Tip #1 - Strong passwords for strong authentication

One of the most important email security best practices for employees is to use strong passwords that are changed frequently and not reused across different systems. Taking a serious approach to email passwords may not entirely overcome poor practices on the part of the organization, but it will help defend against attackers using dictionary attacks to target weak passwords.

Requiring employees to change their passwords frequently is one tactic for password hygiene that has been reevaluated in recent years. The benefits of changing passwords quarterly or monthly must be balanced with users' tendency to use weaker passwords that are easier to remember, and thus easier for attackers to exploit.

Tip #2 - Multifactor authentication makes for stronger authentication

The use of two-factor authentication in an enterprise is not usually up to employees: Either the organization has implemented 2FA and requires employees to use it, or it hasn't and they don't. However, employees can protect themselves by using 2FA wherever it is available.

Locking down all accounts with 2FA is an important tactic to reduce the risk of email account takeovers. Employees who use 2FA for their private accounts will be better prepared to use 2FA in their work accounts. They can also advocate for the deployment of 2FA in organizations that have yet to take it up on their own.

Tip #3 - Take phishing awareness seriously

Increasing numbers of enterprises are addressing email security through phishing awareness training, and employees should consider such training an important best practice. Email security training can be tailored to emphasize the types of email security threats targeting enterprises in different industries and specific threats facing employees.

Employees can use this type of email security training to help identify problematic messages and learn how to avoid clicking on the wrong links or opening the wrong attachments. More importantly, such training can also be used to inform employees about the types of security tactics used in the organization. For example, employees can better understand which malicious messages might be caught and which might not be caught by email filtering systems

Employees need to read their emails carefully, not just skim them. Many phishing attacks and spear-phishing attacks are launched from other countries, and although this can result in glaring grammar and stylistic issues, phishers have become more sophisticated. They have the resources to compose clean emails in their target language, and they make fewer mistakes. Employees should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable. In a recent Office 365 phishing page discovered by Vade Secure, there was only one discrepancy between the real Office 365 page and the phishing page: extra space between “&” and “Cookies” in the “Privacy & Cookies” link in the footer of the phishing email.

Hackers Use Real Brand Images and Logos in Phishing Emails. Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source. While most email filters can spot a known phishing URL, they cannot spot a counterfeit image unless they have machine learning and computer vision capabilities.

Tip #4 - Take care with email attachments

Many email attacks rely on the ability to send and receive attachments that contain malicious executable code. Malicious attachments may be sent directly by an attacker to target individuals, and many such attachments can be blocked by antimalware software that detects the malicious source. However, malicious attachments can also be sent by trusted sources that have been exploited by attackers.

Whatever the source, employees should take care of attachments even when the organization uses email scanning and malware blocking software. If an attachment has an extension associated with an executable program, like .exe (executable program), .jar (Java application program) or .msi (Microsoft Installer), extra care should be taken before opening it. Word processing, spreadsheet, and PDF files can carry malicious code too, so employees should be cautious when handling any type of attached file.

Tip #5 - Approach email links with caution

Weblinks in email are also a risk, as they often connect to a web domain different from what they appear to represent. Some links may display a recognizable domain name like www.amazon.com but in fact direct the user to some different, malicious, domain. One tactic employee can use is to review the link contents by hovering the mouse pointer over the link to see if the actual link is different from the displayed link.

Attackers also use international character sets to create malicious domains that appear to be those of well-known brands. When in doubt, employees should type the domains directly into their browsers, or just avoid using the link at all.