An introductory guide to email account security

Author: David Fleming, Chief Technology Officer

Date published

15 September 2022

Price
Free
Back to Previous

An introductory guide to email account security

Tag
Author
Date published
Price
Blog
Author

David Fleming, Chief Technology Officer

Date published

15 September 2022

Author

David Fleming, Chief Technology Officer

Price

Free

In this blog post, David Fleming, Chief Technology Officer at Mitigo summarises how criminals attack business email accounts and offers insights into the key things you'll need to defend against.

Your business email account is the most common entry point for criminals and is at the root of most successful cyber-attacks. It is not surprising that the most used function in a business is the one that criminals use to exploit. What is surprising, is that the security of a firm’s email system isn’t made a higher priority.

In this summary we will describe how attacks start in order to give an insight into the key things that you need to defend against. We will also describe some common consequences of an attack to help to understand why this subject deserves real attention. Finally, we give ten top tips on how to avoid becoming a victim.

Top 4 attack approaches

Here are the common methods of attack against a business’ email systems.
 
  1. Phishing. The criminals send blanket emails to every address they have acquired from social media, the dark web and website scraping. They pose as legitimate suppliers and trick you into giving away your email login credentials. In our simulated attacks 20% of untrained staff typically fall for this type of attack.
 
  1. Malicious attachments. Emails with fake attachments will tempt you to open them with headings like “missed message”, “urgent invoice”, “bank statement” etc. They will have malicious code that will attempt to get control of your computer in some way.
 
  1. Account hijack. With credentials purchased from the dark web, automatically breaking weak passwords, or tricking you with phishing attacks, the criminals get access to your account. They login as you, with full functionality including access to all your email history.
 
  1. Spoofing. The criminals create their own email accounts and pretend to be you. They are not inside your account but send emails to employees to try and get access to business systems and data.
 
Top 3 consequences

Here are the consequences if the criminals are successful in the approaches above.
 
  1. Ransom. This is the most damaging consequence and can be business ending. The criminals use the access they have gained first to steal confidential and personal information, and then to encrypt your systems. They threaten to release the data if you don’t pay a ransom fee. The average business downtime is now 26 days. The average ransom payment in 2021 was £628,000.  
 
  1. Virus spreading spam email. The most common consequence is thousands of emails being sent from your email to every contact associated with your business. The aim of the email is to contaminate their systems with a view to stealing money from them. We probably don’t need to describe how damaging this can be for a previously trusted business.
 
  1. Payment diversion. The main object here is to get money diverted to their bank accounts by tricking you or a client into sending money to the wrong payee. There is the obvious financial and reputational damage but the conversations with the ICO will not end well if a client has lost thousands of pounds because you didn’t protect their data sufficiently.

 
Top tips to help structural engineers defend against email attacks

Here are the top 10 areas you must address to defend against the greatest cyber threat facing your business.
 
  1. Appropriate business email account. Free and basic email systems are not good enough. You may need to upgrade to get the appropriate level of capability.
  2. Good employee disciplines. Email addresses should be for work purposes only and you need to make this clear to staff. The dark web is littered with business email addresses that have been used on personal accounts (e.g. Amazon, eBay etc) that have then been lost along with passwords and critical information.
  3. Unique, strong passwords and strong authentication. The password should not be a repeat of anything you have used elsewhere, and it is essential that authentication has another factor e.g. a code on your phone.
  4. Inbound filters. Get these expertly set and don’t rely on defaults. If done well it will stop the deceptive emails ever getting into staff inboxes.
  5. Domain records. The end of your email, @acme.com, is called the domain. There are important records that need to be set in the domain control panel to avoid criminals easily spoofing your address.
  6. Staff training and simulation. Make sure your staff get annual training and run simulated attacks to make sure they know what to expect.
  7. Access methods. You need to have a clear policy on how staff access emails e.g. from a laptop, mobile, through a web browser, etc. The more you reduce this, the more access points can be switched off in the security settings.
  8. Payment methods. Make sure that there is a robust process that ensures that changes to payee details have strong challenge processes.
  9. Antivirus & browser integration. Your web browser, email service and antivirus software need to be configured to work in unison to stop attacks. This is the most important retrospective control as it is unwise to rely on staff spotting the criminals’ tricks.
  10. Alerts and blocks. Make sure that the alerting from security systems is properly configured and is going to your technical support and that rules are set to block, not allow.

This guide gives you a starting point and a roadmap. Please invest some time and resources to getting this right, it will be the best money you spend this year.

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our members.

For more information visit the Mitigo website, or you can contact them on 020 8191 1590 or email [email protected].

Tags

Blog Other

Related Resources & Events

Blog
<h4>8 vertical extensions you should know about</h4>

8 vertical extensions you should know about

This article collates some of the author’s favourite vertical extensions from across the UK and Ireland to act as inspiration of the potential offered by this construction technique.

Date ‐ 18 May 2021
Author ‐ Charles Gillott
Price ‐ Free
Guidance
<h4>What are you going to do about it?</h4>

What are you going to do about it?

Five leading structural engineers explain why we need to take our professional responsibility seriously and commit to doing things better, starting today.

