What Your Employees Need to Know About Phishing + Real-Life Examples

In this article, we’ll present a series of real-world phishing emails, with personal details altered or obfuscated to protect the innocent.

These are useful for training users to spot the clues that something is trying to trick them, so feel free to use these in your training materials.

Real-Life Phishing Examples

Let’s start with a classic, the Nigerian prince scam, also known as an advance-fee scam. These try to make victims believe that they are the recipients of a large amount of money (emotion trigger: greed), but to receive it, they must pay a fee (“transfer fee” or “handling fee”). Here’s a simple example:

Note the use of gift cards – criminals can’t use the standard international bank transfer system (Swift) as their funds would be blocked very quickly, and asking normal users to transfer crypto currency is also a dead giveaway – thus, the gift card request, a very common tactic.

A second clue in this email is the poor use of grammar and English, which is always a sign of something fishy but will likely be less prevalent in the coming months as generative AI tools become commonplace. Does this email really sound like it would have been sent by someone at JP Morgan Chase bank with the last name Angel?

Next is the phishing category, starting with a spoofing email. Spoofing is using various techniques to make it appear as if the email is coming from one sender when, in fact, it’s sent from an attacker’s email address. In this example that’s American Express, amex.com. This email also employs the tactic of making the entire email into an image, to make it harder for anti-spam engines which analyze text. Having SPF and DMARC records in place will block this particular spoofing technique.

The link shown in the image isn’t the one that an unwary user will open if they click it, which is why it’s important to train users to hover over suspicious links before clicking them (which is easier on computers than on smartphones).

Humans, including security experts, are poor at identifying malicious URLs (because they were never designed to be an indication of trustworthiness), but the fact that the link text you’re seeing on the screen doesn’t match the actual link target is enough to know that it’s a scam.

If you do click, you’re taken to a phishing page with a sign-in prompt, which looks like it’s an American express site.

Note the scroll bars, however: it’s a web page made to look like a browser window (inside the real browser), which you can tell from the scroll bars on the right and at the bottom. Again, the actual domain into which the victim is entering their credentials isn’t the one shown on the page.

Another flavor is impersonation: the email below again purports to be from American Express, but the sender is secureAmex@wsfax.com, whilst the display name of the sender is “American Express”. This email isn’t about triggering greed, but rather concern about the “important information” relating to your account.

Here’s another one from Canada Revenue Agency / Agence du revenu du Canada, again with the actual sending email address being different. This one appeals to greed with the promise of a refund; clicking the link leads to a credential harvesting page.

We have all become accustomed to receiving a lot of packages, and after the Covid-19 pandemic, it has become ubiquitous. In our data, DHL has been the leading company impersonated for a long time, but they were recently replaced by Fedex.

Here are two examples of DHL impersonation emails where the display name doesn’t match the sending email address, with links to click to “update your address”. Note the misspelt word “Packagging” as well as using “Hello Dear” as an introduction, unlikely from a shipping company.
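As an added example (not code from the article or from Hornetsecurity), here is a small Python triage script that checks the three clues described above for one raw message: a display name that claims a brand the sender domain does not belong to, the SPF/DKIM/DMARC results recorded in the Authentication-Results header, and visible link text whose host differs from the real href target. The brand allowlist, the receiving server name, the link targets and both sample messages are constructed for the example.

```python
"""Triage the impersonation clues above: display name vs. real sender domain,
SPF/DKIM/DMARC results, and visible link text vs. the real link target."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist (assumption for this example): brands staff deal with
# and the domains those brands really send from.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}, "dhl": {"dhl.com"}}
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# Link text that itself looks like a URL or domain, e.g. "https://www.x.com/y".
URLISH_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase host of a URL or of a bare 'domain/path' string."""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()


def _registered(host):
    """Crude registrable domain: last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def triage_message(raw):
    """Return findings for one raw RFC 5322 message; an empty list means no clue."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Display name claims a brand, but the address domain is not that brand's.
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and _registered(sender_domain) not in domains:
            findings.append(f"display name '{display}' but sender domain is {sender_domain}")
    # 2. What the receiving edge recorded for SPF, DKIM and DMARC.
    for mech, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() != "pass":
            findings.append(f"{mech.lower()}={result.lower()}")
    # 3. Visible link text shows one host while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = _host(text) if URLISH_RE.fullmatch(text) else ""
            real = _host(href)
            if shown and real and _registered(shown) != _registered(real):
                findings.append(f"link text shows {shown} but points to {real}")
    return findings


# Constructed sample modelled on the impersonation email above: display name
# "American Express", real sender at wsfax.com, failed authentication, bait link.
PHISH = "\n".join([
    'From: "American Express" <secureAmex@wsfax.com>',
    "Subject: Important information about your account",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=wsfax.com;"
    " dkim=none; dmarc=fail header.from=wsfax.com",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><p>Please review the information below.</p><a href='
    '"http://login-verify.example.net/amex">https://www.americanexpress.com/account</a>'
    "</body></html>",
])
# Constructed legitimate counterpart: right domain, all checks pass, honest link.
CLEAN = "\n".join([
    'From: "American Express" <alerts@americanexpress.com>',
    "Subject: Your statement is ready",
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><a href="https://www.americanexpress.com/account">View account</a></body></html>',
])

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, triage_message(raw) or ["no findings"])
```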

Phishing emails frequently use attachments to spring their trap; here’s one purporting to be from DocuSign.

The PDF attachment, obviously not a scanned fax page, looks like a DocuSign document – clicking the View Pending Document link leads to a phishing page. The DocuSign-looking page appeals to the familiarity of the process: many of us are asked to electronically sign documents using DocuSign, so we’re less likely to be suspicious of this request.

As mentioned, QR codes have become very popular in phishing emails. There are two reasons for this: firstly, email hygiene solutions were slow to incorporate technology to spot these in emails, scanning the code, following the link, and inspecting the target web page for signs of maliciousness. Hornetsecurity has had QR code scanning in place since early 2023.

Secondly, and possibly the reason why we’re still seeing large volumes of malicious emails with QR codes, is that they move the attack from an often managed, locked down, secured computer endpoint, where most business users read their emails, to a personal smartphone with minimal protection.

Scanning a QR code with your smartphone is second nature for most of us, especially as their use in society is so common, and people don’t expect a bad result from doing it.

Here are three examples of phishing emails with QR codes as the link instead of the traditional weblink or button to lure a victim.

This QR code leads to a phishing site where the victim enters their credentials to “update their password” but instead, they hand over their username and password for criminals to use in further attacks.

This second example is similar but focuses on the victim updating the Multi-Factor Authentication (MFA) which is about to expire. Note the misspelling of “mult-factor”.

The urgency of this email, with the 24-hour deadline, is again creating a sense that the user must do something about this now or risk losing access and not being able to do their job.

Both of these are particularly insidious because the legitimate set-up process for MFA with Microsoft Entra ID, either with Microsoft’s Authenticator app or a third-party app, involves scanning a QR code. It’ll seem quite normal for end-users to scan a QR code again as part of MFA.

Key here is education of the business staff by the IT / security teams. If there are no legitimate business processes that involve scanning QR codes sent through emails, it is essential to inform everyone to avoid scanning any QR code that they receive in an email.

Additionally, it is recommended to follow up with Security Awareness training, including simulated phishing emails, to test staff and help them sharpen their instincts.

If you do have legitimate business processes that involve QR codes, look to see if they can be sent in some other way than via email, and if they can’t, clarify to everyone that this process does use QR codes, and here’s how that flow works, but don’t scan any outside of this procedure.

This last example introduces a wrinkle with the QR code being blue on a red background, no doubt to bypass email hygiene solutions (Hornetsecurity ATP isn’t fooled and caught these). Note the clumsy grammar “failure to secure your update Mailbox will lead to deactivation”.

If you scan the QR code you’re taken to a credential harvesting page, gathering Microsoft login credentials.

The key in all these examples to convey to your staff is to be aware of triggering emotions, unusual requests, unusual processes (this isn’t how I normally reset my password), bad spelling and grammar and for QR codes, don’t scan them unless it’s part of a known business process.

Enhance employee awareness and safeguard critical data by leveraging Hornetsecurity’s Security Awareness Service for comprehensive cyber threat education and protection.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

In conclusion, understanding the tactics used in real-world phishing emails is crucial for individuals and organizations to protect against cyber threats.

By recognizing common red flags, practicing vigilance, and implementing robust security measures, individuals can defend themselves against phishing attacks, while organizations can fortify their defenses and mitigate the risk of data breaches and financial losses.

Stay informed, stay vigilant, and stay safe in the ever-evolving landscape of cybercrime.

FAQ

What are common characteristics of phishing emails?

Phishing emails often exploit emotions like greed or urgency, feature poor grammar, and employ spoofing techniques to appear legitimate. They may contain suspicious links or attachments and often mimic trusted organizations to deceive recipients.

How can individuals identify and protect against phishing attacks?

Individuals can protect themselves by being vigilant for red flags such as unusual requests, spelling and grammar errors, and unexpected links or attachments. They should verify the sender’s email address, hover over links to check their destination, and refrain from providing personal information unless absolutely certain of the sender’s legitimacy.

What measures can organizations take to mitigate the risk of phishing attacks?

Organizations should implement comprehensive security awareness training to educate employees about phishing tactics and best practices for identifying and reporting suspicious emails. Additionally, they should deploy advanced email filtering and anti-phishing technologies, enforce email authentication protocols like SPF and DMARC, and regularly update security policies and procedures to adapt to evolving threats.

Unmasking Phishing: Understanding the Insidious Threat to Your Organization

In this article, we delve into the pervasive threat of phishing and its profound implications for organizational security. Phishing, an ever-evolving tactic employed by cybercriminals, continues to pose a significant risk to businesses worldwide.

From impersonating trusted entities to crafting sophisticated lures tailored to specific targets, the techniques employed by malicious actors are as diverse as they are insidious. Join me as we delve into the intricacies of this perilous cyber threat landscape and explore strategies to fortify organizational defenses against it.

Phishing – An Insidious Risk to Your Organization

Phishing remains the number one attack vector for criminals to establish a foothold in your organization. Even in this day and age of Teams, Slack and their cousins being used for collaboration and communication, email remains the most common way to exchange information with people outside an organization.

And it’s got inertia because it’s been there for so many decades, and everyone knows how to use email, both in their personal and work lives.

This also makes it the perfect channel for the bad guys to “show up in front of” your users, masquerading as someone trustworthy.

At the lowest level this involves impersonating a trusted company – DHL / Fedex (“we’re delivering a parcel and need you to click here to validate the address”), or your bank / credit card company (“click here to validate this anomalous transaction we’ve flagged”).

And of course, there’s the OG phishing scam – “I’m a Nigerian prince with money to give away and I just need you to help me out with the transfer”. These are sent in bulk because even if only 1 in 1,000 makes it through to a user’s inbox and only 1 in 1,000 clicks it, for each million I send, I get one hit.

Stepping it up a bit are more customized campaigns, targeting specific countries or regions, with specific lures related to current affairs and impersonating companies more likely to be trusted by the recipients in that geography.

Finally, we have spear phishing with highly customized lures, sent in much smaller volumes but where criminals have done their homework and use people and companies that your users are already collaborating with, ensuring a much higher success rate.

In all cases – if a user falls for the lure and clicks the link, or downloads the attachment, or enters their login details on the fake sign-in page, the consequences can be dire.

A single click starts the dominos falling

That single click or download can be the start of a major incident. In cybersecurity we talk about the kill chain, the steps an attacker must take to achieve their end goal, which could be theft of your intellectual property, or encryption of all files in a ransomware attack.

There are many variants, and depending on the attacker and the target, not all steps are required but generally they start with Reconnaissance to understand your business and what lures are most likely to generate a click (and your revenue to know how much they can demand in ransom for your files / systems).

This is followed by Compromise, gaining that first foothold, Moving Laterally to compromise other user accounts and systems, achieving control over the environment (“Domain dominance”), Exfiltration of data so that you can be further incentivized to pay the attacker to not have your data leaked. And if it’s a ransomware attack, this is followed by the actual encryption of your files.

And all from that single click by a user – which is why phishing is such an important attack vector to understand and defend against.

The Need for Security Awareness Training

The risk in numbers

Out of the 45 billion emails analyzed in Hornetsecurity’s Cybersecurity Report 2024, 36.4% were labelled unwanted. Out of this third, 96.4% were spam, with 3.6% classified as malicious.

In this slice of malicious emails, phishing took the top spot at 43.3% (a 4% increase over the previous year) followed by 30.5% emails with malicious URLs (an 18% increase over the previous 12 months). Where there were malicious attachments, the most common was HTML files (37.1%), followed by PDFs (23.3%) and then archives such as ZIP files at 20.8%.

Getting as close as possible to a “clean feed”

All email hygiene systems follow the same basic architecture. Start by filtering out emails coming from known bad email servers and known bad domains by just refusing the connection.

Then, look at the DNS records (SPF – Sender Policy Framework, DMARC – Domain-based Message Authentication, Reporting and Conformance, and DKIM – DomainKeys Identified Mail) to filter out suspicious senders. Emails that make it through these first gates are then scanned by multiple anti-malware engines to spot any known viruses and filter those out.
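To make the DNS-record gate concrete, here is an added example (not Hornetsecurity’s code) that evaluates SPF and DMARC TXT record strings and flags the weak settings a receiving filter would be unable to act on, such as `?all` or `p=none`, with a weak and a corrected record side by side. The records are constructed for the example and no DNS lookups are made.

```python
"""Assess published SPF and DMARC TXT records for weak settings (no DNS lookups)."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|a(?::|$)|mx(?::|$)|ptr|exists:|redirect=)", re.I)
ALL_RE = re.compile(r"^[+\-~?]?all$", re.I)


def assess_spf(record):
    """Return a list of weaknesses found in one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_term = next((t.lower() for t in terms[1:] if ALL_RE.match(t)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every sender, so SPF blocks nothing")
    elif all_term == "?all":
        findings.append("'?all' is neutral: receivers will not fail spoofed mail")
    elif all_term == "~all":
        findings.append("'~all' softfail: receivers typically only mark, not reject")
    if any(t.lower().lstrip("+-~?").startswith("ptr") for t in terms[1:]):
        findings.append("'ptr' mechanism is deprecated and slow (RFC 7208 section 5.5)")
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses found in one DMARC TXT record string."""
    tags = {k.lower(): v.strip() for k, v in re.findall(r"([A-Za-z]+)\s*=\s*([^;]+)", record)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    p = tags.get("p", "").lower()
    if not p:
        findings.append("missing required p= tag")
    elif p == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    if p == "reject" and tags.get("sp", "").lower() in ("none", "quarantine"):
        findings.append(f"sp={tags['sp']} leaves subdomains weaker than the organisational domain")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who spoofs the domain")
    return findings


# Constructed records (example.net / example.com are reserved documentation domains).
WEAK_SPF = "v=spf1 a mx ptr include:_spf.mail.example.net ?all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, rec, fn in (("weak SPF", WEAK_SPF, assess_spf), ("strong SPF", STRONG_SPF, assess_spf),
                          ("weak DMARC", WEAK_DMARC, assess_dmarc), ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(f"{name}: {fn(rec) or ['no weaknesses found']}")
```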

In Hornetsecurity’s case, this is followed by Advanced Threat Protection, which inspects each email and its attachments in a sandbox, opening the files to look for any suspicious actions they perform, and using Machine Learning (ML) and over 500 signals to provide a verdict if the file / email is legitimate or not.

And if we later identify an email as malicious after delivery we can reach into any mailboxes where it has already been delivered and delete it.

This is an ongoing arms race, with attackers adjusting their tactics, types of attachment, obfuscating the malicious code and so forth, all to avoid detection. Our Security Lab experts, together with the ever-learning ML model tweak our detections to stop as close to 100% of all malicious emails as possible.

However, no system will catch every single bad message, and this is where the cybersecurity concept of defense in depth comes in.

In any complex IT system, you want to have multiple layers of protection, so that if the attackers penetrate one, they still have others to get through before they get to their prize. In this case, that’s your “human firewalls”, trained staff who know what signs to look for with their sharpened instincts.

Conclusion

In conclusion, phishing poses a grave threat to organizational security, requiring a multifaceted defense strategy. Through awareness, advanced email hygiene, and a commitment to defense in depth, organizations can mitigate the risk and safeguard their valuable assets against this insidious cyber threat.

FAQ

What makes phishing such a significant threat to organizations?

Phishing remains a top concern for organizations due to its deceptive nature and widespread prevalence. Cybercriminals employ various tactics, from impersonating trusted entities to crafting sophisticated lures tailored to specific targets. These attacks often start with a simple email, leveraging users’ familiarity with email communication to trick them into clicking malicious links or downloading harmful attachments. The consequences of falling for phishing attempts can be dire, ranging from data breaches to financial losses and even ransomware attacks.

How can organizations mitigate the risk of phishing attacks?

Organizations can mitigate the risk of phishing attacks through a multi-faceted approach. Implementing robust security awareness training programs is essential to educate employees about the tactics used by cybercriminals and empower them to recognize and report suspicious emails. Additionally, employing advanced email hygiene systems, such as those that utilize SPF, DMARC, and DKIM, can help filter out malicious emails before they reach users’ inboxes. Investing in advanced threat protection solutions, including sandboxing and machine learning, can further enhance detection capabilities and mitigate the impact of phishing attacks.

Why is defense in depth crucial in combating phishing threats?

Defense in depth is critical in combating phishing threats because no single security measure can provide complete protection against sophisticated attacks. By implementing multiple layers of defense, organizations can create overlapping security barriers that increase the complexity for attackers and reduce the likelihood of successful breaches. This approach includes not only technical solutions such as email filtering and malware detection but also emphasizes the importance of human vigilance. Trained staff serve as the final line of defense, equipped with the knowledge and skills to identify and respond to phishing attempts effectively.

How Difficult Is It to Remove Ransomware

Ransomware has been a part of the cybercrime ecosystem since the late 1980s and remains a major threat in the cyber landscape today.

Understanding Ransomware Mechanics and Its Short Evolution

The AIDS Trojan was the first known ransomware attack: it encrypted your files and demanded a ransom paid through the postal service. Over the years the functionality has evolved and become more sophisticated.

Early ransomware employed symmetric key encryption, which encrypts data with a single key; most threat actors have since moved to asymmetric cryptography, which encrypts files using a pair of keys for added security.

The delivery techniques have also evolved, moving on from the regular phishing email attachments, attackers now take advantage of software flaws and incorporate AI and Machine learning to enhance their evasion capabilities.

Cryptocurrencies like Bitcoin, Monero, and others are now the go-to payment option since they allow hackers to remain anonymous.

Ransomware as a service (RaaS) has made ransomware more accessible to novice attackers, or “Script-kiddies”. Larger organizations are now the target audience, or so we thought.

But attackers increasingly threaten to leak critical material as part of a double-extortion strategy and combine Distributed Denial of Service (DDoS) attacks with ransomware to overwhelm their targets.

Exploring Different Ransomware Types and Their Variances in Approach

As the world evolves, so do the ransomware types and their usage, depending mostly on the goals of the malicious threat actors. In the technology era, information is the gold standard, and it is where attackers focus their efforts and set their traps.

At its core, ransomware is malicious software designed to deny access to a computer system or files until a sum of money (“ransom payment”) is paid. As the end goal varies, so does the approach. Here are some examples of how malicious attackers can infect your systems with ransomware:

  1. Crypto Ransomware (Encryption): The most notable and vicious variant where the attackers encrypt the data on the host or entire organization, demanding payments to be delivered with cryptocurrencies in exchange for the decryption key. 
  2. Locker Ransomware: Another type of ransomware that locks your computer screen, rendering it unusable and restricting access to basic computer functions, accompanied by a popup and message demanding a ransom payment before access is restored.
  3. Scareware: A manipulative type of ransomware intended to trick or frighten the victims into going to particular websites or downloading malicious software. Popup advertisements and social engineering techniques are frequently utilized with the intention of fooling people into downloading or buying dangerous software. An example would be a flash message displayed that your workstation is infected and the attacker suggesting they are here to save the day with their free Antivirus, a classic strategy that unfortunately still works.
  4. Doxware: It involves a process called Doxing, a gathering of personal information about the target and using the scare tactic designed to make the victim feel shameful and disgusted by releasing their personal data. Threat actors breach people’s privacy by getting their hands on private documents and images, which they threaten to make public if a ransom is not paid. This is a more targeted approach, but it could have a wider ‘clientele’ as the target private information includes other potential victims.

Decoding the Mystery Behind Ransomware Removal and Recovery

Ransomware recovery demands a strategic approach, beginning with isolating infected systems to prevent spreading across the network. Simultaneously, it is crucial to discern the specific ransomware variant in play, a critical step as this information guides further steps and the search for customized decryption tools or focused solutions.

After identifying the malware, the eradication process may start, however, before complete removal, it is very wise to back up any essential data to protect against any unforeseen complications.

The employment of reputable antivirus or anti-malware ransomware software, updated to the latest definitions and signatures, becomes pivotal at this juncture, serving as a frontline defense mechanism.

Should circumstances permit, restoring the system from a meticulously maintained and uncontaminated backup stands out as a robust remedial measure.

Sustaining a proactive stance, keeping software and security patches current, educating users on Security Awareness Training, the ins and outs of phishing threats, and, where necessary, seeking professional cybersecurity assistance, complete the comprehensive ransomware removal strategy.

The dynamic nature of cybersecurity activities is highlighted by a post-removal phase marked by persistent monitoring for residual risks that could still bring the organization to its knees. Prioritizing prevention through regular backups and raising cybersecurity awareness is crucial for defending against the constantly changing ransomware threat scenario.

How to Select the Right Approach for Ransomware Removal and Preventative Measures

Ransomware removal is never guaranteed, so the best defense is to focus on your preventative measures. Timing is of the essence once this type of malware gets into your system, and it is crucial to have continuous monitoring properly deployed.

  • Do not pay the ransom – Paying does not guarantee that threat actors will return your files, and even if they do, there is no certainty that they haven’t kept a copy to use for their further agenda.
  • Isolate the infected systems – The first step when there are indicators of ransomware compromise is disconnecting the affected hosts from the network to minimize and control further spread to other devices and systems.
  • Identify the ransomware – Recognizing the variant helps you combat the ransomware: the common locations it resides in, and any remaining infection it may occupy. Using shared intel within the security community could also lead you to a decryption tool (which may or may not exist).
  • Knock, knock. Who’s there? Identify the attack source – This sounds counterintuitive, but if you can identify the attack source, it is a very useful piece of information for defending yourself against repeat infection by taking proper measures; backups are useless if you close the door again but leave it unlocked.

Steps to Take If Your Email Security Has Been Compromised

MGM Resorts

The notorious ALPHV (BlackCat) crew has unleashed a ransomware attack on MGM Resorts, causing significant havoc that disrupted the website, casino functions, and essential systems such as email, reservations, and digital room keys, plunging MGM’s operations into disarray.

This breach, initiated by social engineering, underscores the escalating risks faced by major enterprises. It’s particularly alarming as it follows a previous security breach at BetMGM, a branch of MGM Resorts, where hackers absconded with data from 1.5 million clients.

In a parallel episode, Caesars Entertainment faced a similar hacker incursion but swiftly recovered by ponying up a substantial ransom.

LockBIT 3.0

Among the prominent players in today’s ransomware arena is the feared LockBit 3.0. This group creates and distributes LockBit ransomware, operating under the ransomware-as-a-service (RaaS) model.

This setup implies that LockBit 3.0 collaborates with affiliates who deploy the ransomware in attacks, with both parties sharing the financial gains.

Affiliates of LockBit employ spearphishing and phishing techniques to penetrate victims’ networks. LockBit group ‘customers’ acquire and misuse login passwords of active accounts to obtain initial access, and while LockBit 3.0 is running, the malware executes commands such as batch scripts to run malicious commands.

LockBit 3.0 has a global reach, orchestrating impactful cyber attacks on businesses spanning public and commercial sectors. Renowned for their cunning tactics, the gang employs diverse channels to distribute malware, including phishing emails and exploit kits.

What sets them apart is their triple-extortion approach, where they encrypt victim data, threaten public exposure, and engage with partners or customers. Balancing sophisticated techniques with human-centric exploits, LockBit 3.0 remains a formidable force in the cybersecurity arena.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service and Advanced Threat Protection to secure your critical data.

To keep up with the latest articles and practices, visit our Hornetsecurity blog now.

Conclusion

To wrap it all up, ransomware is a category of computer infection. It is employed to trick people into making payments. This typically indicates that the ransomware has encrypted your data and requests payment to unlock them. The best course of action is to prevent getting infected and make strong backups of your files in case you do get infected. Depending on how sophisticated the virus is, there might not be a method to get around this.

FAQ

Can ransomware be deleted?

Removing ransomware from a system is more complex than deleting a regular file. Caution is essential, and paying the ransom is strongly discouraged as it doesn’t guarantee file recovery and may support criminal activities. Prevention, regular backups, and updated security software are vital for protection against ransomware attacks.

What tool removes ransomware?

Keep in mind that no tool can ensure that every ransomware variant has been completely removed and that the effectiveness of a tool can vary based on the particular ransomware strain. Furthermore, proactive defense, timely security software updates, and a solid backup plan are essential to exhaustive ransomware protection.

Is ransomware difficult to remove?

To remove ransomware, think about performing a factory reset on affected systems once you’ve located and isolated them. Paying the ransom is discouraged as removal is never guaranteed, and you only look weak in the eyes of the attackers, making you a recurring target. Rather, prioritize creating a thorough incident response strategy that includes instructions for security partners, how to isolate assaults, and how to record important attack logs for forensic analysis. To guarantee a backup of crucial data, keep up a robust backup management program and evaluate risks regularly. Your organization’s defenses against prospective cyber threats are strengthened by advance planning and abstaining from ransom payments.

Can ransomware be solved?

Ransomware can be solved depending on the variant, your organization’s preparation, and your incident response plan. It is very important to have proper security awareness training and exercises to prepare you for this event, as time is valuable once you become a victim. Tabletop exercises, communication with other security professionals, and intelligence sharing will only boost your chances of fighting this attack. Preparation is key, as it is not an ‘if’ issue but a ‘when’.

How to Avoid an Email Security Breach

Email is still the most important communication channel. More than 300 billion e-mails are sent and received every day. According to forecasts, this figure will increase to almost 400 billion a day by 2026.

Hackers know this and are constantly targeting companies, infecting them via email with various types of malware or phishing attacks. But this only happens when companies have poor security hygiene and fail to provide ongoing employee training.

As an example, in 2019, healthcare organization NHS Highland inadvertently disclosed the health records of 40 HIV-positive people by sending an email via CC rather than BCC. This was considered an email security breach.

This article is about email security breaches and how to avoid them using best practices and Hornetsecurity’s email security services.

We all want to stay ahead of a malicious email leading to a compromised business. Don’t we!?

Understanding Email Data Breaches and the Importance of Email Security

A data breach is data loss or data compromise due to inadequate security measures or human error.

Malicious actors are targeting our infrastructure using various techniques such as malware, phishing, and social engineering. In most cases, these attacks are carried out via email. The hackers try to trick us into opening links or attachments that give them access to our infrastructure and data.

Even if we have the most advanced security measures and systems in place, this is of no use if our employees are not trained in the correct handling of devices, emails, and data.

The first target of most cyber attacks is people. Attackers use our human psychology against us: our willingness to help others, or our lack of understanding of the risks involved in email attacks.

The introduction of strong email security measures and employee training reduces the risk of being hacked.

Notable Examples of Massive Email Data Breaches

There have been several data breaches in the last decade. We will not go into all of them, but we will mention a few major data breaches.

In August 2013, Yahoo was attacked by a hacker group. Over 3 billion email accounts were compromised; the full scale was only disclosed in 2017.

In 2018, hackers gained unauthorized access to Aadhaar, the largest ID database in India. Over 1.1 billion Indian citizens were affected by this data breach, including their names, addresses, photos, phone numbers, email addresses, and biometric data.

In July 2019, an attacker gained access to over 100 million accounts hosted by Capital One and stole credit application data affecting around 100 million people in the US and around 6 million in Canada.

In June 2021, data from 700 million LinkedIn user accounts was offered for sale on a dark web forum, the largest exposure of user data the company had experienced.

There are dozens of other data breaches that can be traced back to inadequate security measures. 

Exploring Vulnerabilities Stemming from Weak Email Security

Weak email security exposes company data. It typically means weak passwords, no multi-factor authentication, no defenses against phishing and spam, no email encryption, no email security policies, no ongoing training, or a combination of these.

Even failing one of these can damage the integrity and reputation of a company and put it in financial difficulties.

Where email security is weak, there is plenty of scope for attacks and breaches. A single phished credential or malicious attachment gives attackers a foothold from which they can move on to unpatched systems, unencrypted storage, and other weaknesses from the physical to the application layer.

To minimize the risk, companies should invest in robust email security measures.

Recognizing Signs of a Hacked Email Account

If you suspect that your email account has been hacked, there are several signs to look out for. None of them is proof on its own (the “unusual activity” may turn out to be you), but each should trigger a closer look.

There are two possible scenarios. Your account has been hacked and you can no longer use it, or your account has been hacked and you can still use it.

In the first case, hackers have compromised your email account and data and changed the password.

You have tried several times to enter your password in the web or email client and it no longer works, or a client that was already signed in (Outlook, for example) suddenly prompts you to re-enter it. You have probably been hacked.

In the second case, the hackers have compromised your email account but have not changed your password. If you have configured this, you should receive a notification about unusual or suspicious activity in your email account.

Most email providers run a security service that sends a notification to you or to your alternate email address when suspicious activity is detected.

These activities may include notifications of unauthorized access from unusual IP locations or devices, password change notifications, unexpected password reset emails, changes to account information, and unknown devices connected to your email account.

You should always pay attention to these notifications, even if you think it’s not a sign of malicious activity. For example, if you were logged into your email in Germany, then traveled to the US and continue to use your email, your email service will trigger a notification of a new sign-in activity from a different country.

In this example, we see that someone tried to log into my email account from the US and an unknown location, and it wasn’t me.

Email Sign-in activity

Additionally, if your internal or external colleagues are receiving spam or phishing emails from your account that you did not send, your account is likely compromised.

Note that an email that appears to come from you may in fact have been sent from a different address that merely spoofs yours as “cover” to make it more likely to slip through defenses; on its own, this does not mean your account was compromised.

Check if there are any suspicious emails in the “Sent” folder or if there are any forwarding rules in place to forward emails from your account to a third party’s email address.

Steps to Take If Your Email Security Has Been Compromised

If you are an IT administrator and you learn from a breach notification (for example a published credential dump) that email addresses within your organization are affected, you need to take immediate security measures and inform the affected parties.

First and foremost, change the email password and enable multi-factor authentication (MFA). Changing the password alone does not end sessions that are already signed in, so also revoke active sessions and app passwords, and re-check the registered MFA methods in case the attacker added a device of their own. If you are an end user and find that you can no longer log in, report the incident to your IT team immediately.

Different security measures to secure your email account

Check whether your account settings have been changed. Also review the apps and devices associated with your email account, since authorized apps and registered devices can keep working after a password change. If you notice any unknown apps or devices, revoke or block them immediately.

Also, check account activity and see where you have logged in or tried to log in without authorization.

Malicious actors could be sending emails to your contact list. Check your sent, received, and deleted folders, and warn your contacts that they may have received emails from your address that you did not write.

Scan your computer and network for malware and viruses.

Once you have taken these measures, find and document the root cause (which phishing email, which reused password, which missing control) and strengthen your security measures so that it cannot happen again.
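
The mailbox checks described above (forwarding rules, sign-in activity) are easy to automate once the data is exported. The following Python is an added example written for this article; it is not Hornetsecurity’s or Microsoft’s code. It scores inbox rules for the patterns attackers leave behind (external forwarding, deletion, hiding mail in rarely read folders, filtering on fraud keywords, one-character rule names) and flags “impossible travel” between consecutive sign-ins. The field names mimic what Exchange Online and the Entra ID sign-in log export, but they and all sample values are assumptions.

```python
"""Triage helpers for a suspected mailbox compromise.

Added example for this article; it is not Hornetsecurity's or Microsoft's
code. The rule and sign-in records below are constructed to resemble the
fields exported by Exchange Online (Get-InboxRule) and the Entra ID
sign-in log, but the field names and all sample values are assumptions.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own domains

# Folders attackers favour because users rarely look in them.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History",
                  "Archive", "Junk Email", "Deleted Items"}

# Keywords a fraudster filters so the victim never sees the reply or the alert.
FRAUD_WORDS = {"invoice", "payment", "wire", "password", "hacked",
               "phishing", "suspicious", "security alert"}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule):
    """Return the reasons one inbox rule looks like attacker persistence
    (an empty list means nothing suspicious was found)."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [a for a in targets if _domain(a) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards or redirects to external: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes incoming mail")
    if rule.get("MoveToFolder") in HIDING_FOLDERS:
        findings.append(f"moves mail to seldom-read folder {rule['MoveToFolder']!r}")
    if rule.get("MarkAsRead") and (external or rule.get("MoveToFolder")):
        findings.append("marks mail as read so it never shows up as unread")
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    if words & FRAUD_WORDS:
        findings.append("filters on fraud/alert keywords: "
                        + ", ".join(sorted(words & FRAUD_WORDS)))
    if len(rule.get("Name", "").strip(" .-_")) <= 1:
        findings.append(f"inconspicuous rule name {rule.get('Name', '')!r}")
    return findings


def audit_inbox_rules(rules):
    """Return [(rule name, findings)] for every rule with at least one finding."""
    return [(r.get("Name", ""), f) for r in rules if (f := rule_findings(r))]


def impossible_travel(signins, max_hours=6):
    """Flag consecutive successful sign-ins from different countries that are
    closer together than any plausible journey (the Germany -> US case above)."""
    ok = sorted((e for e in signins if e["Status"] == "Success"), key=lambda e: e["Time"])
    flagged = []
    for prev, cur in zip(ok, ok[1:]):
        gap = cur["Time"] - prev["Time"]
        if prev["Country"] != cur["Country"] and gap < timedelta(hours=max_hours):
            flagged.append((prev["Country"], prev["IP"], cur["Country"], cur["IP"], gap))
    return flagged


# Constructed sample data (no real accounts, rules or addresses).
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectContainsWords": ["Newsletter"],
     "MoveToFolder": "Reading", "MarkAsRead": False},
    {"Name": "..", "SubjectContainsWords": ["invoice", "payment"],
     "ForwardTo": ["ceo.finance@mail-example.net"], "DeleteMessage": True,
     "MarkAsRead": True},
    {"Name": "Alerts", "BodyContainsWords": ["phishing"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
]
SAMPLE_SIGNINS = [
    {"Time": datetime(2024, 3, 1, 8, 5), "Country": "DE", "IP": "203.0.113.10", "Status": "Success"},
    {"Time": datetime(2024, 3, 1, 9, 40), "Country": "US", "IP": "198.51.100.7", "Status": "Success"},
    {"Time": datetime(2024, 3, 1, 9, 41), "Country": "US", "IP": "198.51.100.7", "Status": "Failure"},
    {"Time": datetime(2024, 3, 3, 8, 0), "Country": "DE", "IP": "203.0.113.10", "Status": "Success"},
]

if __name__ == "__main__":
    for name, findings in audit_inbox_rules(SAMPLE_RULES):
        print(f"rule {name!r}: " + "; ".join(findings))
    for hit in impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
```

Run against a real export, the rule audit is the faster win: attacker rules are usually created minutes after the first login, and a forward-and-delete rule on “invoice” or “payment” is the signature of business email compromise rather than of a curious user.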

How can you do this? Read the section below on Hornetsecurity.

Strategies for Organizations to Mitigate Simple Email Mistakes

One of the most common email errors is misdelivery: accidentally sending a confidential email, with or without attachments, to the wrong external contact.

One way to reduce misdelivery is to warn employees whenever a message involves an external party. Microsoft 365, for example, can tag messages that arrive from outside your organization, and Outlook can warn you when you address a message to an external recipient, so you see the warning before you send.

External Email Warning Message Microsoft 365

Another example of incorrect delivery is the improper use of CC and BCC email fields. In 2019, representatives from the healthcare organization NHS Highland sent emails to nearly 40 HIV-positive people, publicly exposing them and breaching confidentiality.

What did they do to expose them? They sent an invitation to a support group run by a health clinic with the recipients in the CC field instead of BCC (Blind Carbon Copy). With CC, every recipient sees every other address; BCC recipients are hidden from everyone else, because their addresses travel only in the SMTP envelope and never in the delivered message.
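
The CC/BCC mistake above is a header-versus-envelope question, and the safest way to mail a confidential group is not to write the hidden addresses into any header at all. The following Python is an added example written for this article, not code from the article or from the organisation involved; all addresses are constructed. It builds the message with the group only in the envelope recipient list and provides a pre-send check that would have caught the CC version.

```python
"""Sending one message to a group without exposing the group.

Added example; this is not code from the article or from the organisation
involved, and all addresses are constructed. The mechanical point: recipients
who must stay confidential go into the SMTP envelope (RCPT TO) only and
never into a header that leaves the sender's system.
"""
from email.message import EmailMessage
from email.utils import getaddresses


def build_confidential_mailing(sender, hidden_recipients, subject, body):
    """Return (envelope_recipients, message) for a mailing whose recipients
    must not see each other. Nobody is placed in To or Cc; the sender's own
    address serves as the visible To, and no Bcc header is written at all,
    so nothing can leak even if a relay forgets to strip it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"Undisclosed recipients <{sender}>"
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = sorted({a.lower() for a in hidden_recipients})
    return envelope, msg


def visible_addresses(msg):
    """Every address another recipient would see in the delivered headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def leaks_recipients(msg, confidential):
    """Pre-send check: the confidential addresses that would be exposed.
    Catches both the CC-instead-of-BCC mistake and a stray Bcc header."""
    return sorted(visible_addresses(msg) & {a.lower() for a in confidential})


def mistaken_cc_version(sender, recipients, subject, body):
    """The mistake described above: every invitee placed in Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Cc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample: an invitation to a confidential support group.
GROUP = ["alice@example.net", "bob@example.org", "carol@example.com"]
SENDER = "clinic@example.com"

if __name__ == "__main__":
    envelope, msg = build_confidential_mailing(SENDER, GROUP, "Support group", "Next meeting: Tuesday 18:00.")
    print("RCPT TO:", envelope)
    print("exposed by BCC version:", leaks_recipients(msg, GROUP))
    bad = mistaken_cc_version(SENDER, GROUP, "Support group", "Next meeting: Tuesday 18:00.")
    print("exposed by CC version:", leaks_recipients(bad, GROUP))
    # Hand-off to the mail server, envelope recipients kept apart from the headers:
    #   with smtplib.SMTP("mail.example.com") as smtp:
    #       smtp.send_message(msg, to_addrs=envelope)
```

The check in leaks_recipients is the kind of rule a send-time warning can apply: if any address from a list marked confidential appears in To, Cc or Bcc of the outgoing message, block the send until the recipients are moved to the envelope.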

Another mistake is failing to recognize spam and phishing. Spam is unsolicited bulk email, usually advertising. Phishing emails, on the other hand, are malicious: they carry links to malware or credential-harvesting sites, or malicious attachments. Users should be trained to recognize both and to report phishing to the IT department immediately.

How can you mitigate these simple email mistakes? By providing continuous security awareness training and challenging users’ actions.

Additionally, use email filtering and security detection to block malware, spam, and phishing attacks before they land in your users’ inboxes.

Reducing the Risk of Email Data Breaches: Best Practices

Security is a shared responsibility. It is the organization’s responsibility to implement security measures and training on security, and it is the end users’ responsibility to follow them.

First and foremost, make sure you have a strong password culture. That means enforcing various password policies within your organization. These policies include password complexity, password length, minimum and maximum password age, password history, password lockout, and others.

For example, the password’s complexity determines which characters should be included in it, while the length determines how long it should be. If you apply these two policies to your email accounts, you can get a password with at least 12 characters, including upper and lower case letters, numbers, and symbols.

As far as password guidelines are concerned, never use the same password for multiple accounts: if one is breached, so are all the others. Also, never use personal information in your password.

A strong password alone is not enough. Implement multi-factor authentication (MFA), where you confirm your identity with a second factor such as an authenticator app, a hardware security key, or biometrics (SMS codes are the weakest option). If an attacker obtains your password, they still cannot log in without the second factor. One caveat: one-time codes and push approvals can themselves be phished or relayed through an adversary-in-the-middle proxy, so prefer phishing-resistant methods such as FIDO2 security keys for privileged accounts. MFA is a must, not an option.

Hackers use social engineering and phishing to trick you and gain access to your computers. How can you fight them? With solutions like the Hornetsecurity Security Awareness Service, you can also simulate phishing attacks and create sophisticated phishing emails that train users to spot suspicious emails. With this service, you can target everyone from entry-level to C-level.

Phishing attacks will still come after the training. You should implement email security measures that recognize and block phishing attacks in time.

You can find out more about preventive phishing measures in the section Protect your brand with Hornetsecurity: The role of email security.

There are other practices that are a variation of what we mentioned above.

Protect Your Brand with Hornetsecurity: The Role of Email Security

Hornetsecurity offers you a range of tools to strengthen your email security and mitigate email data breaches. These include advanced threat protection, spam and malware protection, and email encryption.

Advanced Threat Protection

Advanced Threat Protection protects your organization from advanced attacks such as ransomware and phishing. This is important because criminal groups target organizations with malware families such as Emotet, TrickBot, and GandCrab, and email is their most common delivery channel.

QR codes make life easier: scanning one to open a website is quicker than typing the address. Attackers exploit exactly that convenience by placing a QR code in an email that leads to a malicious site, either to harvest credentials or to deliver a download.

Advanced Threat Protection offers a QR Code Analyzer that analyzes QR codes and checks if they are malicious, in which case the email is blocked accordingly.

QR Analyzer

Advanced Threat Protection also protects you against blended attacks, which combine several techniques in a single email, for example a phishing lure with a malicious attachment and a link that drops spyware.

Hornetsecurity uses various technologies to protect you from email attacks, including sandboxing, freezing, safe links, URL scanning, real-time alerting, and ex-post alerting.

A strong alliance against all methods of attack

The sandbox engine scans the attachment in an isolated environment and checks for malicious activity. If the document is malicious, the file is quarantined, and the IT Security team is notified. If a file cannot be classified as malicious, but seems suspicious, Hornetsecurity freezes it for a short period.

Advanced Threat Protection also scans links before you open them. If an attachment such as a PDF or Word document contains links, the URL scanning engine checks them without altering the document.

When an attack occurs, Advanced Threat Protection sends a real-time alert and informs you accordingly. It also supports ex-post alerts to inform you about emails that have already been delivered and are subsequently classified as malicious. It will even reach into users’ mailboxes and delete malicious emails that have already been delivered.

Email Security

Hornetsecurity Email Security offers a powerful spam filter and protection against malware. According to our research, 50% of the world’s email traffic is spam. Email Security offers the highest detection rate on the market, with guaranteed 99.9% spam and 99.99% virus detection.

It protects you from DDoS attacks and phishing emails.

It also supports infomail (newsletter) filtering, encryption of data traffic, link tracking, phishing filters, automatic virus signature updates, outbound filtering, bounce management, dynamic virus outbreak detection, and multi-level spam detection.

In 2023, Hornetsecurity processed in excess of 45 billion emails. That volume gives us a unique vantage point to identify emerging threats and critical vulnerabilities, reveal important trends, and make informed projections about the future of Microsoft 365 security threats, so that businesses can act accordingly. Read more in our Cyber Security Report.

Hornetsecurity spam filtering and malware protection can be integrated into the email management system. Ask about Spam Filtering and Malware Protection now.

Email Encryption

Email encryption enables the encrypted exchange of emails, which is extremely helpful when exchanging sensitive data and attachments. Unencrypted mail that is intercepted can simply be read.

It supports all standard encryption technologies, including S/MIME, PGP and TLS. Note the difference: TLS protects the connection between mail servers, so a message is protected in transit but readable on every server it passes through; S/MIME and PGP encrypt the message itself end to end, so only the holder of the recipient’s private key can read it. Managing encryption, user certificates and encryption policies takes minimal effort.

Email encryption includes the following features: Testing option for encryption suitability, automatic digital signing & encryption of outgoing emails via S/MIME and PGP, automatic certificate management & key storage, individual setup and definition of encryption policies, personal email certificates, confidential communication via Websafe, and others.

You can read more here Encrypted email – secure email with PGP, S/MIME, TLS Email Encryption.

You can also opt for email compliance and productivity tools for email archiving, signatures and disclaimers, and continuity services.

Security Awareness Service

According to the World Economic Forum, 95% of all cyber security incidents are caused by human error. One of the types of human error is clicking on suspicious links and attachments in phishing emails. Hornetsecurity has developed a solution that simulates realistic phishing emails and is aimed at everyone from entry-level to C-level.

The solution is called Security Awareness Service. It combines fully automated awareness benchmarking, spear-phishing simulation, and e-training to raise awareness and protect employees from cyber threats.

It offers an Employee Security Index (ESI) that continuously measures and compares the security behavior of employees throughout the company. Based on the target group in your company and its ESI, you can develop a customized training course tailored to its needs.

Weekly, monthly, or however you like, you can trigger phishing emails and test your employees’ phishing detection skills.

This keeps your users’ detection skills current.

To properly protect your cyber environment, use Hornetsecurity Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam & Malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

Email security breaches let malicious individuals or groups access your company data. This happens due to inadequate security measures and a lack of security awareness.

Hackers attack companies through emails by using social engineering and phishing attacks. The idea behind these two attacks is to trick people into opening malicious links and attachments in email in order to gain access to their data. It is one of the most common malicious methods.

Another way for hackers to gain access to emails is if organizations or companies use weak email security. This indicates weak passwords, lack of multi-factor authentication and inadequate email security software.

Security is a shared responsibility between IT teams and employees. IT teams should implement strong email security measures and enforce policies, and employees should follow them.

This article covered email security breaches, how they occur, and what users and organizations can do to prevent them. It also demonstrated the strengths of Hornetsecurity’s email security solution.

FAQ

What is an email security breach?

An email security breach occurs when hackers gain unauthorized access to our data and make it publicly available or use it to attack us. This hurts the integrity of our data and the availability of email communication. This happens due to cybersecurity attacks, phishing, and inadequate security measures in companies.

What happens if your email is breached?

If your email is breached, your organization can get into serious trouble. Malicious actors gain access to your data and can expose it publicly, use the account to deliver malware, and disrupt business operations.

Can I check if my email has been hacked?

If your email has been hacked, the hacker will probably change a password and you will no longer be able to log in. The second scenario is that your email has been compromised, but you can still use it. Email security services can trigger a notification of unauthorized access from a third-party IP or location in this case.

Can I check if my data has been breached?

You can check whether your email address, and therefore potentially your data, appears in a known breach. Various online services let you look up whether your address is present in a published breach dataset.

Email Threats in 2024 Are Evolving – How Advanced Threat Protection Keeps Your Business One Step Ahead of Attacks

The most common way that criminals gain access to your business is through malicious emails. This is often a phishing email, asking the recipient to change their corporate password with a link to a site, or to approve a parcel delivery, or in what’s becoming more common, scan a QR code on your phone to access a business application.

These risks are all real, and they are used to compromise businesses every day.

To make sure your business isn’t the next one in the headlines for all the wrong reasons, you need a strong and layered defense, that adapts and evolves with the ever-changing threat landscape.

In this article we’ll explore how Hornetsecurity’s email security services integrate with your Microsoft 365 email service and protect you from simple, volume-based threats with smart technology; keep you safe from advanced attacks such as spear phishing with Advanced Threat Protection (ATP); safeguard your users from malicious QR codes out of the box; and, if all of those layers fail, train your users to spot and report malicious content.

We’ll go deep on ATP, without revealing details criminals can use to bypass your defenses.

Two Ways to Integrate With Exchange Online

There are two technical approaches to layer email security on top of Exchange Online in Microsoft 365:

  1. The first involves changing the Mail eXchanger (MX) records for your email domain (“company.com”) in the internet’s Domain Name System (DNS) to point to our service. All incoming mail will pass through our services, providing a clean feed to your users’ inboxes. One caveat with any MX-based gateway: Exchange Online still accepts mail delivered directly to its own endpoint, so you should restrict your inbound connector to accept mail only from the gateway’s IP ranges; otherwise an attacker who discovers the original endpoint can bypass the filter entirely.
  2. The second method is creating an application in Entra ID (formerly Azure Active Directory, AAD), the identity platform underlying Microsoft 365, and giving it specific permissions to the Graph Application Programming Interface (API) that exposes user mailboxes. This second approach allows additional flexibility, such as the ability to reach into users’ mailboxes after an email has already been delivered and delete it, if the system has determined that something was missed in the original delivery scan and the email is now identified as malicious.

Hornetsecurity applies both methods, combining the best of both worlds for unsurpassed protection.

Dealing With Low Hanging Fruit

In our 2024 Cyber Security Report we saw that out of the 45 billion emails we scanned in 12 months, 36.4% were categorized as unwanted. That’s over a third of all emails that you want to keep out of your users’ inboxes. Out of that third, 3.6% were flagged as malicious.

Clearly you need a fast system to deal with the vast amount of junk quickly, which we do at the blocking phase, weeding out connections from known bad email servers, and traffic from known bad senders.

We have a 99.9% guaranteed spam detection and 99.99% virus detection, using 18 independent virus and phishing spam filters, and we scan both incoming and outgoing emails for spam, malicious URLs and viruses.

Hornetsecurity ATP - Stay ahead of email threats

Sometimes an email bounces: it is returned to the sender because the address is unknown (or was mistyped), which is useful for the sender to know. However, you also receive bounces when an attacker forged your address as the sender of spam sent to others; their mail servers then return the rejections to you. We filter out these fake bounces to protect you against such backscatter and bounce attacks.
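
The standard way to separate a genuine bounce from backscatter is to make every outgoing Return-Path unique and signed, so a bounce to a plain, unsigned address is provably a reply to mail you never sent. The following Python is an added example written for this article; it is not Hornetsecurity’s implementation, whose internals the article does not describe. It loosely follows the Bounce Address Tag Validation (BATV) idea; the key, dates and addresses are assumptions.

```python
"""Telling genuine bounces from backscatter with a signed envelope sender.

Added example; this is not Hornetsecurity's implementation, whose internals
the article does not describe. It loosely follows the Bounce Address Tag
Validation idea (BATV): every outgoing message gets a unique, signed
Return-Path, so a bounce addressed to a plain, unsigned address can only be a
reply to mail we never sent. The key and dates are assumptions.
"""
import hashlib
import hmac
from datetime import date, timedelta

SECRET = b"assumed-per-site-key-rotate-me"
VALID_DAYS = 7  # a real bounce arrives within days; older tags are refused


def _tag(local, day, counter):
    mac = hmac.new(SECRET, f"{local}|{day}|{counter}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def sign_return_path(address, sent_on, counter):
    """Turn sender@example.com into prvs=<day>-<counter>-<mac>=sender@example.com,
    used as SMTP MAIL FROM. The per-message counter makes every tag unique."""
    local, domain = address.split("@", 1)
    day = sent_on.toordinal()
    return f"prvs={day}-{counter}-{_tag(local, day, counter)}={local}@{domain}"


def validate_bounce_target(rcpt, today):
    """For a message arriving with the null sender (MAIL FROM:<>), i.e. a
    bounce, decide whether RCPT TO is a Return-Path we really issued.
    Returns (accept, reason, original_address)."""
    local, _, domain = rcpt.partition("@")
    if not local.startswith("prvs="):
        return False, "unsigned bounce address: backscatter", None
    try:
        tag, orig_local = local[len("prvs="):].split("=", 1)
        day, counter, mac = tag.split("-")
        day, counter = int(day), int(counter)
    except ValueError:
        return False, "malformed tag", None
    if not hmac.compare_digest(mac.encode(), _tag(orig_local, day, counter).encode()):
        return False, "bad signature", None
    if today.toordinal() - day > VALID_DAYS:
        return False, "tag expired", None
    return True, "genuine bounce", f"{orig_local}@{domain}"


# Constructed scenario.
SENT_ON = date(2024, 3, 1)
RETURN_PATH = sign_return_path("alice@example.com", SENT_ON, 4711)
TWO_DAYS_LATER = SENT_ON + timedelta(days=2)
THREE_WEEKS_LATER = SENT_ON + timedelta(days=21)
# What a spammer's victim server sends back after the spammer forged our address:
BACKSCATTER_RCPT = "alice@example.com"
# A forged tag with a guessed MAC:
FORGED_RCPT = f"prvs={SENT_ON.toordinal()}-4711-{'0' * 16}=alice@example.com"

if __name__ == "__main__":
    for rcpt, when in [(RETURN_PATH, TWO_DAYS_LATER), (RETURN_PATH, THREE_WEEKS_LATER),
                       (BACKSCATTER_RCPT, TWO_DAYS_LATER), (FORGED_RCPT, TWO_DAYS_LATER)]:
        print(rcpt, "->", validate_bounce_target(rcpt, when))
```

The scheme only works if every legitimate outgoing message leaves through the gateway that signs it; a server that sends with a plain Return-Path would have its real bounces rejected as backscatter. The rejection itself should happen at SMTP time (a 5xx after RCPT TO), so the backscatter never consumes storage or reaches a user.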

It’s an Arms Race

The above services deal with most of the incoming undesirable and malicious emails. However, attackers spend a lot of time and effort changing their attack methods to bypass email filters. This is where ATP comes in.

One popular option is attaching an encrypted document to an email, with the password given in the message text. Anti-malware engines normally cannot scan such a file and so might miss a malicious one; ATP uses Malicious Document Decryption to open and scan it.

QR codes in emails are an attack type that has gained momentum in the last few months, partly because QR codes are now such a normal part of life (restaurant menus, paying for parking, and so on), and partly because the attack moves from the (often) corporate-owned and managed PC to a user’s personal phone.

It neatly bypasses all the protections in place on the computer and the URL in the QR code often leads to a familiar looking login page. ATP has had built in QR code scanning for common file types (GIF, JPEG, PNG and BMP) for over a year.

ATP has many layers of protection, such as the Sandbox Engine, which opens every attached file in an isolated environment to identify malicious attachments; if one is found, the email is quarantined.

The Sandbox Engine checks whether an attached file tries to detect that it is running in a VM or sandbox, which is a dead giveaway that it is malicious. It also uses a file system monitor to see if the attachment writes or alters files, and a process monitor to see if the file starts a child process (popular in malicious Adobe PDF files).

There’s also a registry monitor to spot unusual values being stored in the registry (often used for persistence when the PC is restarted) and network monitoring to see if the document is trying to communicate with an endpoint on the internet, another unusual behavior for a document.

Memory is inspected from a forensic point of view (again, documents accessing memory in unusual ways is a strong indication that it’s malicious). Tying it all together is a Machine Learning engine that looks at the above signals, and over 500 indicators, and separates malicious files from benign ones with very high accuracy.

Freezing is another approach, if an email is suspicious, but not clearly classified as bad yet, it’s held back for a short time. New data may lead to a positive identification of a virus attachment for example.

All links in emails (URLs) are rewritten with a link to our secure web gateway, and scanned both when the email is received and when the user eventually clicks on it.

To work around this, attackers often place links inside attached files, which cannot be rewritten (that would alter the document’s integrity); our engine still follows those links to check for a malicious payload at the destination.
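
Link rewriting has two halves: replacing every URL at delivery time with a gateway link, and, at click time, verifying that the gateway link is one the gateway itself issued, so the gateway cannot be abused as an open redirect to arbitrary attacker URLs. The following Python is an added example written for this article, not Hornetsecurity’s code (the article does not describe its wire format). The gateway host, signing key and the sample HTML body are assumptions.

```python
"""Rewriting email links through a click-time scanning gateway.

Added example, not Hornetsecurity's code (the article does not describe its
wire format). It shows both halves of the technique: at delivery time every
http(s) href in the HTML body is replaced by a gateway link carrying the
original URL and an HMAC; at click time the gateway verifies the HMAC before
it scans and redirects, so nobody can use the gateway as an open redirect to
an arbitrary URL. Gateway host, key and the sample HTML are assumptions.
"""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlsplit

GATEWAY = "https://links.gateway.example/click"   # assumption
KEY = b"assumed-gateway-signing-key"

HREF = re.compile(r'''(href\s*=\s*)(["'])(https?://[^"'\s]+)\2''', re.IGNORECASE)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(message_id: str, url: str) -> bytes:
    return hmac.new(KEY, f"{message_id}\n{url}".encode(), hashlib.sha256).digest()


def rewrite_url(url: str, message_id: str) -> str:
    """Wrap one URL. Binding the MAC to the message id lets the gateway find
    the original mail when a click turns out to be malicious (ex-post alert)."""
    params = {"u": _b64(url.encode()), "m": message_id, "s": _b64(_mac(message_id, url))}
    return GATEWAY + "?" + urlencode(params)


def rewrite_html(html: str, message_id: str) -> str:
    """Delivery side: rewrite every http(s) href; mailto: and relative links stay."""
    return HREF.sub(lambda m: m.group(1) + m.group(2)
                    + rewrite_url(m.group(3), message_id) + m.group(2), html)


def gateway_links(html: str):
    """All gateway links present in a rewritten body (useful for tests and audits)."""
    return [m.group(3) for m in HREF.finditer(html) if m.group(3).startswith(GATEWAY)]


def resolve_click(gateway_url: str):
    """Gateway side: return (original_url, message_id), or None when the
    parameters are missing, tampered with or forged without the key."""
    query = parse_qs(urlsplit(gateway_url).query)
    try:
        url = _unb64(query["u"][0]).decode()
        message_id = query["m"][0]
        mac = _unb64(query["s"][0])
    except (KeyError, IndexError, ValueError):
        return None
    if not hmac.compare_digest(mac, _mac(message_id, url)):
        return None
    return url, message_id


def forge_without_key(url: str) -> str:
    """What an attacker can build without KEY: a gateway link with a bogus MAC."""
    return GATEWAY + "?" + urlencode({"u": _b64(url.encode()), "m": "x", "s": _b64(b"\0" * 32)})


# Constructed phishing-style body: the visible text names one site, the href another.
SAMPLE_HTML = ('<p>Your account is locked. Verify at '
               '<a href="https://bank.example-login.net/reset">https://www.bank.example</a> '
               'or <a href="mailto:help@bank.example">contact us</a>.</p>')

if __name__ == "__main__":
    rewritten = rewrite_html(SAMPLE_HTML, "msg-001")
    print(rewritten)
    for link in gateway_links(rewritten):
        print("click ->", resolve_click(link))
```

Only after resolve_click succeeds would a real gateway fetch and scan the destination and then redirect the browser; a failed check should return an error page rather than a redirect, since redirecting unverified URLs is exactly the open-redirect weakness phishers look for in rewriting services.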

One very important feature of cyber security tools is to let you know when bad things are afoot, and ATP provides real-time alerts when your organization is under a targeted email attack.

A related feature is Ex-Post alerts: if emails that have already been delivered are subsequently identified as malicious your IT team is notified.

As mentioned, these emails can be automatically deleted, but the user may already have clicked a link, or opened an attachment, so your response team might want to investigate these user accounts / devices further.

Human beings are still the weakest link, and our psychology is used against us when attackers employ social engineering tactics.

Our Targeted Fraud Forensics uses automated fraud attempt analysis and intention spoofing recognition to detect and prevent social engineering attacks.

It looks at the language of the email, looking for patterns that indicate malicious intent, espionage attacks, or if the text presents false facts to get the recipient to respond, as well as spotting forged sender identities.

Sending to the Right Recipients?

Another feature that’ll assist your overall email security posture is AI recipient validation, which will warn you if you’re including an unintended recipient, or if you’re missing a recipient that should have been included.

It’ll also warn you if the email contains sensitive information, like Personally Identifiable Information (PII), inappropriate wording or if you’re replying to a large distribution list. This analysis is done locally in the Outlook client, no data is sent to our service.

Of course, there’s a dashboard for administrators to see what warnings the users had, and what their response was, and an admin can also disable particular warning scenarios, exclude users from different warnings, and add external domains to be treated as internal ones.
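
The deterministic part of recipient validation is straightforward to express, and seeing it spelled out clarifies what such a warning can and cannot catch. The following Python is an added example written for this article; it is not Hornetsecurity’s AI Recipient Validation, whose model the article does not describe. It flags external recipients, a recipient domain that merely resembles one of your own (the typo or lookalike behind many misdeliveries), too many recipients visible to one another, and sensitive content patterns. The domains, thresholds, patterns and sample messages are assumptions.

```python
"""Pre-send recipient and content checks for an Outlook-style warning.

Added example; this is not Hornetsecurity's AI Recipient Validation, whose
model the article does not describe. It is the deterministic core such a
warning needs: external recipients, many recipients visible to one another,
a recipient domain that merely resembles one of ours (a typo or lookalike,
the misdelivery case), and sensitive content patterns. Domains, thresholds,
patterns and the sample messages are assumptions.
"""
import difflib
import re
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.com", "example-group.com"}
TRUSTED_EXTERNAL = {"partner.example"}   # an admin-configured "treat as internal" list
MAX_VISIBLE_RECIPIENTS = 20

SENSITIVE = {
    "an IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}\b"),
    "a US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "a confidentiality marker": re.compile(r"\b(?:confidential|internal only|do not distribute)\b", re.I),
}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain):
    """The internal domain this external one resembles, or None."""
    if domain in INTERNAL_DOMAINS:
        return None
    close = difflib.get_close_matches(domain, sorted(INTERNAL_DOMAINS), n=1, cutoff=0.85)
    return close[0] if close else None


def _addresses(msg, header):
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def check_outbound(msg):
    """Return the list of warnings to show the user before the message is sent."""
    warnings = []
    visible = _addresses(msg, "To") + _addresses(msg, "Cc")
    for addr in visible + _addresses(msg, "Bcc"):
        domain = _domain(addr)
        if domain in INTERNAL_DOMAINS or domain in TRUSTED_EXTERNAL:
            continue
        like = lookalike_domain(domain)
        if like:
            warnings.append(f"{addr}: domain resembles {like} but is not it (typo or impersonation?)")
        else:
            warnings.append(f"{addr}: external recipient")
    if len(visible) > MAX_VISIBLE_RECIPIENTS:
        warnings.append(f"{len(visible)} recipients will see each other's addresses; use Bcc?")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    for label, pattern in SENSITIVE.items():
        if pattern.search(text):
            warnings.append(f"message appears to contain {label}")
    return warnings


def _message(to, cc, subject, body):
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed samples: a misdelivery with a lookalike domain and an IBAN in the
# body, an internal-only note, and a mass mailing with everyone in To.
def misdelivery_sample():
    return _message(["bob@examp1e.com"], ["eve@gmail-example.net", "dan@partner.example"],
                    "Q3 figures", "Please wire the balance to DE89 3704 0044 0532 0130 00.")


def internal_only_sample():
    return _message(["bob@example.com"], [], "Lunch", "Pizza on Friday?")


def large_list_sample():
    return _message([f"user{i}@example.com" for i in range(25)], [], "Notice", "All-hands at 10.")


if __name__ == "__main__":
    for sample in (misdelivery_sample, internal_only_sample, large_list_sample):
        print(sample.__name__, "->", check_outbound(sample()))
```

The lookalike check is the piece most users would not think to do by hand: examp1e.com passes a glance but is not example.com, and a similarity threshold against your own domains catches both honest typos and deliberate impersonation domains used for invoice fraud.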

Improving Your Human Firewalls

No protection system is completely foolproof, there will be times when a malicious email sneaks through your defences, at least temporarily, and this is where training your users is vital.

Many other services for this take a lot of administrator time, planning, scheduling, and following up with the users who fell for the simulated phishing attacks. Hornetsecurity’s Security Awareness Service is different, and is mostly set-and-forget.

Each user is tracked with an Employee Security Index (ESI), users who rarely click on simulated malicious links or attachments aren’t bothered with simulations, whereas repeat offenders receive more simulated attacks, as well as short, relevant video training content.

It also uses gamification to increase engagement amongst your users.

Stay ahead of the evolution of email threats in 2024 with Advanced Threat Protection from Hornetsecurity. Protect your business and your employees against sophisticated attacks. 

Don’t wait any longer; protect your email with Hornetsecurity and ensure the resilience of your digital assets.

Conclusion

Email is the most prevalent vector for attackers to compromise your users, and the compromised account is then used to infiltrate your systems further.

A comprehensive email hygiene service must deal with the easy threats, mass mailed spam and phishing, as well as advanced threats such as spear phishing and targeted email lures.

Hornetsecurity’s spam and malware filters, combined with Advanced Threat Protection, is the best defence. Add in the additional services such as AI Recipient Validation, along with Security Awareness Service and you have a winning combination.

FAQ

How does Hornetsecurity's Advanced Threat Protection (ATP) detect malicious documents?

ATP uses malicious document decryption, a sandbox engine and a machine learning engine to inspect file behavior, registry changes, network communication and memory access, achieving high accuracy in distinguishing malicious files.

What happens if an email is suspicious but not clearly identified as malicious by ATP?

Suspicious emails are temporarily held back using a freezing approach. During this time, new data may lead to positive identification, and all links are scanned through Hornetsecurity’s secure web gateway before being delivered to the user.

How does Hornetsecurity's Security Awareness Service engage users in training without extensive administrator involvement?

The Security Awareness Service employs an Employee Security Index (ESI) to track user behavior. It automatically tailors simulated attacks and video training content based on individual responses, utilizing gamification to enhance user engagement with minimal administrative effort.

What Are Email Data Leaks and How to Prevent Them

According to our research published in Cyber Security Report, email continues to be the primary communication channel for many organizations, with over 333 billion emails sent and received daily. Based on projections, that figure will increase to almost 400 billion daily by 2026.

This means that more cyber-attacks are being spread via email. While it may seem like a simple thing, we need to make sure we know how to use email properly, what we’re sharing and who we’re sharing it with.

This article is about email leaks and how to prevent them.

What Is Data Leak? Why Do Data Leaks Happen?

A data leak is when sensitive data is exposed to someone not authorized to see it. Data leaks have two root causes: cybersecurity attacks and inadequate security measures (including simple human error).

Sensitive data includes Personally Identifiable Information (PII) and business data such as project plans, financial details, software code, and other similar types of data.

Personally Identifiable Information (PII) is any data that can be used to identify someone, such as their first and last name, email address, phone number, passport number, driver’s license, social security number, and other personal information.

Malicious Methods That Cause a Data Leak

Attackers use various methods to cause data leaks, tricking end users into giving them access to their data. Three common methods are phishing attacks, malware attacks, and brute-force attacks.

Phishing mail attacks are one of the most common malicious methods we see today. According to our Cyber Security Report, almost 40% of attacks are delivered via phishing mails. We often see viruses or other malware embedded in different file types, including Word, Excel, PDF, and archives.

Hackers develop sophisticated emails that look like the real thing and trick you into opening malicious links or attachments to gain access to your network. Phishing attacks are used in combination with social engineering to trick people into revealing their sensitive data by impersonating people.

Phishing attacks are carried out via email, SMS (smishing), voice calls (vishing) and QR codes (quishing).

Malware is a second method attackers use to try to penetrate your network. It is a broader term that covers various malicious software. This includes viruses, trojans, worms, ransomware, spyware, adware, keyloggers and more. According to our Ransomware attacks survey, 1 in 4 (23.9%) IT professionals say their organization has been the victim of a ransomware attack.

The best protection is Endpoint Detection and Response (EDR) on end user devices, strict firewall rules and security solutions that block internal and external malicious activities. You can read more about malware attacks in Malware vs. Viruses: Understanding the Threat Landscape.

In third place is the brute-force attack. In such an attack, your username (email address) is loaded into brute-force software, which then attempts to guess the password by trying password candidates stored in dictionaries. Such dictionaries can be found for free on the Internet. The best practice here is to have a strong password and use multi-factor authentication.
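The detection side of this, as an added example that is not part of the article: a sliding-window check over constructed authentication log lines (the log format, the threshold of 5 failures and the 10-minute window are assumptions) that flags an account hit by a burst of failed logins and records whether a successful login followed the burst, which is the case to treat as a likely compromise.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed attempts that trigger an alert (assumed policy)
WINDOW = timedelta(minutes=10)   # sliding window in which those failures must fall

# Constructed sample authentication log (format is an assumption): a burst of
# guesses against alice that ends in a success, and a single typo by bob.
SAMPLE_LOG = """\
2023-11-02T08:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-02T08:00:02Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-02T08:00:03Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-02T08:00:04Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-02T08:00:05Z src=203.0.113.7 user=alice@example.com result=FAIL
2023-11-02T08:00:06Z src=203.0.113.7 user=alice@example.com result=OK
2023-11-02T08:30:00Z src=198.51.100.3 user=bob@example.com result=FAIL
2023-11-02T09:10:00Z src=198.51.100.3 user=bob@example.com result=OK
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(line):
    """Return (timestamp, source, user, result) or None for a line that does not fit."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["result"]

def detect(lines):
    """One alert per account with THRESHOLD or more failures inside WINDOW; the alert
    also records whether a success followed the burst, which is the case to act on first."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside WINDOW
    alerts = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, src, user, result = event
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= THRESHOLD:
                alert = alerts.setdefault(user, {"user": user, "src": src, "success_after_burst": False})
                alert["failures"] = len(q)
        elif user in alerts and q:        # a success while the burst is still in the window
            alerts[user]["success_after_burst"] = True
    return list(alerts.values())
```

Bob's single failure followed by a success 40 minutes later never reaches the threshold, so only the burst against alice is reported.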

Poor Security Practices That Cause Data Leaks

There are various reasons for data leaks.

First and foremost is a poor security culture. Your credentials are the first layer of attack. Never use weak passwords to protect your online accounts. If you are an IT administrator, you should enforce a password policy that prevents the use of weak passwords. You can read more in the next section.

When you log in with your account on a shared computer in your company or in public, always make sure that you have logged out. If you don’t and someone else, hypothetically a malicious person, gains access to your email, it could lead to a data leak.

If you are staying in a hotel or your favorite cafe, you should be very careful about which Wi-Fi network you use. There are many scenarios where a malicious person will try to eavesdrop on traffic on an open network.

The best thing to do is to set up a mobile hotspot and use the internet via your cell phone. You can also train your users to use a VPN for every connection, although this does carry the risk that a user might forget to use it on an untrusted network.

An inadequate security measure may also be that someone has unintentionally sent an email to the wrong external email address (misdelivery). Even a second of unintentional action can lead to significant problems for us.

This happens when a user accidentally sends sensitive information to the wrong email address. According to Verizon Data Breach Report 2022, there were 715 incidents, 708 with confirmed data disclosure, that compromised personal, medical, financial, and other data. 

Double-check to whom you are sending your email.

If you are using a bad password or a single password for more than one account, please change it immediately. Each account should have a different strong password. Now you are probably wondering how to memorize them all. You don’t need to; see below.

Other bad practices usually relate to infrastructure and inadequate policies. You can find out more about this in the section “How to prevent data leaks”.

The Dangers of Bad Password Hygiene

Despite cybersecurity experts and companies advocating for a strong password culture, passwords in many organizations continue to be the weakest link. According to the Specops Breached Password Protection list, there are 2 billion breached passwords, and that number is increasing daily.

It is the responsibility of IT teams to enforce password policies in companies. This primarily includes the use of complex passwords with lower and upper-case letters, numbers and special characters.

Different security solution providers give different recommendations on the number of characters a password should have. The general rule of thumb is that more characters are better. Do not use less than 12 characters.

In the past we often enforced frequent password changes (every 30 days was popular). This has proven to be counterproductive, and both NIST in the US and GCHQ in the UK now recommend not to enforce frequent changes.

This just leads to people picking easier passwords and attaching the number or the name of the month to the end of their passwords for example.

You should also introduce a password history policy to prevent the reuse of old passwords. According to an Online Security Survey conducted by Google, 65% of people reuse their passwords. This is a major security issue.

In addition, you can introduce other password policies such as lockout policies, disabling accounts that are not being used, introducing multi-factor authentication (MFA), assessing password strength, monitoring account access, introducing SSO and others.

The bottom line is that today, just using a username and password to identify a user isn’t adequate. Wherever possible, you must use strong authentication such as MFA, including phishing-resistant MFA such as FIDO2 hardware keys, or biometrics such as Windows Hello.

These measures stop 98%+ of all identity-based attacks.
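As an added example, not the article’s or Hornetsecurity’s code, a password-policy check that enforces the rules above in one place: the 12-character minimum, mixed character classes, a salted password history so retired passwords cannot be reused, and a breached-password lookup using the k-anonymity range scheme of the Pwned Passwords API. The breached list here is a constructed stand-in so the code runs offline, and the 100,000 PBKDF2 rounds for history entries are an assumption.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # the article's rule of thumb: never fewer than 12 characters
PBKDF2_ROUNDS = 100_000  # slow hash for the password-history entries (assumed value)

# Constructed stand-in for a breached-password corpus such as Pwned Passwords.
BREACHED_SAMPLE = ["Password1234", "Welcome2024!", "Summer2023!!"]

def fake_range_response(prefix: str) -> str:
    """Mimics GET https://api.pwnedpasswords.com/range/<prefix>, which answers with
    '<suffix>:<count>' lines for every breached SHA-1 that starts with <prefix>.
    Built from BREACHED_SAMPLE so the example runs offline; the counts are made up."""
    out = []
    for pw in BREACHED_SAMPLE:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest.startswith(prefix):
            out.append(f"{digest[5:]}:{len(pw) * 100}")
    return "\r\n".join(out)

def is_breached(password: str, range_lookup=fake_range_response) -> bool:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the host;
    the full hash is compared locally against the suffixes that come back."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return any(line.split(":")[0] == suffix
               for line in range_lookup(prefix).splitlines() if line)

def history_entry(password: str, salt=None):
    """Salted slow hash of a retired password, so the history list stores no plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def check_password(password: str, history=()):
    """Return every policy violation; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not all(re.search(c, password) for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")):
        problems.append("must mix lower case, upper case, digits and special characters")
    if any(hmac.compare_digest(old, hashlib.pbkdf2_hmac("sha256", password.encode(), s, PBKDF2_ROUNDS))
           for s, old in history):
        problems.append("reuses one of the previous passwords")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems
```

Swapping `fake_range_response` for a real HTTP call to the range endpoint turns this into a production check without ever sending the password or its full hash off the host.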

One of the most common mistakes of poor password hygiene is sharing login credentials via email. Imagine someone gaining access to your email and finding your password there. A malicious person would then be able to compromise your integrity and your data.

Implement Password Managers

Don’t write down your password on sticky notes, notes or anywhere else. It’s best to use a password manager and store your passwords in secure and encrypted password vaults. Whenever you need your password for a service or device, log in to your password manager, copy it and then enter it.

Password managers also provide extensions for your favorite browsers that allow you to retrieve your password when you need to log into your account.

This practice benefits users at all levels, from end users to IT administrators who manage many different systems.

What Should I Do if I Find My Address in an Email Leak?

If you find your address in an email leak, you should immediately change your password. A new password should follow the policy introduced in the previous section.


Use a password manager to store your passwords. Don’t write or print them on paper, store them in .txt or any other files on your machine, or share them via email. Password managers are designed to do this securely.

In case of email leaks that happen in organizations, you should inform relevant stakeholders and check if there were any suspicious activities done on affected services.

Note: Do not ignore security breach notifications; ignoring them puts your account and data at risk.

How can I know if my account was leaked?

According to haveibeenpwned, as of November 2023 there are over 12 billion leaked accounts. If you want to check if your email or account was leaked, navigate to https://haveibeenpwned.com, enter your email address, and click Pwned?

You can also subscribe (for free) to get notified when future pwnage occurs and your account is compromised. There are also options for organizations to monitor their entire email domain instead of just individual accounts.


How To Prevent Data Leakage

From an IT management point of view, you should introduce access control and define who is allowed to do what. One of the most important measures is access control that grants each user only the minimum authorizations they need (least privilege).

Your data should be encrypted regardless of where it is stored, both in transit and at rest. Then, even if a malicious person gains access to the data, they cannot read it.

Security is a shared responsibility. Make sure that you implement strong security protection on your network and endpoints and that your employees are trained in handling the data.

In addition, you should ensure continuous monitoring and logging of all activities that take place internally or externally on your services.

Please note that preventing data leaks is not a one-off task but an ongoing process that requires strong technology and employee awareness.

Many websites or client–server communications do not use TLS (SSL) certificates. This means that the communication between you and your server is in plain text and can be intercepted and read by a criminal.

Make sure that your website uses certificates, that communication is encrypted and that you renew them on time. Better yet, automate the process using a service like Let's Encrypt, which not only ensures your certificates are renewed on time but also offers free certificates.

Make sure your infrastructure is always up to date at the physical and application level and patched with the latest updates. Systems that are not patched with the latest security updates pose a major security risk that attackers can exploit to gain access to your network.

To maintain security measures, you should apply compliance regulations and industry standards to prevent data breaches. Some of the factors that can lead to a data leak are shadow IT, poor data processing practices, lack of encryption, poor BYOD (Bring Your Own Device) practices, inadequate employee training and others.

How Hornetsecurity Can Help You Stay Protected Against Data Leaks

According to the World Economic Forum – The Global Risks Report 2022, 95% of all cyber security breaches are caused by human error. Malicious people (read hackers) try to exploit human psychology using phishing and social engineering.

To prevent it, organizations need to provide continuous training to employees on how to use technology and prevent data leaks.

That is where the Hornetsecurity Security Awareness Service comes into play. Security Awareness Service provides fully automated awareness benchmarking, spear-phishing simulation, and E-Training to sensitize and protect employees against cyber threats. Practically speaking, you can train and then challenge your employees by simulating sophisticated email attacks.

Security Awareness Service provides the ESI (Employee Security Index), which continuously measures and compares employee security behavior across the organization and identifies individual training needs.

Awareness dashboard in the control panel

Security Awareness Service also provides an e-learning hub for employees where they learn security content on how to handle phishing attacks in multiple languages.

That is not all.

Hornetsecurity provides several solutions that help you strengthen your security and prevent data leakage including fully automated, secure, and effective email encryption, the cloud-based corporate email platform with integrated spam and malware protection, email archiving service to ensure email data integrity & compliance for M365 and other email servers, powerful spam filtering and malware protection to stay ahead of cybercriminals and more.

You can read full insights into different Hornetsecurity solutions that help you stay safe. You can read more here Email Cloud Security Services from Hornetsecurity.

Remember, the best way to protect against malicious methods is to have a proper understanding and implementation of IT security.

To properly protect your cyber environment, use Hornetsecurity Security Awareness Service, and Advanced Threat Protection to secure your critical data.

We work hard perpetually to give our customers confidence in their Spam and malware Protection, Email Encryption, and Email Archiving strategies.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

Data leaks are a constant challenge that occurs in many organizations. There are two reasons for this. The first is when users accidentally share data by sending sensitive emails to the wrong email address or forgetting the USB stick with the data in a public café. The second is when malicious people attack our infrastructure with malware.

There is a solution for both cases. IT teams should implement strict security mechanisms from the physical to the application level, strict access control and good password policies, and enforce MFA for all user accounts.

Security is a shared responsibility. Employees should be trained in the proper handling of emails, passwords and anything that could put data at risk.

Hornetsecurity offers an e-training and security awareness service platform that allows you to educate and challenge your employees by exposing them to fake phishing attacks that look like real attacks.

In this article you learned all about data leaks and how to prevent them.

FAQ

What happens if data is leaked?

When sensitive data is leaked, it can have various consequences, such as privacy issues, financial losses, reduced customer satisfaction and business disruption. If our data is exposed, especially if we are vendors, it has a negative impact on our reputation. Any data leak should be taken seriously, and we must take all preventive measures to stop it.

Is it bad to leak your email?

It is considered bad and risky for your email address to be passed on or leaked. Malicious people can use it to target you with phishing and social engineering attacks. To protect your email account, you should use or enforce a strong password and enable multi-factor authentication.

What does it mean when your password has been in a data leak?

If your password has been leaked, it means you are in trouble. A malicious person could access all of your online services that use this password and thus obtain and expose your data. If you use the same password for multiple services, a malicious person could try to access all services and compromise your reputation and the integrity of your data.

What do email hackers look for?

Hackers or hacker groups are looking for data with which they can blackmail you, demand money or pass on your data to third parties who could be of use to them.