Email contains a host of threats that every user should learn and be mindful of. The dangers come in the form of malicious email messages or spam; this article outlines the recommended security measures for an email account and the dangers of spam.
Hackers and other malicious users can see when you open an email! As an email user (which is pretty much everyone), you should be aware of several security concerns in your mailbox. The biggest risk to email accounts is malicious users. These are technology users attempting to steal login credentials, launch spamming/phishing campaigns, or steal some sort of information.
Email is a utility we all use for communication. Whether it’s for social interaction, business, or storage, email plays an important part in our lives. Unfortunately, the risks of email use are many; this article describes the risk factors in an email account and security tips.
Spam and phishing are the two most common ways an email account can be a hub for security risks. Opening a phishing email that contains spam can open the system up to all sorts of threats, including malware. Next, we will go over what spam and phishing are and practical ways to spot indicators.
What are spam and phishing?
Spam messages are junk mail: email advertisements that may appear legitimate but will almost always lead to a malicious redirect upon clicking hyperlinks in the message.
A lot of spam gets filtered by your email provider and can be viewed in the junk or spam folder (although viewing it is not recommended).
Phishing is an email message intended to steal login credentials, propagate malware, or download a malicious file. There are several types of phishing:
- Phishing is an email sent in bulk to many addresses, usually by a mass phishing campaign. The email won’t be addressed to anyone; it will say “Dear user,” “Hello,” or some other non-formal greeting.
- Spear phishing involves sending a phishing email that is tailored to a specific individual. Some social engineering may be used to gain as much information as possible about the target. This email may say, “Dear Michael S., please confirm your Citi Bank account credentials.”
- Whaling works by targeting a CEO or high-level individual at an agency/organization. The main goal here is to gain access to login credentials, for example for an important web application portal that an attacker can steal company data from.
Whaling targets are considered “big fish” because of the data they have access to. This makes them prime targets for a skilled attacker.
There are several indicators that help you spot a phishing email of any kind:
- Email verbiage should be reviewed for inconsistencies in the user’s native language. For example, if the user is American, he/she would pay attention to the sentence structure and spelling. If the attacker was foreign or sloppy with their email, then the indicators can be easy to find.
- The sender’s email address is a good indicator of a non-legitimate message. You can see this by simply looking at the origin email address towards the top of the email message. The address may sound somewhat legit, like “firstname.lastname@example.org.” Glancing at it quickly, you may not notice, but this clearly isn’t a legit email address.
Another thing to look out for is the email suffix. These are the characters after the ‘.’ that specify what type of domain it is, like .net or .com. If the suffix is a country code like “.ru” or “.cn,” those are foreign domains from which the phishing/spam originated. Here are a few of the email country codes:
- Hover over any links, pictures, or content and pay attention to the link preview at the lower left-hand side of the email window. The real link that you will be taken to is displayed here. Example below:
You will want to pay attention to that link and make sure it sounds legit, and if you are ever unsure, don’t open the link. Instead, do some research or copy the link and do a “malicious site scan” with Norton, AVG, or another safe site checker online.
These indicators are important to learn. Understanding the dangers in an email message will help you develop good cybersecurity best practices. Next, we will go over the ways attackers can get into email and other accounts.
How can a malicious user gain access to your accounts?
There are several ways a malicious person can gain access to your accounts. These include a mixture of passive and active techniques. Here is a list of the common threats that your accounts face.
- Packet sniffing
Capturing of network traffic that can be examined for data such as account credentials, session cookies, and IP addresses (just to name a few).
- MITM attack, or man-in-the-middle attack
This describes the attack in which an attacker places themselves in between the client and server. This allows them to see all traffic that the user is sending back and forth to the server.
For example, suppose a user’s ARP cache has been poisoned and the user is logging into Yahoo Mail. That traffic routes through the attacker’s network interface before it goes to the mail server, effectively handing the login credentials to the attacker. Protect yourself from this type of attack by using a virtual private network (VPN).
- Password cracking
An attacker performs password guesses using a software tool and a wordlist. Some account providers have caught onto this attack so they sometimes implement account lockout after a number of login tries.
There are different types of password cracking: brute force, hybrid, and dictionary. The brute force attack tests every possible password combination. The dictionary attack tests the password using dictionary words. The hybrid attack is a mix of brute force and dictionary.
Although there are far more attacks than those on this list, these attacks/techniques can usually be mitigated using proper cyber best practices, which are outlined below.
How to secure your email and other accounts
Understanding how to secure one’s accounts, including email, needs to be a goal of every technology user. User accounts are at risk not only of attackers stealing data from them, but also of attackers inserting data. If an attacker wants to make the most out of an intrusion into a user account, they may insert malware somewhere; let me explain.
An attacker, upon gaining access to your account, has the goal of deploying a keylogger or RAT (remote access trojan) for the victim. This is going to be embedded into a clickable or downloadable link/file. Upon activating that attack, a victim’s machine will become infected with the malware.
Now the attacker has effectively gained access to bigger fish; this being the victim’s physical machine. The attacker’s motivation all depends on the goal of that attack. If it is just to steal credit card numbers, then an account intrusion would suffice.
If the attacker wants to gain access to potentially sensitive data stored on the user’s machine then they would deploy some sort of malware which they can use later.
In closing, here are some useful user account security tips you can use!
- Enable 2FA on your accounts
Enabling two-factor authentication will allow for traditional username/password login along with a third authentication method. The third part of logging in can be in the form of an email, phone call, or PIN sent to a secondary device.
2FA-enabled accounts are much harder for attackers to penetrate. Yes, it can be a pain, but how important is your data? You will sometimes get a prompt to set up 2FA; alternatively, you can go to the security settings and set it up there.
- Disable auto-login on computers that you don’t frequently use
Upon logging into pretty much any account, you will be prompted in the browser if you would like to save your credentials for future use. If you don’t trust the machine or it isn’t yours, don’t hit yes.
- Use a different password for every account
We know it is a giant pain, but choosing different passwords for every account is the secure method. Reusing passwords is considered a lazy and dangerous practice. Password recommendations include using at least 8 characters and a mix of numbers, letters, and symbols.
- Don’t use sensitive information as part of your passwords
For instance, don’t make your password ‘jenny1996.’ This is one of the easiest passwords for an attacker to recover. The name is easy to guess, research, or grab from a word list. 1996 could be a birthdate which again, is easy enough to find.
Another example of what not to set your password as would be phone, social security, or other sensitive number combinations.
- Try making passwords stronger for accounts that store sensitive information
For example, you might make a 6 character password for a free casual learning website that has no payment or sensitive data on it. In comparison, setting a stronger password for a website that verifies military service and social security information would be wise.
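The password tips above can be turned into a check, shown here as an added example that is not part of the original article. It flags the ‘jenny1996’ pattern (a word-list entry plus a year) and compares the brute-force estimate with the much smaller set a hybrid attack has to try. The word list, the function names and the four-digit suffix limit are assumptions made for illustration.

```python
import math
import re
import string

# Constructed mini word list (assumption): stands in for the names and
# dictionary words a real word list would contain.
WORDLIST = {"jenny", "michael", "password", "welcome", "summer"}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def brute_force_bits(password):
    """log2 of the candidates a brute-force search over the used alphabet tries."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def hybrid_candidates(wordlist_size, max_digits=4):
    """Candidates of the form word + 0..max_digits digits (a hybrid guess)."""
    return wordlist_size * sum(10 ** k for k in range(max_digits + 1))

def weaknesses(password):
    """Return the article's password rules that this password breaks."""
    found = []
    lowered = password.lower()
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if lowered in WORDLIST:
        found.append("dictionary word")
    match = re.fullmatch(r"([a-z]+)(\d{1,4})", lowered)
    if match and match.group(1) in WORDLIST:
        found.append("word-list entry plus digits (hybrid guess)")
        if re.fullmatch(r"(19|20)\d\d", match.group(2)):
            found.append("digits look like a birth year")
    if re.fullmatch(r"\d{9,10}", password):
        found.append("looks like a phone or social security number")
    return found
```

For ‘jenny1996’ the brute-force estimate is about 46.5 bits, yet `hybrid_candidates(100_000)` is roughly 1.1 billion guesses (about 30 bits), which is why the word-plus-year pattern is flagged even though it passes the 8-character rule.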