10 Ways to Protect Your Email Communication
According to Verizon's 2019 Data Breach Investigations Report, 94% malware was delivered via email and phishing attacks accounted for more than 80% of the reported breaches
Email is one of the most prevalent modes of communication in our personal and work lives. It was initially designed with message deliverability in mind, and ever since then, it has been playing catch up in terms of security. Though we’ve come a long way from the initial text-based SMTP communication to today’s interactive and responsive emails, efforts to block phishing campaigns, malware, spoofed emails, or spams are far from over.
Tips to Secure Your Email Communication
Let’s take a look at some ways to keep you away from ill-intended messages or inadvertently downloading malware onto your systems.
1. Opt-in for two-factor authentication with your email service provider
All popular email service providers have the security feature to apply two-factor authentication to access your mailbox. Essentially, even if the account password for your mail gets compromised, hackers will always need to provide additional proof of authorization to get authenticated to access your account. SMS code as a second factor isn’t the most secure, so consider using an app like Google Authenticator, which generates a time-dependent 2FA code.
2. Avoid clicking on links in emails, if you can help it
Received a link to change your password or read an interesting article? Can you instead hop over to the site and find the right page or type the address into your browser’s address bar manually? If yes, then there’s no good reason why you must click on a link that may potentially phish your credentials or install malware. If no, at the very least, hover over links before clicking on them to check if the URL looks legitimate. Clicking on links, including the unsubscribe link in spam emails, is never a good idea.
3. Refrain from downloading any attachments, unless you trust the source
As a general rule of thumb, if you receive an email containing an attachment from someone you don’t know, steer clear of opening it. According to Verizon’s 2020 Data Breach Investigations Report, email attachments, unsurprisingly, are one of the top vectors in malware associated breaches. Moreover, email addresses can be spoofed, and just because the address looks familiar, it’s not automatically a guarantor of trust.
4. Connect over a secure link, use VPN, and avoid using public Wi-Fi
Staying connected at all times might be convenient, but doing so at the expense of security over an insecure connection (such as using public Wi-Fi at airports or coffee shops) is unadvisable. Attackers can sniff the network, carry out man-in-the-middle attacks to steal any information that you transmit while connected to unsecured public networks. If you still decide to use free Wi-Fi, at the very least, connect to a network that has some form of authentication and route all your traffic via a VPN.
5. Scan your devices for viruses and malware
Use trusted software that screens all your attachments and messages for any malware and quarantines such messages.
6. Learn to examine the email message headers
A simple Google search will tell you how to see original message headers (usually not displayed by default) based on your mail client. Inspect the SPF and DKIM headers to verify if the message passed these checks. The “Received From” field reveals the path of the email and the IP where it originated. If you receive a suspicious email, compare the displayed ‘from’ with the ‘mail from’ field in the message header to verify if they match. Additionally, you can use a reverse lookup tool to trace the email.
7. Use secure SMTP ports
Port 587 is now used as the default port for submitting email messages with SSL/TLS encryption, while port 25 is used for relaying between mail servers.
8. Employ email signing certificate for end-to-end encryption
SMTP mail is inherently insecure. It is here that end-to-end encryption standards (like S/MIME or PGP) and identity verification via digital signatures step in to do away with any ambiguity. Email signing certificates assert the identity of the sender and verify that the message has not been tampered with while in transit. However, though they encrypt the message, they don’t secure the communication channel itself. To do so, you’ll need an SSL/TLS certificate.
9. Use spam filters to stop unsolicited messages or block suspicious IPs
Spam filters may come with several features, such as blocking marketing emails with a certain phrase to show up in your inbox or stop messages from specific IP addresses. Some of them can automatically remove junk mails and block system information tracking.
10. Configure your DNS records with security in mind
DNS records (SPF, DKIM, DMARC), if correctly configured, can be used to determine if an email is spoofed or legitimate. While SPF maps IPs to domains, DKIM is useful for authenticating the identity of the sender. Failed SPF or DKIM checks could be indicative of fraudulent email. DMARC works along with both of these records to define what actions the server should take if a message fails these tests.
If you look at how SMTP was developed and how it has gradually evolved to incorporate authentication and encryption, there’s no denying that we’ve come a long way. However, according to reports from Barracuda Networks, 467,825 cases of spear-phishing attacks have been recorded between March 1 and March 23 March this year. One of the best ways to maintain security is to stay informed through self-education, employer-sponsored cyber awareness training, etc. about security best practices that can be adopted and implemented to protect our communication.