
It is late on a Friday afternoon. An email from the CFO lands in the inbox of a financial coordinator. Nothing looks off: the display name and the signature block at the bottom both appear genuine.
The message asks for a wire transfer and references a real project by name.
No malware is involved. The attack works on context, timing, and the natural tendency to trust a familiar name under pressure.
Defending against it comes down to a few preventive habits that make you a much harder victim.
1. Trust the Address, Not the Display Name
Spoofing a display name takes a single line in the email headers. The display name "Sarah Chen, CFO" can sit above an address at any domain an attacker registers.
Spotting that inconsistency in the first few seconds of reading an email is the fundamental step for avoiding phishing and protecting company assets.
Take a typical inbox scenario: "Sarah Chen, CFO" appears as the display name, while the full sending address shows a different domain altogether.
This gap, where the mail client shows a friendly name and hides the address, is what CEO fraud, vendor impersonation scams, and invoice rerouting schemes timed to contract renewal periods rely on.
The remedy takes a second of your time: before you respond to any email requesting money, information, or login credentials, examine the full sending domain.
On a phone, tap the sender's name to see the entire address. It takes under two seconds and breaks the core trick behind business email compromise.
Firms can add a passive control that helps form the habit: IT can configure the email filters to prepend an external tag to every incoming message that originates outside the organization.
A tool such as Trustifi's secure phishing prevention can strengthen this further, since it uses artificial intelligence to identify spoofing, impersonation, and other forms of social engineering.
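The display-name check and the external tag described above, as an added example that is not part of the original post: it parses raw From headers, tags anything from outside the (assumed) company domain, and flags external senders whose display name borrows an executive's name or an internal address. The domain, names and sample headers are constructed.

```python
"""Flag sender display-name impersonation in raw From headers.

Added example (not from the original post). The internal domain,
executive names and sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

INTERNAL_DOMAINS = {"acme.example"}   # assumed company domain(s)
EXECUTIVES = {"sarah chen"}           # names attackers like to borrow


def analyze_from(header: str) -> dict:
    """Split a From header into display name and address, then classify it."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = domain not in INTERNAL_DOMAINS
    # Strip titles so "Sarah Chen, CFO" still matches "sarah chen"
    bare_name = name.lower().split(",")[0].strip()
    claims_exec = bare_name in EXECUTIVES
    # Another common trick: an internal-looking address placed in the display name
    name_has_addr = "@" in name
    return {
        "name": name,
        "address": addr,
        "domain": domain,
        "external": external,
        "subject_tag": "[EXTERNAL] " if external else "",
        "suspicious": external and (claims_exec or name_has_addr),
    }


SAMPLES = [  # constructed headers
    '"Sarah Chen, CFO" <sarah.chen@acme.example>',            # genuine
    '"Sarah Chen, CFO" <sarah.chen@acme-finance.test>',       # lookalike domain
    '"sarah.chen@acme.example" <payments@mail-relay.test>',   # address in name
    'Vendor Support <support@supplier.test>',                 # ordinary external
]

if __name__ == "__main__":
    for h in SAMPLES:
        r = analyze_from(h)
        print(f"{r['subject_tag']}{r['address']:40} suspicious={r['suspicious']}")
```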
Key Insight: Before acting on any request for money or data, expand the sender's full address. A single tap reveals the real domain, catching display name spoofing instantly.
2. Hover Like You Are Browsing, Not Panicking
The attacker's first move is to compress your decision window. Emails about passwords expiring soon or documents that require urgent review are crafted to do exactly that.
Under that pressure it is hard to think critically before clicking, which is why people keep clicking on phishing links despite prior training.
To counter the urgency, pause and hover over each link in an email for at least two seconds. Look at the destination address that appears at the bottom of the screen.
On mobile phones, long-press the link to preview where it leads before loading it. This resets the decision process and breaks the artificial urgency.
Recognizing when something is off doesn't take technical knowledge. A genuine Microsoft login URL looks nothing like the address of a credential-harvesting page.
Attackers have responded to this habit with QR-code phishing. These messages carry a PDF or image attachment with an embedded QR code, which sidesteps link previews on mobile phones.
The tactic captures credentials from people who would never follow a link in a phishing email but won't think twice about scanning a QR code.
Never scan a QR code that arrives in an email you did not ask for.
Navigating to the site manually takes a little extra effort, but it beats losing an entire account.
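The hover check above, automated as an added example that is not part of the original post: it pulls every link out of an HTML email body and flags those whose visible text looks like a URL for one host while the real destination is another. The HTML sample is constructed.

```python
"""Check whether link text and link destination in an HTML email agree.

Added example (not from the original post); the HTML snippet is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _host(url: str) -> str:
    """Hostname of a URL; bare 'example.com/x' text is treated as https."""
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return links whose visible text looks like a URL for a different host."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        looks_like_url = "." in text and " " not in text
        if looks_like_url and _host(text) != _host(href):
            flagged.append((text, href))
    return flagged


SAMPLE = """<p>Your password expires today.</p>
<a href="https://login.microsoftonline.com/">https://login.microsoftonline.com/</a>
<a href="https://secure-login.verify-now.test/m365">https://login.microsoftonline.com/</a>
<a href="https://secure-login.verify-now.test/doc">Review document</a>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print("text says", _host(text), "but the link goes to", _host(href))
```

Links with ordinary wording such as "Review document" are not flagged by this check, which is exactly why the hover habit still applies to them.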
Important: Never scan a QR code from an unsolicited email. Attackers bypass link previews on mobile with fake PDF attachments, leading to credential harvest pages.
3. Let the Robot Remember Your Passwords
Password reuse silently amplifies phishing. If the same password is used across platforms, one successful phish yields access to several accounts.
The attacker does not need to break into every service separately; research has found that almost half of users reuse the same password on different websites.
Password managers turn this into an effortless process: the manager creates and saves a strong, unique password for each site, and your only task is to remember the one master password.
Even more critically, password managers double as a passive phishing detector.
A password manager fills a login form only when the site's domain matches the domain the credential was saved for. If an attacker lures you to a phishing page on a lookalike domain, the manager simply stays silent, which stops you from typing anything until you have looked at the site more carefully.
Pairing this with multi-factor authentication (MFA) adds a further barrier: even if an attacker manages to steal your password, they still lack the second factor needed to log in.
Authenticator applications and physical hardware keys provide that second factor.
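The domain-matching rule that makes a password manager stay silent on a lookalike site, shown as an added example that is not part of the original post or of any real password manager. The vault entries are constructed, and the registrable-domain rule is a toy two-label approximation (real managers consult the Public Suffix List).

```python
"""Decide whether a stored credential may be auto-filled on a page URL,
the way a password manager does: by matching the registrable domain,
never by the page's appearance or the wording of the URL.

Added example (not from the original post); vault entries are constructed.
Assumes a two-label public suffix ("example.com"); real managers use the
Public Suffix List, which this toy rule does not.
"""
from urllib.parse import urlparse


def registrable_domain(url: str) -> str:
    """'https://login.bank.example/x' -> 'bank.example' (toy suffix rule)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_candidates(vault: dict, page_url: str) -> list:
    """Return vault sites whose registrable domain matches the page's."""
    if urlparse(page_url).scheme != "https":   # never fill over plain HTTP
        return []
    target = registrable_domain(page_url)
    return [site for site in vault
            if registrable_domain("https://" + site) == target]


VAULT = {  # constructed entries: site -> username
    "login.microsoftonline.com": "fin.coordinator@acme.example",
    "acme.example": "fin.coordinator",
}

if __name__ == "__main__":
    for url in [
        "https://login.microsoftonline.com/common/oauth2",     # genuine
        "https://login.microsoftonline.com.verify-now.test/",  # prefix lookalike
        "https://micros0ftonline.com/login",                   # typo-squat
        "http://login.microsoftonline.com/",                   # downgraded
    ]:
        print(url, "->", autofill_candidates(VAULT, url) or "no fill")
```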
4. Make Reporting Easier Than Deleting
Most workers simply delete an email that looks suspicious, yet reporting it takes a single click and creates compounding value for the organization.
One reported email can trigger automated playbooks that find and remove the same threat from every other mailbox.
The micro-habit relies on the one-click report button that the vast majority of today's email clients provide.
One click sends the signal to the security team automatically, removes the email from the reporter's inbox, and feeds the message into the inbound filtering system.
This helps the models detect further attacks built on the same template.
The more employees participate in reporting, the more signals the machines have to learn from.
It creates a feedback loop between human behavior and automated protection.
One person's alert shields their colleagues from the same attack.
It only works, however, when the underlying technical infrastructure can act on that information in real time.
Businesses may consider using third-party solutions alongside their native systems for establishing a robust architecture of inbound scanning systems.
Pro Tip: One-click report phishing buttons not only protect you but also train AI filters. Each report sharpens detection for the entire organization, creating a real-time defense loop.
Turning Habits Into a Repeatable Process
Habits are the baseline, not the capstone. Individual behavioral changes lower individual risk; an organizational multilayer model lowers overall risk.
The two are meant to complement each other so that nothing slips through.
Take the multilayer organizational approach. Technical controls include inbound email filtering, attachment sandboxing, and URL rewriting. Human measures consist of regular phishing simulations based on real-life patterns.
Process measures require second-channel verification for all financial transactions and information requests.
The approach rests on the premise that no single layer has to be perfect; each layer is built to catch what the others miss.
The technical control that detects the suspicious email covers for the employee who could not see the spoofed address.
The employee who spots the phisher's new trick covers for the inbound mail filter, which did not know about it yet.
To check that this stack is working, set up an evaluation framework around three primary metrics. Track the phishing click rate as a lagging indicator of how effective security training has been.
Measure the reporting rate as a leading indicator of cultural engagement. The third metric to track is the time to remediate.
Your Email Security Checklist
These habits only stick if they stay low-effort. The checklist below covers all four habits plus the organizational process layer.
None of them requires special security knowledge. Print this list and attach it to your monitor, or share it in your team's channel.
- Always check the complete email address when a request involves funds or login credentials.
- Hover over links to check the destination before clicking.
- Do not scan QR codes from uninvited or strange emails.
- Use a password manager with unique credentials, and set up MFA everywhere.
- When you come across a suspicious email, use the one-click report button; deleting it is not enough.
- Verify payment instructions through a second channel of communication.
Spread this list among your team members or even send it over to your IT department, as it may help in aligning your department’s email security habits.
The Bottom Line
Back to our late-Friday scenario. That fleeting moment of doubt before tapping reply is not paranoia. It is the habit doing its work.
It is the result of four actions that are individually low-cost and collectively significant.
A good defense strategy need not be grueling. The strongest barrier against BEC attacks can be built from behaviors so ordinary that they are barely noticeable.
Checking the full email address, hovering over links, letting a password manager fill in the fields, and reporting rather than deleting all take little effort.
Combining preventative actions with intelligent technology and a robust process of verification helps establish an approach that prevents attacks.
The three elements do not have to be perfect because, when taken together, they are hard to beat.
Be armed with the email security best practices discussed above, and you will be on your way to making your inbox an impossible target.
Disclaimer: This post was provided by a guest contributor. Coherent Market Insights does not endorse any products or services mentioned unless explicitly stated.
