Email Risk Is Big for SMBs

While cyber attacks targeting large corporations often make headlines, small and medium sized businesses (SMBs) are also highly targeted. Understanding the risks these SMBs face and taking measures to safeguard them can significantly lower risk.

Because of businesses' increased dependence on cloud email, lack of IT staffing and funding and rushed deployments of vulnerable cloud platforms since the COVID-19 pandemic, this environment has provided cybercriminals with the ideal opportunity to run sophisticated campaigns designed to steal confidential business information and large amounts of money.

Small businesses are at a significant disadvantage: they often lack the resources and the staff needed to keep pace with emerging threats, and email risk is disproportionately large for these companies as a result.

Awareness is the first step in mitigating cyber risk. To help you and your business stay safe and successful, we’ve put together an overview of some of the most common tactics cybercriminals use, namely phishing, ransomware, and personal email account or business email compromise (EAC and BEC, respectively), along with tips and advice for securing business email against them.

Threat #1: Phishing

Email phishing is one of the most widespread cyberattack methods. In a phishing scam, cybercriminals pose as reputable individuals or organizations to send fraudulent emails with malicious links designed to steal sensitive data or infect systems with malware.

Phishing campaigns begin when cyber criminals gain control of an email account and use it to send fraudulent emails from it.

Actions You Can Take:

• Phishing emails often come from fake email addresses that are very similar to legitimate ones. But, by hovering over the display name in email, you are often able to see what email address it has actually been sent from. If the email address is not one you recognize, or seems strange in some other way, then it has likely been spoofed.
• Phishing emails often contain spelling and grammar errors. Legitimate emails from companies usually don't contain these errors.
• Before clicking on a link in an email, hover over it to see where it leads. If the link doesn't match the text in the email, it's likely a phishing attempt.
• Phishing emails often contain unsolicited attachments. If you're not expecting an attachment, it’s best to be cautious and not open it.
• Be aware that phishing emails often use urgent or threatening language to scare you into clicking on a link or providing personal information.
• Legitimate companies will never ask you to provide personal information via email. If an email asks you to provide personal information, it's also likely a phishing attempt.

Threat #2: Ransomware

Ransomware is a costly type of malware designed to block access to a computer system until a specified ransom demanded by the criminals is paid. The average ransomware demand is $84,000, with one-third of victims paying the ransom.

Ransomware attacks occur when users receive a malicious attachment in a phishing email and download it, installing ransomware onto their system that encrypts files - rendering them inaccessible for the user. The individual then receives a note from the attacker, demanding a ransom payment in untraceable bitcoin in exchange for the restoration of the locked files.

Actions You Can Take:

• Make sure that all software used in your business is updated regularly with the latest security patches and updates. This can help prevent vulnerabilities that ransomware can exploit.
• Install and regularly update antivirus and anti-malware software on all devices used in your business.
• Restrict access to sensitive data to only those employees who need it to perform their job duties. This can help prevent ransomware from spreading throughout your network.
• Regularly backup important business data and store it in a secure location. This can help you recover quickly in the event of a ransomware attack.
• Your employees need regular training on how to recognize and respond to ransomware attacks - this may include how to recognize suspicious emails, report any potential attacks and avoid clicking on suspicious links or downloading files with suspicious attachments.

Threat #3: Email Account Compromise (EAC) / Business Email Compromise (BEC)

Business email compromise (BEC) is a sophisticated and highly targeted email scam in which an attacker compromises or impersonates an executive’s email account with the aim of obtaining access to sensitive business information or other key assets. Cybercriminals employ various techniques for this attack, including malware, phishing and brute-force password spraying. Once an account is compromised, cybercriminals can exploit it for sending spam email campaigns, accessing sensitive data or engaging in further criminal activities.

In a BEC attack, a cybercriminal compromises or spoofs an executive email account and then sends fraudulent transfer instructions to a finance employee from this account. In a successful scam, the recipient is fooled into transferring funds to an account controlled by the perpetrator and the attacker gets paid.

Account compromise, also known as Email Account Compromise (EAC), can happen to any email account outside of executive emails, as well. The tactics used to compromise these emails are the same, so making sure to keep all emails protected, both personal and professional, is paramount.

Actions You Can Take:

• Always make sure to verify any wire transfers that are being requested through email, especially when being asked to initiate one that you weren’t expecting to.
• Implement multi-factor authentication (MFA) for all email accounts to add an extra layer of security. This can help prevent unauthorized access to email accounts and reduce the risk of email compromise
• Use email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent email spoofing and impersonation. These protocols can help ensure that emails are coming from legitimate senders.
• As stated before, regularly educating and training employees and board members on best cybersecurity practices is one a company’s most effective defenses against cyber threats. Encourage them to verify the authenticity of the email with the purported sender before responding to any email request.
• Critically important: Implement a comprehensive, adaptive cloud email security solution.

Guardian Digital EnGarde Cloud Email Security: Enterprise-Grade Email Protection for SMBs

Guardian Digital recognizes the heightened risk that small businesses face, and acknowledges that securing email accounts can be a challenge for small companies. Guardian Digital uses resources from around the world in ways no other provider can to protect its customers against the latest phishing and zero-day attacks identified worldwide. Through this unique and beneficial approach, we are able to offer flexible, cost-efficient protection to SMBs and enterprises alike. While other email security providers promote frequent patches and updates in an effort to keep up with rapidly evolving threats, our solution, EnGarde Cloud Email Security, automatically stays a step ahead of the latest threats, constantly updating in real-time as opposed to relying on patches.

At Guardian Digital, we view email security as a process, not a product. We build a relationship with each of our clients, taking ample time to learn about their key assets and specific needs. Our scalable, fully-managed solution seamlessly integrates with businesses’ existing email infrastructure and is accompanied by the expert, ongoing support required to keep your business secure and productive, while extending limited IT resources. By preventing attacks leading to security breaches, minimizing downtime and safeguarding your operations, businesses can expect to see a positive impact on their bottom line and a rapid return on investment (ROI).

Keep Reading About SMB Email Security

Email-borne attacks are more problematic for businesses than ever, and SMBs are a primary target among cybercriminals due to the fact that these organizations often lack adequate resources and expertise devoted to cybersecurity. 

Luckily, with proper awareness, training, and a comprehensive, fully-managed cloud email security solution in place, you can rest easy knowing that your business is protected around the clock with threat-ready email vigilance, whether you have a business size of 50 people or five.

• Learn about SMB email security mistakes and how to overcome them.
• Learn why over 90% of modern cyberattacks begin with a phishing email, and how to safeguard your users and key assets.
• Learn how to improve your email security posture to defend against attacks and breaches by engaging in best practices.
• Get the latest updates on how to stay safe online.