Email Security Introduction
Don't imagine that small players are exempt from the attentions of cybercriminals.
"According to a 2016 report...43 percent of cyber-attacks are targeted against small businesses..."
(Australian Cyber Security Centre)
"In 2018, employees of small organizations were more likely to be hit by email threats - including spam, phishing, and email malware - than those in large organizations."
(Symantec Internet Security Threat Report 2019)
"The FBI's 2019 Internet Crime Report...indicates that email is among the most common entry points for fraud."
(The SSL Store)
When it comes to cybersecurity, prevention is far, far better (and cheaper) than cure. Learn what you can about safe email and Internet practices. Then apply what you learn.
TIP: One of the best protections for your business is to train staff and principals about cybersecurity, and do regular refresher training.
The Australian Cyber Security Centre has very good materials on online safety for businesses of all sizes, online learners and home Internet users. You can also subscribe to their Stay Smart Online emails, which alert you to new and growing threats.
Set up TLS
Like your website, your emails can be protected in transit from hackers and snoops via secure encryption. The technology commonly in use is TLS encryption (also referred to as SSL, the now-obsolete predecessor of TLS, or as SSL/TLS).
TLS wraps the connection between your mail program and our server in an encrypted 'outer layer'. It's something like your email travelling inside a safe with impregnable walls and a complex combination lock: with current technology, it would take longer than a human lifetime to break in. (When quantum computing arrives, security geeks will have to up the ante; but that's not yet.) Note that TLS protects the email only while it travels over that connection, not the message itself once it has arrived; the next section explains why that matters.
SuttonNet urges all our email hosting clients to use TLS encryption for every mail account. There's no cost and much to gain.
- We supply instructions for the right configuration that works with our server.
- Apply our recommended settings carefully in the Account Settings area of your mail software. If your mail program warns that the server's certificate can't be verified, don't accept it: check the server name you typed and contact us.
- This needs to be done on each device (phone, computer) that you use for email.
- We guide you through the process if you need help. Some mail programs are tricky.
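The settings above come down to two things a mail program must do: verify the server's certificate, and refuse to fall back to plaintext. The following script, an added example for this page and not SuttonNet's own software, shows the safe configuration beside the unsafe 'accept any certificate' one, and connects to a mail server to report what TLS version and cipher were actually negotiated. The host name and ports are assumptions; substitute the server details from your hosting instructions.

```python
"""Check that a mail server negotiates TLS with a certificate that verifies.

Added example for this page, not SuttonNet's own software. Host names and
ports are assumptions: use the server details from your hosting instructions.
"""
import smtplib
import ssl
import sys


def strict_tls_context() -> ssl.SSLContext:
    """The setting a mail program should be using: verify the server's
    certificate against the system trust store, check that it names the host
    we asked for, and refuse TLS versions older than 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context() -> ssl.SSLContext:
    """What 'accept any certificate' or 'ignore certificate warnings' amounts
    to. Shown only for contrast: anyone between you and the server can present
    their own certificate and read the traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies certificates, checks the host name
    and excludes TLS 1.0/1.1."""
    return bool(
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def check_smtp(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Connect to an SMTP submission server and report the negotiated TLS
    parameters. Port 587 uses STARTTLS (a plain connection upgraded to TLS);
    port 465 uses TLS from the first byte. A server whose certificate fails
    verification raises ssl.SSLCertVerificationError, which is the outcome we
    want: the client must not silently carry on in plaintext."""
    ctx = strict_tls_context()
    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        smtp.ehlo()
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            smtp.quit()
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the upgrade
    try:
        sock = smtp.sock  # an ssl.SSLSocket once TLS is up
        return {
            "tls_version": sock.version(),
            "cipher": sock.cipher()[0],
            "auth_offered": smtp.has_extn("auth"),
        }
    finally:
        smtp.quit()


if __name__ == "__main__":
    # Assumed placeholder host; pass your real server and port on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    print(check_smtp(host, port))
```

Run it as `python check_tls.py mail.yourhost.example 587`. A result showing TLS 1.2 or 1.3 means the server is set up correctly; a certificate error means either you typed the wrong server name or someone is interfering with the connection, and in neither case should the warning be clicked through.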
Don't rely on TLS alone
Setting up TLS encryption at your end is vital, but there are sections of the email journey which neither you nor your mail host has control over.
- For your outgoing mail, this is the hop from our server to the recipient's mail server (which may or may not accept TLS), and then from that server to the recipient's own device.
- Your incoming mail could come from a sender whose mail server doesn't use TLS. Such mail travels unencrypted and vulnerable for most of its Internet journey.
- Some mail servers store emails unencrypted. You have no control over security of the 'other' mail server.
- An email which is encrypted by TLS could contain some very unsafe content. Cybercrooks can set up TLS encryption just like you can.
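Each mail server that handles a message prepends a Received: line recording how it got the message, including whether that hop used TLS (ESMTPS, or a "version=TLS..." note) or plain ESMTP. The script below, an added example for this page rather than SuttonNet's software, reads those lines from a raw message and lists the hops that were in the clear. The sample message, its host names, addresses and IDs are constructed for the example. One caveat: a hostile sender can forge the Received: lines that sit below the one added by your own server, so only the lines from your server upwards are trustworthy.

```python
"""Audit the Received: headers of an incoming message to see which hops
used TLS. Added example for this page, not SuttonNet's software. Host names,
addresses and IDs in the sample are constructed."""
import email
import re

# Constructed sample: a message that arrived over two hops. The sender's
# computer delivered to mx.suttonnet.example over TLS (ESMTPSA = ESMTP with
# TLS and authentication), but the onward hop to the recipient's server was
# plain ESMTP, i.e. unencrypted. Servers prepend their Received: line, so the
# top header is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from mx.suttonnet.example (mx.suttonnet.example [198.51.100.7])
\tby mail.recipient.example with ESMTP id 5k2Q9f
\tfor <someone@recipient.example>; Thu, 30 Apr 2020 10:02:31 +1000
Received: from sender-pc.example.net (203.0.113.25)
\tby mx.suttonnet.example with ESMTPSA id 7Hj3Pq
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
\tThu, 30 Apr 2020 10:02:30 +1000
From: Someone <someone@suttonnet.example>
To: someone@recipient.example
Subject: Invoice 1042
Message-ID: <constructed-1042@suttonnet.example>

Please find the invoice attached.
"""

_FROM = re.compile(r"\bfrom\s+([^\s(]+)", re.I)
_BY = re.compile(r"\bby\s+([^\s(]+)", re.I)
_WITH = re.compile(r"\bwith\s+(\S+)", re.I)
# Postfix, Exim and Exchange all name the protocol somewhere in the clause
# when the hop was encrypted, e.g. "(version=TLS1_3 ...)" or "(using TLSv1.3 ...)".
_TLS_HINT = re.compile(r"\bTLS|\bSSL", re.I)


def received_hops(raw_message: str) -> list:
    """Return the hops in transit order (oldest first), each with the sending
    host, the receiving host, the protocol keyword and whether it was encrypted."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        clause = " ".join(value.split())  # unfold the continuation lines
        sender = _FROM.search(clause)
        receiver = _BY.search(clause)
        proto = _WITH.search(clause)
        proto_name = proto.group(1).upper() if proto else ""
        encrypted = (
            proto_name.startswith(("ESMTPS", "SMTPS", "UTF8SMTPS"))
            or bool(_TLS_HINT.search(clause))
        )
        hops.append({
            "from": sender.group(1) if sender else "?",
            "by": receiver.group(1) if receiver else "?",
            "with": proto_name,
            "encrypted": encrypted,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """The hops that carried the message in the clear, as 'from -> by' strings."""
    return [
        f"{hop['from']} -> {hop['by']}"
        for hop in received_hops(raw_message)
        if not hop["encrypted"]
    ]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        flag = "TLS " if hop["encrypted"] else "PLAIN"
        print(f"{flag} {hop['from']} -> {hop['by']} ({hop['with']})")
```

Most mail programs offer a "view source" or "show original" option that gives you the raw message to feed into this. For the sample, the hop from mx.suttonnet.example onward is reported as plaintext, which is exactly the part of the journey the list above says you cannot control.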
Spam, phishing and all that
Email spoof: You've been spoofed when someone else sends out email as if it's 'from' your email address. It's easy to do, because ordinary email doesn't check that the 'from' address is genuine, and it's hard for the spoofed one (spoofee?) to prevent: a domain owner can publish SPF, DKIM and DMARC records so that receiving servers can recognise and reject forgeries, but that only helps when the receiving server checks them. You can guarantee the emails will be criminal, crooked &/or embarrassing.
Compromised password: Worst case is if someone obtains your email password and really does send their spam out using your mail account. They could read your incoming mail too.
Spam: Spam is email that you didn't invite into your mailbox, often sent out to many equally reluctant addressees in bulk. Its purpose may appear to be selling (or giving away) stuff. Its real intent may be:
- to rob, rip off, deceive, annoy, frighten or distress recipients; or
- to install malware on their computers/phones.
Sending spam is illegal in Australia and many other places in the world.
By the by, in Australia it's illegal to send ANY 'unsolicited' business email, spammy or not. You can only send a marketing email to someone if:
- they have invited you to do so, by showing an interest in your wares and providing their email address; and
- they have not asked you to 'unsubscribe' them from your mailing list.
Phishing: the email version of an old-time con. The sender presents himself/herself as a legitimate contact, often from a well-known business, charity or government entity. The email asks the recipient to click on a link which goes, not to the real Woolworths, Paypal or ATO site, but to the phisher's website. The website's domain name &/or appearance might be very like the genuine site. There the hapless victim is fleeced of personal ID or credit card details, or enticed to download malware.
The email's 'from' address may be spoofed. The website may have a lookalike domain name (such as suttonet.com). A sophisticated phishing webpage will be styled to look like the genuine one: eg a fake Paypal login page.
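The tricks in the two paragraphs above (a lookalike domain, a real brand name buried in the subdomain of an unrelated site, and link text that shows one address while the link goes to another) can all be checked mechanically before anyone clicks. The script below is an added example for this page, not SuttonNet's software. The trusted-domain list, the sample HTML and the small suffix table are assumptions made for the example; a real implementation would use the Public Suffix List to work out registrable domains.

```python
"""Spot the phishing tricks described above in the links of an HTML email:
lookalike domains, brand names buried in a subdomain, and link text that
shows one address while the link goes to another.

Added example for this page, not SuttonNet's software. The trusted-domain
list, the sample message and the suffix table are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains this business regularly deals with.
TRUSTED = {"paypal.com", "woolworths.com.au", "ato.gov.au", "suttonnet.com"}

# Constructed phishing-style body with four links: two genuine, two dodgy.
SAMPLE_HTML = """
<p>Your account needs attention.</p>
<a href="https://www.paypal.com/signin">PayPal</a>
<a href="http://suttonet.com/login">https://suttonnet.com/login</a>
<a href="https://paypal.com.account-verify.example/">Verify your account</a>
<a href="https://ato.gov.au/">ATO</a>
"""

# Simplified stand-in for the Public Suffix List: suffixes under which the
# registrable name has three labels (e.g. woolworths.com.au).
_TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "edu.au", "co.uk", "org.uk"}
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter-off lookalikes such as suttonet.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_links(html: str, trusted=TRUSTED) -> list:
    """Return the suspicious links with the reasons each was flagged."""
    collector = _LinkCollector()
    collector.feed(html)
    brands = {t.split(".")[0] for t in trusted}
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        domain = registrable_domain(host)
        reasons = []
        if domain not in trusted:
            for t in trusted:
                if levenshtein(domain, t) <= 2:
                    reasons.append(f"lookalike of {t}")
            # Labels to the left of the registrable domain, e.g. 'paypal' and
            # 'com' in paypal.com.account-verify.example.
            for label in host.split(".")[: -len(domain.split("."))]:
                if label in brands:
                    reasons.append(f"brand '{label}' used as a subdomain of {domain}")
        shown = _DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != domain:
            reasons.append(f"link text shows {shown.group(1)} but the link goes to {domain}")
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

On the sample, the PayPal and ATO links pass, the suttonet.com link is flagged both as a lookalike of suttonnet.com and for showing a different address in its text, and the "Verify your account" link is flagged for putting the PayPal name in front of an unrelated domain. Hovering over a link to read its real destination is the manual version of the same check.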
Add to that Vishing - the phone (ie 'voice') version of phishing - and Smishing - which has nothing to do with kisses, but a lot to do with SMS.
S/MIME is a mail security standard that lets you digitally sign (and optionally encrypt) your messages, so recipients can verify that an email really came from you; this guards against spoofing. You'll soon be able to find out more about S/MIME on this website. We plan to publish a review of email security options for our clients. We'll send you a webpage link by email.
If you ever suspect that your password has been stolen or guessed, contact us asap by phone or from a secured email account. The only cure is a new password, updated afterwards in the mail software on every device that uses the account. In this situation, spam emails can be sent out in your name via SuttonNet's server. Our server - and your website - is then at risk of getting blocked worldwide for email abuse. So the sooner you change your password, the better.
SuttonNet stops spam from a broken-into mail account as soon as we become aware of it. We limit the number of outgoing emails per hour to help guard against spamming. The server sends us an auto alert if that limit is exceeded.
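The hourly limit and the automatic alert described above are a simple sliding-window rate limiter per account. The following is an added example showing how such a guard behaves, not SuttonNet's actual server configuration; the limit of 100 messages per hour, the account name and the burst pattern are assumptions. Injecting the clock lets the behaviour be checked without waiting an hour.

```python
"""Per-account hourly sending limit with an alert on the first refusal, the
kind of guard described above. Added example for this page, not SuttonNet's
actual server configuration; the limit of 100 per hour and the account name
are assumptions."""
import time
from collections import deque


class OutboundRateLimiter:
    """Sliding-window counter: an account may send at most `limit` messages in
    any `window` seconds. The clock is injectable for testing."""

    def __init__(self, limit: int, on_alert, window: int = 3600, clock=time.time):
        self.limit = limit
        self.window = window
        self.on_alert = on_alert
        self.clock = clock
        self._sent = {}        # account -> deque of send timestamps in the window
        self._alerted = set()  # accounts already reported, to avoid alert storms

    def attempt(self, account: str, now: float = None) -> bool:
        """Record a send attempt. Returns True if the message may go out."""
        now = self.clock() if now is None else now
        stamps = self._sent.setdefault(account, deque())
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # drop sends older than the window
        if len(stamps) >= self.limit:
            if account not in self._alerted:
                self._alerted.add(account)
                self.on_alert(account, len(stamps), self.window)
            return False
        stamps.append(now)
        return True


def simulate_compromised_account(limit: int = 100, burst: int = 120, spacing: float = 5.0):
    """A spammer with a stolen password sends `burst` messages `spacing`
    seconds apart. Returns (accepted, rejected, alerts)."""
    alerts = []
    limiter = OutboundRateLimiter(
        limit, on_alert=lambda acct, n, w: alerts.append((acct, n, w))
    )
    accepted = rejected = 0
    for i in range(burst):
        if limiter.attempt("shop@suttonnet.example", now=i * spacing):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected, alerts


if __name__ == "__main__":
    accepted, rejected, alerts = simulate_compromised_account()
    print(f"accepted={accepted} rejected={rejected} alerts={alerts}")
```

In the simulation the first 100 messages go out, the remaining 20 are refused, and exactly one alert is raised for the account, which is the point at which a host would investigate and reset the password. Because the window slides, a legitimate account that sends steadily below the limit is never blocked.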
Your computer's or phone's anti spam and anti virus/anti malware programs help guard against spam and phishing emails if you keep them up to date. Spammers constantly invent ways to disguise their emails' spamminess from the filters. Security software vendors constantly update their products to outwit the spammers.
Take sensible precautions, regardless of how good you think your protective software is. No anti spam software keeps out dangerous email entirely.
- Never open any attachments on a suspect email.
- Beware of mail from senders you don't know.
Of course, a business can't ignore mail from an unknown email address: it might be a new customer. But you can be diligent, and keep your hand off that mouse while reading new mail. That way you can't accidentally click on a dodgy link.
The sooner you Junk bad emails and then Delete from Junk folder, the less trouble they can cause. If you aren't 100% sure: you can keep the mail in Junk until you get some clarification.
Last updated 30 April 2020