Date ‐ 9 November 2021
Price ‐ Free
The Structural Engineer
Manufacturing workshop

Held to carbon account: the end of 'bog standard' new build?

As the climate changes there will be ever-increasing social and economic pressure to reduce carbon dioxide emissions, with focus turning to the embodied carbon in products which has thus far been eclipsed by operational values.

Date ‐ 2 January 2020
Author ‐ Muiris Moynihan
Price ‐ £9
The Structural Engineer
<h4>Reuse, build less, build lean: low-carbon design for 22 Bishopsgate, London</h4>

Reuse, build less, build lean: low-carbon design for 22 Bishopsgate, London

22 Bishopsgate was erected on the site of an abandoned project, reusing 100% of the existing foundations from three previous buildings, and incorporating more than 50% of the basement built for its predecessor. This article describes the approach to reusing the existing foundations and basement, as well as the focus on material efficiency in designing the superstructure and transfer structures.

Date ‐ 2 September 2021
Author ‐ Diego Padilla Philipps
Price ‐ £9
Guidance
<h4>Circular economy and reuse: guidance for designers</h4>

Circular economy and reuse: guidance for designers

This new guidance is an essential read for any built environment professional developing new (or reusing existing) structures today. Across four principal sections it explains why the adoption of circular economy principles is critical.

Date ‐ 1 February 2023
Author ‐ P Gowler et al
Price ‐ £32.50
The Structural Engineer
<h4>What can you do if you are convinced a structure will work but can’t prove it to code?</h4>

What can you do if you are convinced a structure will work but can’t prove it to code?

The article explores ways to justify reuse of existing structures through a thorough understanding of the original building structure, and engineer’s intent.

Date ‐ 1 June 2021
Author ‐ Jessica Foster
Price ‐ £9
The Structural Engineer
<h4>An introduction to refurbishment. Part 1: Identifying opportunities at the feasibility stage</h4>

An introduction to refurbishment. Part 1: Identifying opportunities at the feasibility stage

Stephen Fernandez discusses ways in which engineers can explore the potential to refurbish existing buildings instead of demolishing and building anew.

Date ‐ 16 November 2020
Author ‐ Stephen Fernandez
Price ‐ £0
Guidance
Blue abstract blocks

Questioning and influencing the brief

Advice for engineers who are trying to lower carbon in a brief.

Date ‐ 2 November 2020
Author ‐ Shalini Jagnarine-Azan and Victoria Martin
Price ‐ Free
The Structural Engineer
Dozen people sat at desks classroom style

Viewpoint: A curriculum for the climate emergency: what questions should we be asking?

Oliver Broadbent and James Norman call for a rethink of engineering education to meet the needs of an industry adapting to the demands of the climate emergency.

Date ‐ 2 September 2020
Author ‐ Oliver Broadbent and James Norman
Price ‐ £9
The Structural Engineer
<h4>Kenneth Severn Award 2020: How must structural engineers respond to the climate crisis?</h4>

Kenneth Severn Award 2020: How must structural engineers respond to the climate crisis?

In his winning entry to the Institution’s Kenneth Severn Award 2020 – an annual essay competition for young engineers – Will Rogers-Tizard argues that structural engineers can help tackle the climate emergency by making better use of materials, understanding carbon values and questioning industry norms.

Date ‐ 2 September 2020
Author ‐ Will Rogers-Tizard
Price ‐ £9
The Structural Engineer
<h4>Persuasion and influence in a climate emergency</h4>

Persuasion and influence in a climate emergency

William Algaard presents ways in which structural engineers can help shape the direction of a project by confidently and constructively sharing their expertise in a language that client and architect will understand.

Date ‐ 2 September 2020
Author ‐ William Algaard
Price ‐ £0
The Structural Engineer
Timber roof structure of Macallan Distillery

Time for a structural change?

To design more sustainable buildings, big decisions need to be made early in the design process. Could laying out the structure to a 300mm planning grid reduce embodied carbon, enable the circular economy and still retain the uniqueness of design, asks David Treacy.

Date ‐ 1 August 2020
Author ‐ David Treacy
Price ‐ £0
The Structural Engineer
Graph showing evolution to build nothing

How can we create an engineering industry while building nothing?

James Norman, Tim Ibell and Oliver Broadbent examine the challenges engineers will face in persuading clients to repurpose existing buildings in place of building new ones.

Date ‐ 1 July 2020
Author ‐ James Norman, Tim Ibell and Oliver Broadbent
Price ‐ £0
The Structural Engineer
Crossed out excavator demolishing building

Nothing is better than something

Tim Ibell, James Norman and Oliver Broadbent challenge structural engineers to steer their clients away from a presumption of a new building.

Date ‐ 1 June 2020
Author ‐ Tim Ibell, James Norman and Oliver Broadbent
Price ‐ £0
Training
<h4>Minimal intervention: less is more</h4>

Minimal intervention: less is more

Hear from the engineer behind the Structural Award-winning Newquay Harper Footbridge project - and get into the mindset of only doing what is necessary.

Date ‐ 27 April 2020
Author ‐ Tony Parasram
Price ‐ Free