The Plain English Guide to: Email Security & Phishing


There are many new and exciting methods of digital communication available to us in 2020; however, email remains an essential tool for business. We use email to send meeting invites, invoices and payment receipts. We use it for marketing our services to our customers, and we use it to complain to our co-workers about that one guy who keeps leaving egg sandwiches in the office fridge.

We rely on email, and we use it so frequently that when we see a message in our inbox, we instinctively trust that it’s genuine. Unfortunately for us, criminals also rely on our trust in email, and if we haven’t taken the right steps to protect ourselves, it’s all too easy for them to abuse this trust.

Phishing, Spear-Phishing, Whaling – and what on earth this has to do with email

Phishing is a general term used to describe the act of tricking someone into providing sensitive information by pretending to be a trusted person or organisation. This information could be login details, personal identification, credit card numbers or anything else of financial value. Phishing scams are one of the most common email security threats.

An example of a phishing scam could be an email pretending to be from PayPal or your bank. The email will usually have the same layout as it would if it were genuine. It will probably use your bank’s logo. It will often have an alarming subject that will make you want to take immediate action. Perhaps most concerningly, it may even have your bank’s email address shown as the sender.

“Act now to keep access to your bank account”

“Your PayPal payment of £10,000 has been received”

Of course, you’ll wonder what’s going on so you’ll click on the helpful link in the email to log in and find out more. The problem is the link doesn’t lead to your bank’s login page. It takes you to a fake page which looks just like your bank’s but is hosted by the scammer. Once you enter your login details, they’ll have what they need to buy everything on their Amazon wish list at your expense.

Spear-phishing continues the fishy theme and refers to explicitly targeting an individual rather than running a more general scam. Instead of an email posing as your bank, you may receive one that looks like it’s from your business partner asking you to urgently pay the attached invoice. It’s not too difficult for a scammer to work out who you know from details publicly available at Companies House or on social media, and you’re much more likely to act on the email if it’s from someone you know.

Whaling is another variation on phishing, targeting high-profile or senior business people (whales) as they’re more likely to be able to make high-value mistakes.

But how is this possible? Can anyone fake my email address?

SMTP (Simple Mail Transfer Protocol), the protocol that mail servers use to pass messages between each other, was designed in the early 1980s when the Internet was a very different place. The focus was on deliverability, making it as easy and reliable as possible to send a message, and giving little thought to the idea that someone would want to misuse this for profit.

Over the years, the number of people using the Internet has exploded, and with it, our reliance on email. But those same idealistic assumptions from the 1980s are still with us. Unfortunately for us, this means the technology behind email has very few checks to verify who a sender is or what they’re sending us, and it’s often trivial to fake the sender address of an email.

Okay, I’m worried. What can I do?

There are several solutions, both behavioural and technological, that can help to protect you from these sorts of threats.

The most important thing to remember is always to approach an email with a healthy level of suspicion, for example:

  • If you get sent an invoice from a supplier that you weren’t expecting – call the number on their website and verify it.
  • If you receive an email from a supplier telling you their bank details have changed, always check by phone. Never trust the phone number in the email; call one that you know is genuine.
  • If you receive a message telling you to take immediate action like open a link or download an attachment to avoid a penalty or claim a prize – find a way to verify the sender before following their instructions.
  • If a trusted colleague asks you to do something out of the ordinary – speak with them first.

It’s also vital to make sure that you’re employing the latest technology best practices so that as few of these threats as possible even make it into your inbox:

DomainKeys Identified Mail (DKIM)

When enabled in your email service, DKIM signs each email you send with a small cryptographic signature. A receiving email server can use this signature, together with a public key published in your domain’s DNS, to verify that the message really was signed on behalf of your domain name (for example, our domain name is getsupport.co.uk) and that it hasn’t been modified in transit.

Sender Policy Framework (SPF)

An SPF policy allows a recipient’s mail server to look up a list of servers or services which are permitted to send email for a given domain. An SPF policy might, for example, state that email for your domain name can be sent from the Microsoft 365 email service and your Mailchimp marketing account but from nowhere else.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Yes, it’s a mouthful, but DMARC is a relatively simple technology. It ties together DKIM and SPF and allows an organisation to publish a policy describing how they implement these technologies and advising a receiving server what to do if it gets an email that doesn’t match the policy. For example, a policy for example.com might advise that “all email will be either signed with my DKIM signature or will be delivered from Microsoft 365. If you receive an email that doesn’t match these requirements, please reject it and don’t deliver it to the user”.
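To make the three pieces concrete, here is an added illustration (written for this guide, not code from Get Support or from any real mail server) of how a receiving server combines an SPF lookup, a DKIM verifier’s result and the sender’s DMARC policy into a single decision: deliver, quarantine or reject. The DNS records, domain names and IP addresses are constructed sample data using the RFC 5737 documentation ranges, and the DKIM signature check itself is assumed to have been done elsewhere and passed in as a result, since verifying it needs the raw message and the domain’s public key.

```python
"""Added example: SPF + DKIM + DMARC evaluation on a receiving mail server.
Not Get Support's code or any real MTA's; DNS data below is constructed."""
import ipaddress

# Constructed TXT records standing in for DNS. example.com authorises one of
# its own IP ranges plus an included mail provider, and publishes p=reject.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:spf.mailprovider.example -all",
    "spf.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone data."""
    return DNS_TXT.get(name)


def check_spf(domain, client_ip, depth=0):
    """Evaluate `domain`'s SPF record for the connecting `client_ip`.
    Handles ip4/ip6, include and all (other mechanisms such as a/mx are
    skipped to keep the example short). Returns pass/fail/softfail/neutral/none."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps lookups; runaway includes are an error
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, so nothing can be concluded
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return SPF_QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return SPF_QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if check_spf(term[len("include:"):], client_ip, depth + 1) == "pass":
                return SPF_QUALIFIERS[qualifier]
    return "neutral"  # record ended without matching or an "all" term


def parse_dmarc(domain):
    """Fetch and parse _dmarc.<domain>; returns a tag dict, or None if absent."""
    record = lookup_txt(f"_dmarc.{domain}")
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Simplified organisational domain: the last two labels. A real
    implementation consults the Public Suffix List (think of .co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain, from_domain, mode="r"):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r)
    only needs the same organisational domain as the visible From: header."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, mailfrom_domain, client_ip, dkim_results=()):
    """DMARC verdict for a message whose From: header is in `from_domain`.
    `mailfrom_domain` is the SMTP envelope sender's domain; `dkim_results`
    are (signing domain, result) pairs from a DKIM verifier (assumed done).
    Returns (dmarc_result, action)."""
    # A subdomain without its own record inherits the organisational domain's policy.
    policy = parse_dmarc(from_domain) or parse_dmarc(org_domain(from_domain))
    if policy is None:
        return ("none", "deliver")  # nothing published, nothing to enforce
    spf_ok = (check_spf(mailfrom_domain, client_ip) == "pass"
              and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, result in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    action = {"quarantine": "quarantine", "reject": "reject"}.get(policy.get("p"), "deliver")
    return ("fail", action)


if __name__ == "__main__":
    scenarios = [  # (label, From: domain, envelope domain, connecting IP, DKIM results)
        ("genuine, from example.com's own range", "example.com", "example.com", "203.0.113.5", ()),
        ("forged From:, unrelated envelope sender", "example.com", "attacker.example", "192.0.2.7", ()),
        ("third party, but DKIM-signed by example.com", "example.com", "newsletter.example", "192.0.2.7", (("example.com", "pass"),)),
        ("domain with no DMARC record", "other.example", "other.example", "192.0.2.7", ()),
    ]
    for label, frm, mailfrom, ip, dkim in scenarios:
        print(f"{label}: {evaluate_dmarc(frm, mailfrom, ip, dkim)}")
```

The scenarios at the bottom mirror the paragraph above: a genuine message passes on SPF alone, a forged From: header from an unrelated server fails both checks and is rejected because the policy says p=reject, a legitimate third-party sender still passes when it carries an aligned DKIM signature, and a domain that has published nothing gets delivered unauthenticated, which is why publishing the records for your own domain matters as much as checking other people’s.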

Most large organisations, including almost all of those that are involved in financial transactions, now implement DKIM, SPF and DMARC policies. If your email service is configured to validate and act on this information, then you are well protected from many common threats.

If your provider has also configured these technologies for your outbound email, then it’s far more difficult for scammers to forge email messages from you, both internally to your colleagues and externally to your customers or suppliers.

Want to learn more?

When it comes to protecting yourself and your business from email scams, there’s no substitute for common sense, but there are plenty of technologies that can make it easier.

At Get Support we’ll offer you a free expert advice session. A member of our team will personally walk you through the email security options that are available with your current service or help you find a solution that can offer what you need. Fill in the contact form at the bottom of this page to find out more.
