Microsoft outlines the 5 most commonly ignored security threats to email

Kareem Anderson


Increasingly, people who use the Internet realize access to their email inboxes is just as cherished as access to their social security information or home addresses. Hackers and Internet trolls with malicious intent are increasingly finding treasure troves of information and business data sitting just beneath a thin veneer of email security.

With Microsoft’s stake in email and business productivity, the company is witnessing several trends that users may be unaware of when communicating through email. Fortunately, for users, Microsoft has taken the time to highlight a few of the most commonly overlooked security threats that exist with email communication.

  1. Social engineering schemes that use your mobile number—Did you know that attackers only need your mobile number to trick you into giving access to your email? Essentially, they’ll send you a text posing as your email provider (e.g., Outlook) and tell you you’re about to receive a code to ensure your email account is secure. This text will then ask you to reply with the code to confirm. Then, they’ll trigger the password reset process, you’ll receive a real message with the unlock code—and if you send it to the attackers unknowingly—they’ll use it to reset your password without your knowledge. Check out this video if you want more specifics on this scheme.
  2. Sharing your access credentials with others—It’s common for some employees to share their credentials—including their password—with a fellow employee or manager when they’ll be out of the office, whether on vacation or during short-term or long-term disability. If organizations don’t have defined security policies for these situations, a lack of accountability could lead to compromised email security.
  3. Loss of a phone with pertinent information—Password management applications are wonderful tools that help you keep track of all the passwords for all of the email accounts you undoubtedly have. But if this application is installed on a phone that is lost or stolen, that can be a problem. Of course, it’s important that your phone is also password-protected, but organizations should take security one step further when it comes to work or personal devices that carry business data or information. Specifically, a business should standardize acceptable use policies regarding the local storage of files, remote wipe capability and network connectivity.
  4. Lack of email encryption—Just because data is passed via a secure email server doesn’t mean it’s 100 percent safe. To add an extra layer of protection, companies should invest in an encrypted email service, which seals email messages and ensures only those with a decryption key can read and access sensitive information.
  5. Crypto-ransomware—Ransomware is nothing new, but it’s a nasty way for hackers to operate. They essentially take the files on your computer or devices hostage until you pay a ransom to have them released. Crypto-ransomware is even nastier, as the hackers encrypt your computer’s files and will only surrender decryption keys upon payment. How is this related to email? These attacks are typically triggered through the opening of some sort of email attachment (e.g., an invoice, energy bill, image, etc.) and they often look legitimate. According to Symantec’s 2015 Internet Security Threat Report, attacks of this nature are highly profitable (bringing in approximately $34,000 per month for one group alone) and growing in popularity.

As more email users are noticing, between phishing schemes and attachment or link embedded malware attacks, their personal email is now under attack more than it’s been in previous years. Keeping an eye on trends, patterns and staying up to date on the latest email security tools should help mitigate much of the danger lurking online. Unfortunately, personal awareness can only go so far, businesses and corporations also have to take the time to invest in the latest and most secure email services available as well. However it is diced, email is essential to not only user communication, but to information and data thieves as well, so protecting it should be just as important.