Emails: The five biggest security mistakes

by

Reading time: minutes ( words)
The 5 major security misconceptions about e-mails | Allgeier secion

In 1972, a Canadian IT consultant named Ian Sharp ventured a prediction that would go down as one of the biggest miscalculations in computer technology. At the time, Mr. Sharp was rock-solidly convinced that "e-mail was a totally unsaleable product." Today, 50 years later, electronic mail has become the most important digital communications tool of all. More than 200 billion e-mails will be sent in 2022 - and that's every day. But e-mail has not only become indispensable for communication between private individuals or companies; it is also used frequently and with pleasure as a marketing tool. The German economy invests around two billion euros in e-mail advertising every year.

Despite or perhaps because of its long history, e-mail is still surrounded by security myths. In this article, we have summarized the five biggest security errors in dealing with e-mails. Not surprisingly, email is still one of the main gateways for cyber attacks on companies.

Misconception 1: E-mails are only dangerous if you open the attachments

It is widely known that file attachments - especially e-mails from unknown sources - can often hide malicious code that can infect the recipient's computer at the click of a mouse. However, there is a persistent misconception that simply looking at a received e-mail is not dangerous. Unfortunately, this is wrong. Because even in supposedly "harmless" mails without attachments, malicious code can lurk! The problem lies in the convenience factor of modern e-mails. In contrast to pure text e-mails, many e-mails today are sent with HTML code. What makes the recipient happy with enriched graphics, for example, also makes the cybercriminal happy. This is because it is easy to hide malicious code in the source code of an e-mail formatted with HTML, which is activated on the recipient's computer as soon as the e-mail is opened. The HTML format also makes it much easier to send spam e-mails. Small, mostly invisible images - the so-called web bugs - provide spam senders with success statistics on the opening rate. The consequence on opening: even more spam to the affected address.

Solution: Be sure to deactivate the display of e-mails in HTML format in your mail program and accept the less convenient view of the plain text, but play it safe. With trustworthy senders, you can activate the HTML display afterwards with a click and view the contents of the mail with the usual comfort.

Misconception 2: Spam mails can be deleted from the distribution list with one click

Spam mails can be very annoying in everyday life. Whether unsolicited advertising or attempted phishing: countless spam messages flutter into mailboxes every day. Many of the spam mails contain links to delete your own address from the distribution list. If there is no link to unsubscribe, people are happy to reply to the sender - in the hope that with a few lines they will have peace from at least this one spam sender for all time. Unfortunately, both links and replies have one consequence: even more spam.

Solution: No matter what kind of unsolicited and unknown e-mail it is, do not click on the links to supposedly delete the e-mail address under any circumstances! Because with your reaction you signal to the sender that your mail address is being actively used. In the worst case, your e-mail address will be traded in criminal circles. Therefore, it is best to ignore and delete it unread. With spam filters, which are also available as freeware, and a secondary mail address for the use of online services, you can keep your main mailbox mostly free of spam.

Misconception 3: I know the address that is in the sender field of the e-mail. Then I also know the sender!

Current e-mail programs or web services display the name of the sender or an organization for a mail. If the sender is known, of course the mail comes from the named person. This is the common, widespread assumption. Unfortunately, this assumption is completely wrong, because it is extremely easy to forge the sender address of an e-mail! But that's not all: e-mails from known persons can be spam even if the sender is the right one. If a computer is infected by a malicious program, it can automatically use the victim's address book, for example, to send masses of spam.

Solution: If you move the mouse pointer over the name displayed in the mail program, the actual sender is displayed either directly next to the mouse pointer or at the bottom of the screen. If your well-known colleague Mustermann suddenly becomes bgfffurf@spam.ru, all alarm bells should ring.

Misconception 4: Phishing e-mails are easy to recognize!

Phishing is a portmanteau of the term "fishing" and the initial "P" for password. With this form of cybercrime, attackers try to grab your access data to e-mail accounts, online banking or your online stores. One of the most common, widespread methods is the forgery of well-known online services such as Paypal, Amazon or even your house bank. The well-known "prince from Namibia", who wants to give you a few million dollars in broken German if you just follow the attached link, has long since become passé. Instead, modern attackers rely on professionally forged e-mails including the company's logo, "official" signature and, of course, the personal address. It is common to enrich the mail with references to security incidents ("Your account has been hacked. Please update your access data now!"). If you follow the links in the mails, you regularly end up on websites that have also been professionally replicated and, at first glance, do not differ from the originals.

Solution: In the header of the e-mail, the so-called header, the real sender of the e-mail is hidden in many cases. You can display the header in your e-mail program. In the lines marked "Received From" in the header, you will find the sender. But beware: headers can also be faked! Or the sender's address differs only minimally from the original address, so you won't be able to be sure with a cursory glance. Missing or incorrect salutations, which have occurred from time to time in the past, can hardly be used as an indication of phishing e-mails due to the increased professionalism of cyber criminals. In case of doubt, the following principle always applies: Under no circumstances should you follow the links in e-mails that you cannot clearly assign to a known contact. Log on directly to the provider's site and check there whether any action is actually necessary.

Misconception 5: You don't have to encrypt e-mails

Do you regularly send e-mails with personal data and do without encryption? Then you could possibly get a very expensive problem! Because what was already prescribed in the Federal Data Protection Act has become even stricter due to the DSGVO. Whether in the private or commercial sector: e-mails with personal content must always be protected from unauthorized access - by secure encryption. If you do not use encryption, this can lead to high penalties, especially in the commercial sector. And, in addition, to significantly increased expense, because data protection violations must be reported to the responsible supervisory authorities and the affected persons in accordance with the GDPR.

Solution: Every email that contains personal data must actually be encrypted. With encryption gateways that are easily and quickly implemented, data breaches are a thing of the past without any further intervention. By the way, encryption significantly increases the security of your e-mails - after all, it ensures that only you and the intended recipient can access, read and utilize the content.

Link tip: https://www.secion.de/en/blog/blog-details/six-golden-rules-for-enhanced-email-security 

Conclusion

E-mail is around 50 years old - and it still doesn't belong on the siding of communication. On the contrary: almost nothing works without e-mail, especially in the commercial sector. As ubiquitous as e-mail is, the gaps in knowledge are equally extensive when it comes to security. With small measures and the principle "Think first, then click", the biggest security errors can be reliably and permanently eliminated.

Remember: emails are still one of the main gateways for malware and ransomware attacks! Phishing, virus-infected attachments and even spam pose concrete threats to your IT security. The key to a high level of IT security is a security strategy that takes into account all potential sources of danger. This also includes your own employees. With targeted social engineering training and security solutions such as a suitable solution for early attack detection, the level of IT security can be significantly increased.

Need help upgrading your IT security for 2022? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back