With hundreds of unique threats lurking in the corners of the internet and associated digital services, protecting data has become not just a smart thing to do, but an absolute necessity. If you want to protect your email account, you should be armed with sufficient knowledge about potential threats as well as tools/techniques of mitigation.
With luck, this article will be a helpful resource in your path to securing your emails, alongside an encrypted email account, antiviruses, and any other tools you find suitable for the job.
Spam tends to be low-effort mail targeted to no specific person, but rather thousands of people in an email list. It can serve as a way of marketing a product, disseminating information (often false), but it can also have more malicious intent. Emails that are clearly spam are best left unopened, as they can contain malicious links or attachments, as well as texts individually targeted to your identity or interests.
Large mail providers successfully identify the majority of spam and put the messages in the corresponding spam folder, but if you want to check them yourself, a first step is to check whether the domain sending the email is blacklisted by one of the leading organizations (DBL/SURBL/other). Another way is to check the SPF record of the email domain. If they have the security protocols enabled, the email domain must be credible.
A hacker that breaks into an email account can cause massive damage – to you, your reputation, employer, even your contacts. That is a good reason to keep your account authentication firmly protected with a strong password and additional authentication factors.
As for the specific ways hackers try to gain access, one popular approach is brute force – automated entry of passphrases until the right one is inputted. A more sophisticated and successful approach is a dictionary attack – using a list of popular passphrases as the first combinations tried.
If your device is infected with a keylogger, this malicious software will record every key inputted on the device and let a hacker pick out the password from the cumulative text.
Phishing is a type of manipulation that tries to fool you into providing confidential details. This could be login details, bank card info, data from personal documents, etc. Phishing can be general in nature or more targeted:
- Spear-phishing: An attack that targets a person or organization based on known information about them. The text of such emails incorporates relatable information to produce a more believable request/message.
- Whaling: A targeted attack on high-profile individuals, such as company CEOs, executives, and stakeholders.
Because most email clients block scripts within emails from being run, attackers tend to use two approaches to distributing malware through email. One is via attachments – files that (once opened) can begin a cascade of malicious actions. For many years, users were warned about executable (.exe) files in emails, but modern hackers have learned to deliver malware through other file types as well, such as images, video, and even Word documents.
If you end up accessing malicious files or content delivered through an email, you may soon find yourself being extorted with ransomware. This is usually software that blocks your access to a system until you have paid the hacker responsible a certain sum or fulfilled another one of their demands. This type of attack can be delivered through other mediums as well, and has become a massive problem for hundreds of companies worldwide.
Imagine that you are working on a task from a folder brought by your boss. Suddenly, they bring you ten more tasks and ask you to do them simultaneously. This is an analogy of a DDoS (distributed denial of service) attack, except there would probably be a hacker sending these requests instead of your employer.
In the context of email, such an attack can involve filling your mailbox with messages until it is not able to save any more, or attacking the servers responsible for sending and receiving your email messages.
A scam is a very generalized term that applies to attempts to fool someone, so several types of threats (including phishing) might fall into this category (depending on who you ask). However, the social engineering tactic in phishing usually involves scaring a person or intimidating through the concept of authority, whereas a traditional scam will offer a sweet carrot instead, appealing to a person’s desire for wealth, fame, status, etc. and promising them positive things.
It is not uncommon for scams to drag on for days, weeks, and months, so facing such an attempt, you may not know what exactly the attacker aims to get (and how) until they are sure you have been ‘buttered up’.
A spoofing attack imitates trusted people and organizations with the intent of using this trusted status to gain access to confidential information and data. Emails can be easily spoofed to look like they came from one address, when they were really sent from a server with no relation to the given person or entity.
An effective email provider will analyze and detect inconsistencies between the specified “from” email address and the routing data of the email. Nevertheless, you can perform this check and comparison yourself by analyzing the email header. It is also possible for the contents of an email to be spoofed, like an image of a web page or document that does not match the original pages, but rather has some unique points that the hacker wants you to notice.
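The header comparison described above can be done with Python's standard `email` module. This is an added example, not part of the original article; the message, domains and IP address are constructed, and the domain comparison is a simplification (exact match or subdomain).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From domain differs
# from the envelope sender and from the relay recorded by the receiving server.
RAW = """\
Return-Path: <bounce@mailer-4471.example.net>
Received: from mailer-4471.example.net (mailer-4471.example.net [203.0.113.9])
\tby mx.recipient.example with ESMTP id abc123; Tue, 02 Jan 2024 10:15:00 +0000
Authentication-Results: mx.recipient.example;
\tspf=pass smtp.mailfrom=mailer-4471.example.net;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
To: user@recipient.example
Subject: Account notice

Body text.
"""

def domain_of(value):
    """Domain part of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def related(a, b):
    # Simplification: same domain or one is a subdomain of the other.
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def header_findings(raw):
    """Return a list of inconsistencies between From and the routing headers."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    envelope = domain_of(msg["Return-Path"])
    if envelope and not related(from_dom, envelope):
        findings.append("return-path-mismatch:" + envelope)
    # The topmost Received header is the one added by your own mail server.
    received = msg.get_all("Received", [])
    relay = re.match(r"\s*from\s+(\S+)", received[0]) if received else None
    if relay and not related(from_dom, relay.group(1).lower()):
        findings.append("relay-mismatch:" + relay.group(1).lower())
    # Results recorded by the receiving server; anything but "pass" is a signal.
    auth = msg.get("Authentication-Results", "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result != "pass":
            findings.append(f"{method}={result}")
    return findings
```

Each finding is a signal to weigh rather than a verdict: legitimate bulk senders often use a different envelope domain, so a mismatch matters most when it appears together with a failed DMARC result.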
Some hackers like to trick people by initiating or joining a conversation and using it for their own purposes.
Let’s say they have a list with email addresses of employees at a branch office. They could create an email address similar to one employee and ask Mark to resend a document he had previously sent to Martha. Martha might be specified in the CC field, so Mark would think “this person definitely knows Martha” and help with the request.
Another option is for an attacker to ask to be added to a common mailing list by seemingly replying to a ‘previous email’ that everyone on the list was included in.
A zero-day attack is one that is new and unknown to security professionals and you/your company. You have to remember that threats are always evolving and new ideas come up every day, so one day you might face something not on this list, and will have nothing to rely on but your suspicions and knowledge of best security practices.