data, confirm by calling, SMSing, or meeting that person. There is a chance that someone got unauthorized access to their email account and wrote you that email.
Use Email Authentication Tools
SPF, DKIM, and DMARC are three email authentication tools that domain owners must implement so that nobody sends fake emails on behalf of their company. Here’s a brief about them-
SPF
SPF stands for Sender Policy Framework. A domain owner or administrator creates an SPF record that includes all the IP addresses and mail servers that are officially allowed to be used for sending emails from a specific domain. Any email sent from an IP address or mail server not mentioned in the SPF record is regarded as unauthorized by the recipient’s mail server.
DKIM
DKIM is short for DomainKeys Identified Mail. It verifies the authenticity of the sender’s domain and the integrity of email messages. So, when an email is sent, the sender’s email server signs the message using a private key associated with the domain. This sign is then matched with the publicly available key linked to the domain. If they match, the email is considered legitimate; otherwise, it is illegitimate.
DMARC
DMARC, or Domain-based Message Authentication, Reporting, and Conformance, is built on SPF and DKIM. With DMARC, you can specify how you want the receiving email servers to handle messages that fail SPF and DKIM checks (e.g., reject, quarantine, or allow).
DMARC also provides reporting features, allowing domain owners to receive DMARC reports on email messages using their domain. This helps them monitor and enforce email authentication practices, improving the domain’s email security and helping maintain the reputation of legitimate emails.
We at DuoCircle can help you exercise the practice of deploying and managing email authentication protocols to establish a defense mechanism against spear phishing, ransomware, impersonation, and other targeted attacks. Let’s talk more.