Email phishing remains a constant problem for businesses. Whilst implementing an email anti-spam/anti-virus solution can cut down on the number of phishing emails your staff receive, some will still slip through.
This leaves your staff as the last line of defence. They need to know how to spot phishing emails – by looking at the address it was sent from, the wording, the links it asks them to click, and so on. Our new online training course can help with this and has a lesson dedicated to email security.
The majority of phishing emails are sent from addresses that are one of the following:
- random, made-up addresses (email@example.com)
- throwaway addresses at free webmail providers (firstname.lastname@example.org)
- look-alike addresses with one or more letters changed or swapped (email@example.com – for example an "rn" in place of an "m")
Staff can spot these with some training – especially if the wording in the email causes suspicion.
But some emails are sent from an address that looks genuine – firstname.lastname@example.org for example.
There are a couple of ways this can happen:
- criminals gain access to a staff member's email account and send from it
- criminals spoof the email domain – they forge the From: address so the message appears to come from the genuine domain, even though it was sent from a server that has nothing to do with it
These phishing emails can be very hard to spot – especially if they have been received from a trusted business partner. I’ve seen a number of phishing emails received by my clients that appear to come from suppliers. They were from people in organisations the clients trusted, and so they clicked the links. When it was discovered that they were phishing emails, it caused some concern about the security measures in place at the business partner, and whether the client’s information was safe with them.
Whilst receiving phishing emails is a constant risk, you certainly don't want to be in the position of appearing to have sent them (or of actually having sent them because an email account has been hacked). That would certainly damage your reputation.
Thankfully there are ways that you can protect both your business and your clients from these types of emails. Before I go into what you can do, I’ll quickly explain the technologies involved.
- Two factor authentication – most people should know what this is (I've written about it previously). Its main use is to protect remote access to email accounts, remote desktop servers and web applications. Once you enter a correct username and password, you also need to enter a code from your mobile phone (or approve a prompt in an authenticator app), so a stolen password on its own is not enough
- Sender Policy Framework (SPF) – a DNS record for your domain that lists the email servers (by IP address) authorised to send email on your behalf. The receiving server checks the IP address the message actually arrived from against that list
- DomainKeys Identified Mail (DKIM) – your mail server signs each outgoing email with a private key, and the matching public key is published in DNS. The receiving server uses it to verify that the message really came from your business (or from someone you have authorised to sign with your domain – MailChimp for example) and was not altered in transit. The key itself is never sent in the email, only the signature
- Domain-based Message Authentication, Reporting and Conformance (DMARC) – a DNS record that tells the receiving email server what to do when a message fails the checks. A message passes DMARC if either SPF or DKIM passes for a domain that matches the From: address the recipient sees; if neither does, the policy applies – do nothing but report it to you (p=none, monitor mode), put it in the recipient's junk folder (p=quarantine), or block it entirely (p=reject). The reports are sent to the address you put in the record
Many organisations use SPF, DKIM and DMARC to authenticate the emails they send – including BNZ, Xero, PayPal, ANZ, Westpac and IRD.
Emails you receive
- Make sure your email server is set to check and act on the DMARC policy published by the sender's domain for the emails it receives (most email servers and hosted email services do this, but it is worth confirming rather than assuming)
- Make sure your suppliers / trusted partners have implemented two factor authentication for remote access to their email. This should form part of the security standard you ask them to agree to
- Make sure your suppliers / trusted partners have implemented SPF, DKIM and DMARC for the emails they send out. Once again, this should form part of the supplier security standard. Without it, your own server has no way to tell a message from a partner's hacked or spoofed domain apart from a genuine one
Emails you send
- Make sure you have implemented two factor authentication for remote access to your email (do this for any remote desktop servers as well). This is really becoming an essential part of IT security for a business
- Implement SPF, DKIM and DMARC for the emails you send out. You need to make sure you have thought about all of the parties who send email on your behalf – including marketing programs, scan-to-email devices, invoicing systems and anything else that sends from your domain. Each of them needs to be either listed in your SPF record or signing with DKIM using your domain, otherwise its email will fail DMARC. You should set DMARC to monitor mode (p=none) for the first month, which will allow you to see from the reports whether any genuine emails would fail the checks, and why. Once you are happy that genuine email gets through, move to quarantine and then to reject mode
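To make the SPF, DKIM and DMARC explanation above concrete, and to show why the monitor-first rollout matters, here is an added example (my own illustration, not code from the original post or from any mail server) of the decision a receiving mail server makes. It is a deliberately reduced model of SPF (RFC 7208) and DMARC (RFC 7489): only the ip4, include and all SPF mechanisms are handled, DKIM signature verification is assumed to have already happened (only its pass/fail result and the signing domain are used), and the domain names, IP addresses, DNS records and sample messages are all constructed for the example. The "scanner" message is the scan-to-email device that nobody added to SPF: under p=none it is still delivered (and shows up in the reports), under p=reject it is blocked.

```python
"""Receiver-side SPF + DMARC evaluation against an embedded DNS table (added example)."""
import ipaddress

# Constructed DNS TXT records standing in for live DNS lookups (hypothetical zones).
DNS_TXT = {
    # SPF: our own mail server plus the marketing provider that sends on our behalf.
    "example.co.nz": "v=spf1 ip4:203.0.113.10 include:spf.example-marketing.net -all",
    "spf.example-marketing.net": "v=spf1 ip4:198.51.100.0/24 -all",
    # DMARC in monitor mode: report failures to us, take no action on them.
    "_dmarc.example.co.nz": "v=DMARC1; p=none; rua=mailto:dmarc@example.co.nz; adkim=r; aspf=r",
}

# Tiny stand-in for the Public Suffix List, used for relaxed alignment (assumption).
PUBLIC_SUFFIXES = {"co.nz", "org.nz", "net", "com"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain):
    """Organisational domain: the label directly above the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def spf_check(domain, ip, dns, depth=0):
    """SPF result for `ip` sending with a MAIL FROM in `domain`, following include: terms."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            if spf_check(term[8:], ip, dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= are not modelled here
    return "neutral"  # nothing matched and no 'all' term


def dmarc_policy(from_domain, dns):
    """DMARC tags for the From: domain, falling back to its organisational domain."""
    for candidate in (from_domain, org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate.lower())
        if record and record.startswith("v=DMARC1"):
            pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
            return {key.strip(): value.strip() for key, value in pairs}
    return None


def aligned(domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate(msg, dns=DNS_TXT):
    """Return (dmarc_result, disposition) for a message the receiving server has just accepted."""
    policy = dmarc_policy(msg["from_domain"], dns)
    if policy is None:
        return "none", "accept"  # no DMARC record published: nothing to enforce
    spf = spf_check(msg["mail_from_domain"], msg["client_ip"], dns)
    spf_ok = spf == "pass" and aligned(msg["mail_from_domain"], msg["from_domain"], policy.get("aspf", "r"))
    dkim_ok = (msg.get("dkim_result") == "pass"
               and aligned(msg.get("dkim_domain", ""), msg["from_domain"], policy.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "accept"  # DMARC passes if either aligned check passes
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition.get(policy.get("p", "none"), "accept")


# Constructed messages: what the receiver knows after the SMTP session and DKIM verification.
MESSAGES = {
    "own_server": dict(from_domain="mail.example.co.nz", mail_from_domain="example.co.nz",
                       client_ip="203.0.113.10", dkim_result="none"),
    "marketing": dict(from_domain="example.co.nz", mail_from_domain="example.co.nz",
                      client_ip="198.51.100.25", dkim_result="none"),  # passes via include:
    "dkim_only": dict(from_domain="example.co.nz", mail_from_domain="bounce.example-marketing.net",
                      client_ip="198.51.100.25", dkim_result="pass", dkim_domain="example.co.nz"),
    "scanner": dict(from_domain="example.co.nz", mail_from_domain="example.co.nz",
                    client_ip="192.0.2.77", dkim_result="none"),  # forgotten scan-to-email device
    "spoof": dict(from_domain="example.co.nz", mail_from_domain="attacker.example",
                  client_ip="192.0.2.200", dkim_result="none"),
}


def with_policy(p, dns=DNS_TXT):
    """Copy of the DNS table with the DMARC p= tag replaced, to compare rollout stages."""
    new = dict(dns)
    new["_dmarc.example.co.nz"] = f"v=DMARC1; p={p}; rua=mailto:dmarc@example.co.nz; adkim=r; aspf=r"
    return new


if __name__ == "__main__":
    for p in ("none", "quarantine", "reject"):
        for name, msg in MESSAGES.items():
            print(f"p={p:<10} {name:<10} -> {evaluate(msg, with_policy(p))}")
```

Two things the run makes visible that the prose does not. First, the marketing provider gets through on SPF only because its address range is pulled in by the include: term, and the "dkim_only" message gets through only because the provider signs with our domain; a third party that does neither fails exactly like the spoof. Second, the scanner and the spoof are indistinguishable to the receiver, which is why the reports from the p=none month are the only way to find the scanner before p=reject starts bouncing its email.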
Implementing the above is not hard, and it significantly reduces both the risk to your business reputation and the risk from your suppliers.
If you’d like to discuss this area in more detail, please get in touch.