
The Ins and Outs of Email Security Awareness

July 26, 2017 by Infosec Institute

Email has been used as a medium for remote communication even before the World Wide Web and other technological breakthroughs came into light. Though email security seems unglamorous and old hat on the surface, keeping email secure is perhaps more important now than it has ever been. An online survey of 400 white collar workers in 2016 by Adobe Systems found that they spent an average of six hours a day sending and responding to emails. The amount of attention email receives, especially in workspaces, has made it an ideal target for cybercriminals to gather sensitive data through social engineering attacks such as phishing.

So the question is: How safe is your email? Most important of all, are you aware of what makes an email “safe” and what level of “security” is required?

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

The Email Threat Landscape

A large part of the email we receive in our inbox is spam. This fact is supported by country-wise spam rates mentioned in the June 2016 version of Trend Micro Global Spam Map, with the spam rate being 41 percent in U.S and 84 percent in China. Fortunately, email gateways of today are capable of filtering out generic spam. But the real threat to enterprises lies not in dealing with “Win a Free Air Ticket” and “Get Rich Quick” kind of scams, but rather in dangerous scams that land into their inboxes disguised as legitimate emails.

Phishing Scams

Perhaps the easiest and most common way to target a user through email, phishing scams are carefully written emails that lure the receiver into providing their personal information or clicking on a malicious link. Clicking the link redirects users to spoofed websites that impersonate legitimate sites to capture financial or personal data, or that infect the PC with malware which then digs in to harvest sensitive information. Phishing scams use social engineering techniques to make the reader believe the email is legitimate.

Email Malware
Email malware is destructive code delivered as an attachment. If downloaded, it can turn the victim’s computer into a remote-controlled slave, part of a so-called botnet, which can cause serious loss of personal or financial data. One of the rising threats in malware attacks is ransomware, which also makes its way through email in many cases. When a user downloads an attachment infected with ransomware, the screen may get locked or their files may get encrypted until the user pays ransom.

Email Security Awareness

Email service providers have a multitude of security issues to watch out for and a number of threats to protect against. Similarly, email users need to be aware of security threats that lie in wait whenever an email is being sent or received. Whether you are using your personal email account at home or operating an official email account, it is important to observe caution and follow best practices when sending or opening an email, in order to minimize security risks.

Training and Education

Even if you use all email security mechanisms to protect your system, in the end it always comes down to how the users handle their email. Most of the time, human error is the cause of security breaches that take place even after a multitude of security measures are in place. Email users who have knowledge about email threats and safe email usage are less likely to open attachments from unknown users or carry out any other risky actions. More importantly, awareness must be given about phishing scams and how they can and have led to data breaches even in very large enterprises due to lack of awareness.

Below are some useful suggestions that every email user needs to know about in order to follow safe email usage practices.

Ensure that the Incoming Email is Valid: As a service provider of a large-scale email system, the key security focus has to be the detection and prevention of spam, while at the same time allowing valid email messages to pass through. Spam detection and control is a critical issue, as unwanted traffic can hamper the function of messaging services like email and voicemail and make them highly unattractive especially for users at the receiving end.

Because the problem is so widespread, many products and services are available for spam control. One of the most common approaches to blocking spam is a three-fold mechanism: first, it limits which IP addresses are allowed to send email to the system, blocking all others; second, it runs software that automatically filters email messages by checking their content for malware and removes suspicious messages identified as spam; and third, it applies a number of other rules and functions to catch and block unwanted traffic before it reaches the user’s inbox.

Choose Security Features: Nearly all major email clients provide phishing filters, antispam tools, and other security features designed to identify and block potentially dangerous email messages. Users need to explore all these security features and enable them to get maximum protection from malware-laden messages.

Use a Firewall: A firewall plays an important role in bolstering email security by filtering and rejecting malware-infected attachments and any other suspicious messages that do not meet the preconfigured requirements.

Use Updated Anti-Virus: All leading anti-virus software programs are generally good at identifying and removing viruses, spyware, worms and Trojans from incoming mail.

Use a Good Spam Filter: A good spam filter is designed to differentiate between genuine email and those containing spam, relieving users from the hassle of cleaning up overloaded email inboxes time and again. But if a spam filter is not properly configured, or if it is configured with extremely strict security settings, it can also stop legitimate emails from making their way to the receiver’s inbox. Improved technology in spam recognition is now resulting in more accurate spam filters.

Encrypt all Messages: Encryption is a common way of safeguarding outbound emails, as it makes messages unreadable for unauthorized individuals who may eavesdrop in the hope of gathering some valuable information. Encryption can be done with the help of a firewall or by using dedicated software.

Use Multi-factor Authentication to Protect Your Account: Though stopping spam is very important from a security point of view, it does not give email providers complete assurance. If an outsider gets access to a user’s mailbox, it will not only be troublesome for the account holder but will also cost the email provider its reputation. Using multi-factor authentication and secure web page tools, such as security questions and CAPTCHA, can add a further layer of protection to email accounts. But tools like CAPTCHA have been broken by attackers in the past and cannot guarantee complete security. Users who follow poor password discipline are also easy targets. Proactive reporting, such as notifying the account holder of logins from unusual locations, shows users that the operator is monitoring account activity and helps track down suspicious access.

Avoid Using Unsecured Wi-Fi: This has to be followed strictly at all times. An unsecured Wi-Fi connection is an open invitation to cybercriminals: your system is exposed to everyone on the network and any unencrypted traffic you send or receive can be read. In practice this means your account can be compromised by an attacker connected to the same unsecured Wi-Fi network as you.

Sender Policy Framework (SPF)

Nearly all spam email messages today are sent from forged addresses. The actual owners of these addresses suffer the consequences, as they are held responsible for messages they never sent. Sender Policy Framework (SPF) helps discourage sender address forgery by specifying a technical method that protects the envelope sender address used for delivering messages.

Both sides have to play their part for the SPF technology to work. The domain owner has to describe its mail sending policy, such as the mail servers used when sending email. It then publishes this policy in its SPF record in the DNS zone. The receiving server can then check if an incoming message claiming to have come from that domain complies with the stated policy of that domain. If the message does not comply and appears to come from an unknown server, it will be considered a fake.
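To make the two-sided mechanism concrete, here is an added example (not code from the original article or from Infosec Institute) of how a receiving server evaluates an SPF record. The DNS TXT records are constructed and use reserved example domains and documentation IP ranges; in a real deployment the `dns` table would be replaced by live TXT lookups. The evaluator handles the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers and enforces the 10-lookup limit that SPF imposes on DNS-querying mechanisms; the `a`, `mx`, `ptr` and `exists` mechanisms, which need live DNS, are deliberately skipped here (an assumption of this offline example, not of SPF itself).

```python
import ipaddress

# Constructed TXT records standing in for a DNS resolver (example domains only).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Constructed chain of 13 domains that include one another: more than the
# 10 DNS-querying mechanisms SPF allows, so evaluation must stop with permerror.
FAKE_DNS_TOO_MANY = {
    f"d{i}.example": f"v=spf1 include:d{i + 1}.example -all" for i in range(12)
}
FAKE_DNS_TOO_MANY["d12.example"] = "v=spf1 -all"

MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (result-if-matched, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, lookups=None):
    """Evaluate the sending IP against the domain's published policy.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if lookups is None:
        lookups = [0]  # shared counter across recursive include: evaluations
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = parse_spf(record)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for result, name, arg in terms:
        if name == "all":
            return result  # "all" always matches; its qualifier is the verdict
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS lookups: treat as broken
            inner = check_spf(sender_ip, arg, dns, lookups)
            if inner == "pass":
                return result
            if inner in ("none", "permerror"):
                return "permerror"  # include: of a missing/broken record is fatal
            # fail/softfail/neutral from the included domain: keep evaluating
        else:
            # a, mx, ptr, exists would need live DNS; skipped in this offline
            # example (assumption), so they never match here.
            continue
    return "neutral"  # no mechanism matched and no "all" term was present


if __name__ == "__main__":
    for ip, dom in [("192.0.2.25", "example.com"),
                    ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com")]:
        print(f"{ip} sending as {dom}: {check_spf(ip, dom)}")
```

Note that the verdict is about the envelope sender domain (the SMTP MAIL FROM), not the header From: line the user sees, which is why SPF is usually paired with DKIM and DMARC in practice.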

URL Scanning

URL scanning analyzes the content of an email for embedded URLs to check for known malicious links. Even websites that seem harmless on the surface can have hidden “drive-by downloads.”
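As an added illustration of what a URL scanner does with an incoming message (example code written for this article, not a product's or Infosec Institute's code), the following extracts links from both the plain-text and HTML parts of a MIME message and flags three things: a hostname on a blocklist, a raw IP address used as the host, and an HTML link whose visible URL differs from its real target. The message and the blocklist are constructed for the example and use reserved example domains and addresses; a real scanner would consult a threat-intelligence feed instead of the `KNOWN_BAD_HOSTS` set.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist standing in for a threat-intelligence feed (not real indicators).
KNOWN_BAD_HOSTS = {"login-verify.example.net", "secure-update.example.org"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message: a text part with a blocklisted link and an HTML
# part whose visible URL does not match the href behind it.
SAMPLE_MESSAGE = """\
From: IT Support <helpdesk@example.com>
To: user@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at http://login-verify.example.net/reset
Our intranet: https://intranet.example.com/

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Reset at <a href="http://192.0.2.44/reset">https://intranet.example.com/reset</a></p>
<p>Policy: <a href="https://intranet.example.com/policy">IT policy</a></p>
</body></html>

--b1--
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(raw_message):
    """Return (target, visible text) pairs from all text parts of the message."""
    msg = message_from_string(raw_message)
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and attachments are not scanned here
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            parser = LinkExtractor()
            parser.feed(body)
            links.extend(parser.links)
        else:
            # In plain text the visible URL is the target itself.
            links.extend((url, url) for url in URL_RE.findall(body))
    return links


def scan_links(links, blocklist=KNOWN_BAD_HOSTS):
    """Return (target, [reasons]) for every link that trips a check."""
    findings = []
    for href, text in links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if host in blocklist:
            reasons.append("host on blocklist")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("raw IP address as host")
        shown = URL_RE.search(text)
        if shown and (urlparse(shown.group(0)).hostname or "").lower() != host:
            reasons.append("visible URL differs from actual link target")
        if reasons:
            findings.append((href, reasons))
    return findings


def scan_message(raw_message):
    return scan_links(extract_links(raw_message))


if __name__ == "__main__":
    for target, reasons in scan_message(SAMPLE_MESSAGE):
        print(target, "->", "; ".join(reasons))
```

Blocklist matching only catches links already known to be bad; the mismatch and raw-IP checks are the kind of heuristic a gateway adds to catch the "looks harmless on the surface" case the text describes, and a production scanner would further follow redirects and detonate the landing page in a sandbox before deciding.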


Abiding by Professional Expectations when Handling Email

Besides the aforementioned email security practices, professional email usage has some additional expectations specific to organizations. Using your professional email outside your work premises can land you into trouble if it results in breach of privacy. So what exactly does your employer expect when you are using your professional email account? Although every organization can have its own email usage policy, there are general guidelines that should be followed when handling official email.

As an Employee:

  • Do not use personal email accounts for official work. This means neither using your personal account while on the job nor sending official documents to it. The former matters because it exposes your personal email to your employer, who has the right to monitor all incoming and outgoing traffic. The latter matters because you can face legal action if your company suspects you of misusing sensitive corporate data.
  • Always assume that your email is being read by your employer. Because all communication on your professional account is viewable, do not send, or agree to receive, anything that could land you in trouble.

As an Employer: You need to maintain access to and visibility of existing and past traffic.

  • All accessible records of relevant email communications and log information should be retained.
  • All internal and external sensitive messages should be copied or archived.
  • Messages that violate email security should be intercepted to avoid potentially damaging incidents, and to take remedial actions.

It is also important to recognize that not every email message contains sensitive information, and not everything needs to be encrypted or archived. It is, therefore, important to classify and determine what needs to be archived or encrypted and for how long a particular piece of information should be stored. Email threats will continue to haunt us for as long as organizations and people use email messaging services. As email volume continues to grow around the globe, so will the types of tools and practices used for email security.

Infosec Institute

Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training.