Protecting yourself from email attacks
There are a number of ways that people can get information from your organisation in order to launch a phishing attack against you, or to impersonate you whilst phishing someone else.
The simplest way of getting this information is a search on a search engine like this one. A threat actor can craft more complex queries and feed the results into a script that extracts every kind of information the results contain. If you're a school, the Ministry of Education makes contact information for State Integrated Schools publicly available on the Education Counts website, which makes harvesting information about key personnel even easier for threat actors. It can be obtained through a similar search engine query like this one.
As you can see, this makes it very easy to get this data, and for a half-decent threat actor it's not difficult to process this information automatically with a script. Let's be honest: it's impossible to defend against every attack. You simply want to mitigate the likely attacks so that the threat actors go somewhere else.
"So then, enough of the doom and gloom... how do we mitigate these attacks?", you may ask. The answer isn't simple – purely because the landscape changes so often. The following is not an exhaustive list, but we'll continue adding to it as the landscape changes:
| Email direction and mitigation action | Level of mitigation | Impact on your staff/users |
|---|---|---|
| BOTH – Sign (and, where both sides support it, encrypt) inbound/outbound email with Secure/Multipurpose Internet Mail Extensions (S/MIME). | 9/10 – For participating organisations only. With an effective S/MIME implementation a recipient can verify that a signed message really came from the claimed sender, so an unsigned or badly signed message claiming to be from a participating organisation stands out, and encrypted messages stay private in transit and at rest. Along with a rules-based filtering solution (see below), you can rest assured that emails between participating organisations are authenticated and secure. S/MIME does nothing for mail from organisations that don't participate, and recipients' mail clients must actually check the signatures. | 2/10 – Depending on your implementation, users can have some teething problems when first sending to another organisation (certificates have to be exchanged before encryption works). Once bedded down, this becomes inconsequential. |
| BOTH – Implement a rules-based filtering solution. | 8/10 – Depending on the quality of the solution you employ, you can block forged emails with high reliability. If your solution also scans for viruses and malware, you will have considerable success in mitigating most untargeted attacks. | 4/10 – False negatives and false positives (marking a spam email as safe, or a legitimate email as unsafe) take quite a bit of tuning, and additional tuning is likely each time threat actors adopt a new attack vector. |
| BOTH – Ensure that you have correct Sender Policy Framework (SPF) records in place on your domain(s). | 5/10 – SPF lets a receiving mail server check whether the host delivering a message is authorised to send for the envelope sender (MAIL FROM/Return-Path) domain, so it limits a threat actor's ability to impersonate an address on your domain(s), as long as the recipient mail server checks SPF. List every legitimate sending source and end the record with -all (hard fail) rather than ~all (soft fail), which many receivers treat leniently. Note that SPF alone does not check the From: header that users actually see, which is why it should be paired with DKIM and DMARC (below). Because so many domains still don't have correct SPF records, receivers can't treat a missing or weak record as suspicious, so this mitigation currently has limited positive impact on its own. | 1/10 – Any impact is limited to third-party tools that send mail as your domain (newsletter, notification or helpdesk services) and are not listed in your record; their mail will start failing until the record is corrected. Speak to us about fixing these. |
| INBOUND – Enable spam, phishing and malware protection on your mail server (or service) OR pay for a mail filtering service. | 7/10 – There are myriad services available. Cloud services such as Google Workspace have recently made significant advances in this, but enabling the stricter settings is a manual administration task. Speak to us if you'd like us to validate this for you. | 3/10 – Depending on the service deployed, emails will likely have the subject line altered with a spam rating or tags applied to the email. The impact will diminish over time as your users get used to the relevant visual changes. |
| BOTH – Implement malware and antivirus protection on your email. | 7/10 – Most threat actors are trying to get the best bang for their buck: if they're phishing you, they are likely trying to take advantage of you in other respects too, for example with malicious attachments and links. The better the tool, the more of their attacks you will mitigate. You should be aware that there is usually a direct correlation between the cost of the service and its efficacy. | 3/10 – Depending on the service you use, sending emails can be delayed or blocked by these tools. |
| INBOUND – Enforce Domain-based Message Authentication, Reporting & Conformance (DMARC) on inbound mail and publish a DMARC policy for your own domain(s). | 4/10 – In an ideal world this score would be significantly higher. In reality, enforcing DMARC on inbound mail only protects you against impersonation of domains whose owners publish a DMARC policy: a message passes when either SPF or DKIM passes and the authenticated domain aligns with the domain in the From: header, and a message from a domain with no DMARC record is simply not evaluated. If you can achieve critical mass among the domains that send emails to you, the score rises. Having DomainKeys Identified Mail (DKIM) signing enabled on your own domain, along with a DMARC policy of quarantine or reject that your own mail server enforces, achieves significant mitigation of phishing emails that appear to come from your domain to your own users. DKIM matters here because SPF breaks whenever mail is forwarded, while a DKIM signature survives forwarding. | 5/10 – A restrictive policy (p=reject) on your own domain will cause legitimate mail to be rejected wherever a legitimate sender of your domain is not covered by SPF or DKIM, and enforcing other domains' policies on inbound mail can block legitimate messages that have passed through a forwarder or mailing list. Start at p=none with aggregate reports (rua=) turned on, fix the senders the reports reveal, then move to quarantine and finally reject. |
| INBOUND – Remove staff lists completely from your website. | 7/10 – This mitigates the simple information-gathering methods described above. | 7/10 – This approach means that contact methods have to be shared through other means. The level of impact will reduce over time as it becomes commonplace for your community. |
| INBOUND – Add email aliases for your users which only ever appear on your website or other sites (e.g. Education Counts). | 5/10 – Coupled with mail processing rules that tag incoming email to those aliases as coming from a web source, your users are presented with a visual cue that the email should attract extra scrutiny. | 1/10 – Because replies go out from your users' primary email addresses, legitimate contacts pick up the primary address and the website-only alias drops out of the conversation quickly. |
| INBOUND – Obscure your email addresses on your website. | 3/10 – Depending on which approach(es) you implement, you can frustrate threat actors' automated tools for obtaining your details. On the other hand, they could also see this as a challenge to reverse-engineer. | 1/10 – Website maintenance of your contact pages can be a little frustrating; however, you can ask us to manage this on your behalf. |
| INBOUND – Configure your email server not to leak information to threat actors. Please note this may not be possible if you are using a cloud email service. | 5/10 – Most mail servers reply automatically to emails sent to invalid accounts (non-delivery reports) or to emails marked as spam. Because the sender address on phishing mail is usually forged, those replies go to whoever is being impersonated (backscatter), and where the threat actor controls the sender address they learn which addresses exist and what action is taken on their email. Reject unknown recipients during the SMTP conversation instead of accepting and then bouncing, and never auto-reply to mail classed as spam; this severely dampens data-gathering exercises and stops your server spamming third parties on the threat actor's behalf. (A threat actor connecting directly still sees the rejection code for each address, so also rate-limit clients that probe many recipients.) | 0/10 – This activity will have no impact on your users. |
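The SPF and DMARC rows above rely on two checks that are easy to get wrong: whether the published record is actually strict, and whether a given message's SPF or DKIM result aligns with the From: domain. The following Python script is an added example, not code from the original article or from any product it mentions. It lints constructed SPF and DMARC records offline and evaluates DMARC alignment for three constructed message scenarios (a spoofed message, a forwarded message, and a third-party sender signing with its own domain). The domains (example.org and friends), the records and the `org_domain` shortcut are assumptions: a production validator would look the records up in DNS and use the Public Suffix List rather than taking the last two labels.

```python
# Added example (not from the original article): offline linting of SPF and
# DMARC TXT records, plus a DMARC alignment check for a received message.
# Records, domains and message scenarios below are constructed for
# illustration; replace them with your own domain's DNS data.
import re

# DNS records as they would appear in TXT lookups (constructed).
WEAK_SPF = "v=spf1 a mx +all"                     # +all authorises the whole internet
GOOD_SPF = "v=spf1 include:_spf.google.com -all"  # hard fail for everyone not listed
WEAK_DMARC = "v=DMARC1; p=none"                   # monitor only, and no reports
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.org; adkim=r; aspf=r"

# Terms that cost a DNS lookup; SPF allows at most 10 per evaluation (RFC 7208).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|a:|mx\b|mx:|ptr\b|ptr:|exists:|redirect=)")


def lint_spf(record):
    """Return a list of weaknesses found in an SPF record (empty means OK)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted hosts get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral, so spoofed mail is not flagged")
        elif qualifier == "~":
            findings.append("'~all' is softfail; many receivers still deliver spoofed mail")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dictionary keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record):
    """Return a list of weaknesses found in a DMARC record (empty means OK)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required 'p' tag")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; receivers still deliver spoofed mail")
    if "rua" not in tags:
        findings.append("no 'rua' address: no aggregate reports, so no visibility")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only that share of failing mail")
    return findings


def org_domain(domain):
    """Organisational domain, simplified (assumption) to the last two labels.
    Real validators use the Public Suffix List; a .school.nz domain would need it."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' = same organisational domain."""
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Evaluate DMARC for one message: 'pass' if SPF or DKIM passed AND its domain aligns
    with the From: header domain, otherwise 'fail:<policy>' telling the receiver what to do."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and spf_domain is not None and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else "fail:" + tags.get("p", "none").lower()


if __name__ == "__main__":
    for name, rec, lint in (("weak SPF", WEAK_SPF, lint_spf), ("good SPF", GOOD_SPF, lint_spf),
                            ("weak DMARC", WEAK_DMARC, lint_dmarc), ("good DMARC", GOOD_DMARC, lint_dmarc)):
        print(f"{name}: {lint(rec) or ['OK']}")
    # Constructed message scenarios evaluated against example.org's DMARC policy.
    print("spoofed From, attacker's envelope domain:",
          dmarc_result(GOOD_DMARC, "example.org", True, "evil.example.net", False, None))
    print("forwarded mail (SPF broken, DKIM intact):",
          dmarc_result(GOOD_DMARC, "example.org", False, "fwd.example.com", True, "example.org"))
    print("third-party tool signing with its own domain:",
          dmarc_result(GOOD_DMARC, "example.org", True, "bounce.mailer.example.net", True, "mailer.example.net"))
```

Run it with python3 and it prints the findings for each record and the result for the three scenarios. The forwarded case is why DKIM on your own domain matters (SPF fails at the forwarder, DKIM still aligns), and the third-party case is what an "improperly configured third-party tool" looks like from the receiver's side: both SPF and DKIM pass, but for the vendor's domain rather than yours, so a p=reject policy bounces it.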