Email Security - COVID-19 and beyond
- Author: Kevin Glass
We've all grown weary at some point of the never-ending tide of spam directed at our in-boxes. There are many types of spam, ranging from unsolicited advertising, which simply wastes time, to the most hostile type, phishing, which is used to perpetrate fraud against you as a law firm or against your clients, and which generally targets users of online banking and online payment gateways.
Email security should be a top priority for your law firm, since email is the number one channel used by 'bad actors' to gain access to your firm's private data, potentially giving them passwords, credit card numbers, bank account details and more.
The need to be constantly on guard against the threat of phishing attacks, malware and scams has never been more important than during the recent COVID-19 pandemic. New attacks and scams appear daily, trying to take advantage of the fear and uncertainty surrounding the pandemic.
To give you a feel for the scale of the problem over March and April 2020: Google, via its Gmail service, blocks more than 100 million phishing emails every day, and of those around 18 million alone are related to COVID-19. At Conscious HQ, over the last few weeks we have been seeing spam detection rates on our own email servers in the region of 97%.
We've recently had a number of clients seeking advice on best practice when it comes to email channels from their website, in response to concerns over phishing attempts or general levels of spam.
One concern relates to the harvesting of email addresses from their website. The Conscious CMS platform has some in-built features to mitigate harvesting attempts against your staff profile pages. However, their effectiveness is limited whenever an email address is typed directly into a blog post or services page published on the site.
Avoiding handing lists of emails up on a plate is a laudable approach, but it is of limited use. Spammers or any 'bad actor' can easily obtain lists of company email addresses without going anywhere near a website, using a variety of techniques; at the simplest level, they can simply guess that firstname.lastname@ or firstinitial.lastname@ will work.
So whilst we occasionally see requests to remove all email addresses and contact forms from websites, this only serves to inconvenience existing and potential new clients who in general want to email someone directly rather than fill in a form.
The first line of defence for any business should be an Email Security Gateway, a platform which guards against hackers, spam and viruses. These tools protect against all sources of threat, whether from a form on your website or a link to an email address on your website, or any other channel that results in an email being delivered to your mail servers.
There are many well-known products on the market aimed at law firms of all sizes, but it is not the intention of this article to promote or provide a definitive list. However, some of the more common names that we encounter include companies such as Mimecast, Sophos and SpamTitan.
The criteria used to choose a solution will vary from firm to firm, but will usually include pricing, ease of implementation, support and how effective the solution is at addressing the risk assessment that you have undertaken.
If this is not something that your law firm already has in place to protect against this threat, then it surely needs to be something that you review in the near future. Your COLP (Compliance Officer for Legal Practice) needs to have this on their radar.
If your firm already uses such a service and you notice a sudden increase in spam, then we would recommend reviewing how it is being used with your IT supplier or internal IT department. It's important to ensure that the balance is right: that you are not seeing a large number of false positives and potentially rejecting legitimate enquiries via your email channels, whilst at the same time ensuring that you are being protected against the real threat posed by this problem.
It is also important to remember that even with systems such as these in place, even tech giants such as Google can only claim to prevent 99.9% of these messages.
With that in mind, it is equally important to ensure that your workforce is kept aware of the threat and understands the basic techniques and tips to follow when dealing with an email: that the identity of the sender of any email is authenticated, and that any threat is mitigated, particularly when the client's or the firm's money is involved.
Remember that banks (or any other official source) will never ask you to supply personal or confidential information via an email. Neither should you be asking your clients to provide personal details in this way. If you have any doubts about a message, call the person or organisation directly, having independently authenticated their contact details.
Don't use any telephone numbers, website links or email addresses contained in the email; visit the official website instead, so that you can be confident that you are dealing with the person or organisation mentioned in the email.
Hopefully, these tips will help you stay even safer during these strange times.