As we mark Cyber Security Awareness Month this October, we find ourselves at the crossroads of heightened awareness and potentially grave vulnerabilities.
At the heart of this awareness month is the "Email Security Awareness Survey" conducted by Zoho. This survey is more than just a questionnaire; it's your chance to actively participate in strengthening the defenses against email-based threats.
Before diving into this blog, we encourage you to participate in our Email Security Awareness Survey. If you've already completed it, please proceed with the article.
In the following sections, we'll walk through a series of email security awareness scenarios, each representing a common email-related situation. For each scenario, we'll explore the insecurity or potential risks and provide insights into the right course of action.
1. Phishing email link
The scenario: You receive an email from your company's HR department detailing adjustments to the group health insurance policy, an update that was touched upon in the last all-hands meeting. The email content is thorough, discussing policy benefits, new coverage inclusions, and a few exclusions. At the bottom, there's a link that says "Visit this link to update your beneficiary details in light of the new policy changes." What should your best course of action be?
A. Access the HR portal directly without clicking the link to look for similar instructions or announcements.
B. Reach out to a trusted colleague on the HR team through an official chat platform, asking if this email is a legitimate communication.
C. Check your inbox for previous communications from HR for any precursor announcements to this email.
D. Wait for a few days to see if any follow-up emails arrive or if the same information is communicated in another manner.
The insecurity: Clicking on email links without verification can lead to phishing attacks and data breaches. In fact, 32% of data breaches involve phishing. Falling victim to phishing can result in stolen personal or financial information, identity theft, and unauthorized access to sensitive accounts.
The correct option: A. In this scenario, the best course of action would be to access the HR portal directly without clicking the link to look for similar instructions or announcements. This cautious approach ensures the email's legitimacy before taking any action, thereby preventing potential data breaches.
While option B, which involves reaching out to a trusted colleague on the HR team through an official chat platform, is not inherently wrong, accessing the HR portal directly allows you to immediately verify the information without waiting for someone else to respond. Moreover, if everyone who received the email reached out to HR for verification, it could potentially overwhelm the HR team, especially if it's a large organization.
2. Suspicious vendor's email
The scenario: You receive an email from a known vendor sharing a "State of email security awareness report." The link text says, "State of email security awareness report," but when you hover over it, it redirects to a shortened URL http://bit.ly/12345. What should you do?
A. Open the link in an incognito window to safely check the contents of the linked page.
B. Copy the link address and paste it into a notepad to inspect it more closely before deciding on your next step.
C. Reach out to the vendor through a newly composed email (not a reply), using the official email address from their website to inquire about the legitimacy of the message and link.
D. Use a URL expander tool to check where it leads before deciding whether or not to click it.
The insecurity: Clicking on unfamiliar links can expose you to malicious websites or malware. These malicious links can lead to various cybersecurity threats, including phishing attacks and the installation of malware. Email remains a common vector for cyberattacks. Malicious links in emails are a prevalent method for distributing malware, and falling prey to such attacks can result in severe consequences, including system compromise, data loss, and financial harm.
The correct option: C. Reaching out to the vendor directly using a verified communication channel is the safest option. By composing a new email (instead of replying), you ensure that you're contacting the genuine vendor and not potentially communicating with a threat actor.
3. Password security
The scenario: You have received an automated prompt to update your work email password as a part of your organization's regular password rotation policy. You decide to create a new password by slightly modifying your existing password, changing a number and replacing a letter with a special character. What do you think of this approach?
A. It could be seen as a sensible strategy, because it aligns with the policy of frequent password changes while retaining a sense of familiarity to avoid forgetting the password.
B. It might be beneficial because it maintains a core structure, yet adds elements that would potentially thwart automated hacking attempts.
C. While it might seem practical, this strategy can potentially retain vulnerabilities, especially if the base structure of the password has been compromised in any way before.
D. It might be seen as a balanced strategy, introducing enough complexity to avoid common hacking attempts while not changing too much to forget the new configuration.
The insecurity: Creating weak or easily guessable passwords can compromise your accounts. It takes only 39 seconds to crack a weak password. Weak passwords can result in unauthorized access, data breaches, and identity theft.
The correct option: C. Modifying an existing password by making only slight changes is not the best practice for security. While it might seem practical, this strategy can potentially retain vulnerabilities, especially if the base structure of the password has been compromised in any manner before.
While options A, B, and D mention some potential benefits of slightly modifying an existing password, these benefits are outweighed by the security risks involved. Therefore, option C provides the most accurate assessment of the strategy described.
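Password-change forms can enforce the point made here automatically. The following is an added example (not Zoho's code or anything from the survey): it compares the old and new password at change time, when both are typed into the form, and rejects a "rotation" that only bumps a digit or swaps a letter for a look-alike symbol. The substitution table, the distance threshold of 2 and the sample passwords are assumptions made for the example.

```python
import re

# Substitutions people commonly make when "tweaking" a password (assumed table).
# Undoing them lets "Summ3r2024!" and "Summer2023" compare as the same core word.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop the leading/trailing digits and punctuation that usually carry
    the 'rotation', then undo leet substitutions, leaving the reused core word."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(LEET_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is only a slight edit of the old one, either literally
    (a couple of characters changed) or after undoing case, leet and number tricks.
    This can only run where both values are available in clear, i.e. in the change
    form itself; it cannot be applied to stored hashes."""
    if edit_distance(old.lower(), new.lower()) <= max_distance:
        return True
    a, b = normalize(old), normalize(new)
    if not a or not b:        # no letter core to compare (all digits/punctuation)
        return False
    return edit_distance(a, b) <= max_distance


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Autumn2023", "@utumn2024"),
                     ("Autumn2023", "Autumn23!!"),
                     ("Autumn2023", "correct-horse-battery")]:
        verdict = "reject" if is_trivial_rotation(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The first pass catches the literal "change one number, swap one letter" edit from the scenario; the second pass catches the same reuse hidden behind a new year suffix or a `3`-for-`e` substitution, which is exactly the case where an attacker who already holds the old password would guess the new one first.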
4. Two-factor authentication (2FA)
The scenario: You’re well-acquainted with 2FA and its necessity in keeping confidential information secure. You know that it adds an extra layer of security to the authentication process, making it harder for attackers to gain access to a person's devices or online accounts. In the context of advanced phishing attacks where attackers are known to bypass 2FA, which of the following would be the most secure method to ensure the highest level of security?
A. Relying solely on SMS-based 2FA while avoiding the use of email-based authentication.
B. Using biometric authentication methods in conjunction with a strong, unique password.
C. Keeping the default 2FA settings as they are generally optimized for high security by the IT department.
D. Regularly changing the 2FA method (between SMS, email, and app) to ensure a diversified security setup.
The insecurity: Relying solely on one 2FA method may leave you vulnerable to certain attacks. Cybercriminals are constantly evolving their tactics, and some advanced phishing attacks can circumvent specific 2FA methods, such as SMS-based codes or email-based authentication. Statistically, multi-factor authentication (MFA) has been shown to prevent 99.9% of account hacks when properly implemented.
The correct option: B. In the context of advanced phishing attacks that can capture SMS or email codes, biometric authentication coupled with a strong, unique password offers the highest level of security among the options listed and provides a robust defense for your account.
5. Sensitive request verification
The scenario: Your organization has a stringent policy for sharing sensitive files, which includes a verification process to confirm the authenticity of the request. You receive a sudden request for a sensitive document over email from a senior executive, which appears to be legitimate at first glance. What action aligns best with the principle of verifying the authenticity of sensitive requests?
A. Using a separate, verified communication channel to confirm the request directly with the senior executive before sharing any information.
B. Responding to the email with a set of security questions that only the senior executive could answer correctly.
C. Seeking verbal confirmation from a colleague who works closely with the senior executive before responding to the email.
D. Reporting the email to the IT department without responding to the executive, and waiting for their guidance on how to proceed.
The insecurity: Sharing sensitive information without proper verification can lead to data leaks. In 2020, data breaches exposed 36 billion records. Sharing sensitive data without verification can result in regulatory fines, loss of trust, and reputational damage.
The correct option: A. Using a separate, verified communication channel to confirm the request directly with the senior executive is the safest route, preventing potential data leaks.
6. An unexpected email attachment
The scenario: You receive an email from a colleague in another department whom you occasionally work with. The email subject reads "Urgent Task" and the content says, "I'm caught up in meetings all day but was asked to forward this document to you for immediate review. Please look into it and get back to me before EOD." The email has an attachment labeled "Urgent-Review.docx," but you weren't expecting any such document. What should you do?
A. Open the document in a secure environment or sandbox to review its content.
B. Check the email's "Sent" timestamp and compare it to your colleague's known work hours or schedule.
C. Call or message the sender on a different channel.
D. Send a separate email (without replying) to the colleague's official email address, asking for clarification regarding the attached document.
E. Options A, C, and D are correct.
F. Options C and D are correct.
The insecurity: Opening unexpected email attachments can expose your system to malware, which is a significant cybersecurity threat. Malware includes various types of malicious software, such as viruses, trojans, and ransomware, which can cause severe harm to your computer and compromise your data. Malware attacks are a common method used by cybercriminals to compromise systems and steal sensitive information. These attacks can result in data loss, system compromise, and financial harm.
The correct option: F. The right approach involves a combination of verifying the sender through a different channel and seeking clarification before opening the attachment, safeguarding your system from potential malware threats.
7. Secure document sharing
The scenario: You need to email a confidential document to a colleague from a different department. The file size exceeds the email attachment capacity, so they suggest using a popular file sharing platform that both of you commonly use for non-sensitive files. The platform can generate a link that you can email directly. What should you do?
A. Encrypt the document with a password and share the link on the platform.
B. Use the file-sharing platform, but notify your IT department about the data transfer.
C. Use your company’s official secure file transfer method, and notify the recipient to expect it there.
D. Zip the file, upload it to the platform, and share the password separately via SMS.
The insecurity: Sharing confidential documents without proper security measures can result in data breaches, potentially exposing sensitive information to unauthorized individuals. Data breaches can have severe consequences, including financial losses and legal repercussions for organizations. The average cost of a data breach is estimated to be $3.86 million, taking into account expenses related to investigation, notification, and recovery efforts.
The correct option: C. Use your company’s official secure file transfer method, and notify the recipient to expect it there.
Encrypting the document with a password is a good step for security. However, relying on a platform not intended for sensitive information is not the best choice. Additionally, sharing the encrypted file and password through the same platform could still pose risks if the platform is compromised.
8. Email header analysis
The scenario: You've just been informed of a possible phishing campaign targeting your organization. You receive an email that appears to be from your company's IT department, discussing a new software update and asking employees to install it. Before taking any action, you decide to analyze the email headers. What should you be looking for in this scenario?
A. Check if the "From" address in the headers looks like other official emails you've received, ensuring there are no slight variations or typos in the domain.
B. Look for the path the email took in the "Received" headers, ensuring it doesn’t have an unfamiliar or external starting point.
C. Compare the timestamp in the header with the time you received the email, seeing if there’s a significant delay, which might indicate it took a detour through other servers.
D. Confirm that the "To" address lists the general company distribution list and not a mix of unrelated individual addresses.
The insecurity: By examining the "Received" headers, you can trace the route the email took to reach you. If it starts from an unfamiliar or external source, it could be an indicator of a phishing attempt or malicious email. Phishing attempts have become increasingly sophisticated, with a 600% increase in such attacks since the start of the pandemic. Falling victim to phishing can lead to unauthorized access, data breaches, and significant financial losses.
The correct option: B. Look for the path the email took in the "Received" headers, ensuring it doesn’t have an unfamiliar or external starting point. This step helps you verify the email's legitimacy and protect your organization from potential threats.
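Tracing the "Received" chain by hand is tedious, so here is an added example of the check done in code (this is not Zoho's code or a tool from the article). It parses the headers of a constructed message that claims to come from the internal IT department, walks only the hops that our own relays recorded, and reports the first sending address that is not ours, which is where the message really entered the organization. The internal domain `example.com`, the relay range `192.0.2.0/24` and both sample messages are assumptions made for the example.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Assumptions for this example: the organisation's own mail domain and the address
# range its relays use. Replace with real values (or your cloud mail provider's
# published ranges if mail is hosted externally).
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Common "Received: from <helo> (<rdns> [<ip>]) by <server> ..." form. Real headers vary
# (some relays omit the rDNS or the IP), so unmatched hops are skipped, not trusted.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed sample (not a real capture): From: claims the internal IT department,
# but the perimeter relay mx1 received the message from an outside host.
SPOOFED_IT_MAIL = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby inbox.example.com with ESMTPS id abc123; Tue, 10 Oct 2023 09:15:02 +0000
Received: from mail.example-updates.net (mail.example-updates.net [203.0.113.77])
\tby mx1.example.com with ESMTP id def456; Tue, 10 Oct 2023 09:14:58 +0000
From: IT Department <it-support@example.com>
To: all-staff@example.com
Subject: New software update - action required

Please install the attached update before end of day.
"""

# Constructed sample of a message that never left the internal relays.
GENUINE_IT_MAIL = """\
Received: from it-desk.example.com (it-desk.example.com [192.0.2.25])
\tby inbox.example.com with ESMTPS id ghi789; Tue, 10 Oct 2023 10:02:11 +0000
From: IT Department <it-support@example.com>
To: all-staff@example.com
Subject: Scheduled maintenance window

Mail will be unavailable on Saturday between 02:00 and 04:00 UTC.
"""


def received_hops(raw: str) -> list:
    """Return the Received hops newest-first, in the order they appear in the headers."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(str(value).split())    # undo header folding
        m = RECEIVED_RE.search(unfolded)
        if not m:
            continue
        ip = m.group("ip") or ""
        if ip.lower().startswith("ipv6:"):         # Postfix/Exim style IPv6 literal
            ip = ip[5:]
        hops.append({"helo": m.group("helo"), "ip": ip, "by": m.group("by").lower()})
    return hops


def _ours_by_name(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def _ours_by_ip(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def entry_point(raw: str):
    """Walk only the hops recorded *by* our own relays (the part of the chain we can
    trust) and return the first sending IP that is not ours. None means the message
    never came from outside the internal relays."""
    for hop in received_hops(raw):
        if not _ours_by_name(hop["by"]):
            break   # below our perimeter the headers are whatever the sender chose to write
        if hop["ip"] and not _ours_by_ip(hop["ip"]):
            return hop
    return None


def assess(raw: str) -> dict:
    """Flag mail whose From: domain is internal but whose real entry point is external."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    origin = entry_point(raw)
    return {
        "from_domain": from_domain,
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["helo"] if origin else None,
        "suspicious": from_domain in INTERNAL_DOMAINS and origin is not None,
    }


if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_IT_MAIL), ("genuine", GENUINE_IT_MAIL)):
        print(name, assess(sample))
```

Two points the code makes that the option text only implies: Received headers are prepended as the message travels, so the topmost line is the last hop and the chain is read downward toward the origin; and only the lines written by your own servers can be trusted, because everything below the perimeter relay was supplied by the sender and can be fabricated. The bracketed IP is recorded by the receiving server, while the HELO name in front of it is whatever the sending side announced, so the check keys on the IP.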
9. Email verification
The scenario: After sponsoring and setting up a booth at the Gartner IOCS Summit, you and your team had the opportunity to network with a range of professionals from different sectors. A week after the event, you receive an email with the subject line, "Gartner Summit Discussion Follow-up." The email is from an individual claiming to have stopped by your booth and showing interest in your company's solution. They mention they had a brief chat with one of your colleagues, but don't specify who. To jog your memory, they've attached a photo of their business card titled "MyCard.jpg" and suggest that if you recall the conversation, you should arrange a formal meeting to discuss potential collaboration. What should you do?
A. Open the attachment immediately, hoping to recognize the business card.
B. Respond to the email expressing interest, but ask them to share the details of their discussion or the name of the colleague they spoke to, without opening the attachment.
C. Contact your company's IT department to scan the attachment for any potential threats before opening.
D. Look up the sender's name on LinkedIn or the event's official attendee list to verify their credentials before proceeding.
The insecurity: Opening email attachments without verification can expose your system to malware. It has been found that 94% of malware is delivered via email. Falling victim to malware can lead to data loss, system compromise, and financial harm.
The correct option: D. Verifying the sender's credentials before opening the attachment is the safest approach, preventing potential malware infections. Contacting the IT department is generally a sound practice for uncertain attachments, but before taking that step, it's beneficial to verify the sender's identity.
Because events like Gartner often provide lists of attendees or those who had their badges scanned near booths, you can cross-reference the name with the list to determine if the individual indeed attended and might have visited your booth. This, combined with checking their professional background on LinkedIn, will give you a clearer picture of the sender's authenticity.
10. Secure remote work
The scenario: You have a five-hour layover at the airport and need to work on an important PowerPoint presentation and send emails to your designers. What's the best course of action to securely complete your work in this situation?
A. You should connect to the airport's free WiFi network, but make sure to use a reputable VPN service to encrypt your data.
B. It's best to connect to the airport's free WiFi network, but before doing so, ensure your device's firewall is disabled for smoother connectivity.
C. To guarantee security, avoid the airport's free WiFi entirely and set up a mobile hotspot using your smartphone's data.
D. Connect to the airport's free WiFi network, and periodically change your password during your work session to enhance security.
The insecurity: Using unsecured WiFi networks without precautions can result in data theft. Public WiFi networks are a prime target for cybercriminals. Neglecting secure remote work practices can lead to data breaches, financial losses, and identity theft.
The correct option: C. To guarantee security, avoid the airport's free WiFi entirely and set up a mobile hotspot using your smartphone's data.
While VPNs encrypt your data and can protect you from eavesdropping, they don't necessarily protect against all potential threats, especially if the network itself has been compromised.
11. Investigate unusual emails
The scenario: As you check your sent folder, you come across a set of unusual emails. These emails contain messages sent to addresses you don't recognize, and the content includes unfamiliar links and attachments. You haven't shared your login credentials with anyone. What should you do to address this situation?
A. Share the content of these unfamiliar emails on your organization's internal social channel, warning fellow employees of the breach and sharing screenshots of the email.
B. Immediately contact the recipients of the unfamiliar emails and inform them of a potential breach in your account, seeking their assistance in identifying the attacker.
C. Delete the unfamiliar emails, empty your trash folder, change your password, apply 2FA, and carry on using your email account as usual.
D. Forward the suspicious emails to your IT department for investigation without taking any other action.
The insecurity: Neglecting unusual emails can result in unauthorized access to your account. Cyberattacks occur every 39 seconds. An inadequate response to unusual emails can lead to data breaches and financial harm. IT departments in organizations are equipped to handle such security concerns. They can investigate the origin, nature, and extent of the breach and take necessary actions.
The correct option: D. Forward the suspicious emails to your IT department for investigation without taking any other action. Reporting it ensures that you're acting responsibly by alerting the experts and allowing them to address the issue comprehensively.
12. Critical client attachment inspection
The scenario: You're a member of a technical support team of a high-security project that frequently receives classified emails from clients on a group email address for issue resolution. One day, you receive an email on this group address with an attachment named "Implementation_Issues_Report.pdf." The subject line reads "URGENT: Critical Implementation Issues," from a newly onboarded client’s team. This email is in a new thread, not a part of any existing conversation. The email body is vague and raises your suspicion. What should you do to address this situation?
A. Coordinate with your security operations center (SOC) team to open the attachment in a secure, isolated environment for urgent review of its content.
B. Forward the email to your IT department by raising a ticket for their inspection before taking any action.
C. Ignore the email and the attachment, as it seems unusual for the sender and lacks specific details.
D. Respond to the email, asking the sender to confirm the attachment's content before taking any action.
The insecurity: Opening unexpected email attachments can expose your system to malware. Malware costs businesses $2.6 trillion annually. An inadequate response to suspicious email attachments can lead to data loss, system compromise, and financial harm.
The correct option: A. Coordinating with the SOC team to open the attachment in a secure, isolated environment for urgent review of its content ensures that the attachment is checked for security before being opened, reducing the risk associated with potentially malicious attachments.
13. Secure remote work practices
The scenario: As an employee working remotely, you often use personal devices to access company resources. You receive an email from your manager that contains a confidential project update, and it's crucial to review it promptly. Which of the following actions would you consider to be the most secure way to access and review this sensitive information while working from home?
A. Open the email on your personal device and review the document using your usual email client.
B. Forward the email to your personal email address so you can access it on your personal device where you feel more comfortable.
C. Connect to your organization's virtual private network (VPN) and use a company-provided secure email client to access and review the document.
D. Download the document directly from the email and review it offline, then delete it from your device once done.
The insecurity: Accessing sensitive documents on an insecure device can lead to data leaks. It’s been found that 61% of businesses had data breaches caused by remote work in 2020. Neglecting secure remote work practices can lead to data breaches and financial losses.
The correct option: C. Connecting to your organization's VPN and using a secure email client ensures data protection, safeguarding sensitive information during remote work.
14. Vendor email verification
The scenario: You're a member of the accounts payable team, responsible for processing vendor invoices. You receive an email in your group inbox that appears to be from a known vendor, but it's sent to the group address without specifying the marketing team member to whom the invoice belongs. The subject line is "Urgent: Invoice Pending," and the email body contains a PDF attachment named "Invoice_1035.pdf." The content of the email mentions the invoice was due last month, and a penalty applies. However, upon closer inspection, you notice that the vendor's email address contains a minor misspelling in their domain name. What should you do?
A. Mark the email as spam and delete it.
B. Mark the email as phishing and report it to your IT security team for further investigation.
C. Block the sender and delete the email.
D. Reply to the email, requesting more details about the invoice and the intended recipient.
E. Forward the email to your colleague on the marketing team, just in case it was a genuine vendor.
The insecurity: Engaging with suspicious emails can lead to phishing attacks and data breaches. Phishing attacks have a 30% open rate. An inadequate response to suspicious vendor emails can result in unauthorized access, data breaches, and financial harm.
The correct option: B. Responding to the email or forwarding it might risk exposing the recipient or others to potential harm, especially if the attachment is malicious. The safest and most prudent action is to report it to the IT security team, who can investigate the email further and ensure that the company's systems remain secure.
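The "minor misspelling in the domain name" that gives this email away is something a mail gateway or a small triage script can catch before a human has to squint at it. Below is an added example (not Zoho's code or a product feature described here): it extracts the sender's registrable domain, compares it against the vendors the accounts-payable team actually works with, and labels it known, lookalike or unknown. It generalizes the scenario's single misspelling to the two common forms, a dropped or swapped letter and a homoglyph substitution such as `rn` for `m`. The vendor list, the confusable-character table and the 0.9 similarity threshold are assumptions made for the example.

```python
import difflib
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of the vendors this accounts-payable team actually deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-traders.com"}

# Character sequences that look alike in common fonts (assumed table). Both the candidate
# and the known domain are rewritten with these, so "acrne" and "acme" collapse to the
# same skeleton string.
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("l", "i")]


def registrable(domain: str) -> str:
    """Keep the last two labels ('mail.acme-supplies.com' -> 'acme-supplies.com').
    Simplification: production code should use the public suffix list so that
    domains under 'co.uk' and similar are handled correctly."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def skeleton(domain: str) -> str:
    """Fold visually confusable sequences to a canonical form."""
    d = unicodedata.normalize("NFKC", domain).lower()   # also folds full-width letters
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def sender_domain(from_header: str) -> str:
    """Registrable domain of the address in a From: header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    return registrable(addr.rpartition("@")[2]) if "@" in addr else ""


def classify_sender(from_header: str, known=KNOWN_VENDOR_DOMAINS,
                    ratio_threshold: float = 0.9):
    """Return (label, matched_known_domain) where label is one of
    'known', 'lookalike', 'unknown' or 'unparseable'."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    if domain in known:
        return ("known", domain)
    for candidate in sorted(known):
        if skeleton(domain) == skeleton(candidate):
            return ("lookalike", candidate)      # homoglyph swap, e.g. rn for m
        if difflib.SequenceMatcher(None, domain, candidate).ratio() >= ratio_threshold:
            return ("lookalike", candidate)      # typo: dropped, added or swapped letter
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers, not real senders.
    for header in ["Acme Billing <ap@acme-supplies.com>",
                   "Acme Billing <ap@acrne-supplies.com>",
                   "Acme Billing <ap@acme-suplies.com>",
                   "Globex AP <ap@globex-industries.com>"]:
        print(f"{header:45} -> {classify_sender(header)}")
```

A "lookalike" verdict is the strongest signal of the four, since a sender whose domain is almost but not quite a trusted vendor is far more likely to be impersonating that vendor than to be a new legitimate contact; that is the case where the email should go straight to the IT security team rather than to the marketing colleague.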
As we conclude this guide during Cybersecurity Awareness Month, it's crucial to emphasize that each of us plays a vital role in safeguarding our digital assets and protecting our organizations.
The "Email Security Awareness Survey" by Zoho serves as a wake-up call, highlighting the importance of staying vigilant in the face of evolving threats. By exploring real-life email security awareness scenarios and understanding the associated risks, we've empowered ourselves to make informed decisions that protect us from phishing attacks, malware infections, data breaches, and more.
Remember, cybersecurity is a collective effort, and your actions matter. By consistently following best practices, verifying emails, and prioritizing security over convenience, we can collectively raise the bar for cyber-resilience. Let's make every month Cybersecurity Awareness Month and continue to fortify our defenses against email-based threats. Together, we can ensure a safer digital world for ourselves and future generations.
Stay secure, stay aware!