ProtonBlog(new window)

Email is the #1 target for hackers. Here’s how to secure email for your business

Share this page

Email is the primary attack vector for hacking and fraud, and the situation is only getting worse. From 2017 to 2018, email-based attacks on businesses increased 476%, according to the most recent threat survey(new window) by the cybersecurity firm Proofpoint.

The FBI reports(new window) there are around 14,000 email scams each year worldwide, costing companies $12 billion. And most small businesses(new window) don’t believe they could remain profitable if they lost their data.

There are several reasons hackers target email so often:

  • Email attacks work — human error is an unpatchable weakness in any security plan, and email is a perfect medium to exploit people.
  • Email accounts store lots of data — your email account is a trove of sensitive data, including financial information, contacts, and information that can be used in social engineering schemes.
  • Email is ubiquitous — everyone uses email, making the number of potential targets in a single organization as large as the payroll.
  • Email is identity — your email account is used to verify your identity, email addresses are often usernames, and a successful account takeover is an entrypoint to further attacks.

Given the stakes, secure email practices must be a priority for your organization. Based on what we know about attacks, implementing this advice can reduce your exposure to email attacks.

Train employees on common attacks

It’s important to create a culture of security awareness(new window) in your organization, and email security should be at the top of the list. There are a few areas you should cover:

Phishing

Phishing attacks(new window) attempt to trick victims into clicking on links or downloading attachments in emails that appear to be legitimate. Phishing emails often look obviously fake. But sophisticated ones might spoof the “from” address(new window) to look like an official sender and design the email in a convincing way.

For example, the phishing email that exposed Hillary Clinton’s campaign emails looked like this:

When her campaign manager clicked the “change password” button, it took him to a page operated by the hackers, where he proceeded to enter the login to his Gmail account. Other kinds of phishing attacks might result in malware or ransomware being installed on your device or network.

You can prevent phishing attacks by training your employees to be vigilant. As a general rule, they should never click on links or download attachments in unexpected emails without first verifying their legitimacy. Proton Mail provides a number of anti-phishing features(new window), such as report phishing and anti-spoofing protection with SPF(new window), DKIM(new window), and DMARC(new window). If you receive an unexpected email alert from an online service you use, it’s always better to go to the website and log in to your account there, rather than clicking the link in the email.

Fraud

The FBI report cited above focuses on another kind of email attack: scams. You’re surely familiar with the emails from strangers hoping to send you millions of dollars, provided you cover their wire fees up front. Businesses are often the target of more sophisticated scams that use social engineering.

One common tactic is to spoof(new window) a manager’s email address (or actually take over that person’s account) and send an “urgent” message to a lower-level employee asking for a quick transfer to a client. Or they might fake an invoice from a plausible vendor.

Employees should be trained to be skeptical of any emails requesting money transfers or sensitive personal or business data. If there’s any doubt, reach out to a manager or IT contact in the company.

Require two-factor authentication (2FA)

Every employee in your organization should use two-factor authentication (2FA) in any online account that offers it. With 2FA enabled, after entering their username and password, a person then also has to enter a code from a fob or an authenticator app installed on their mobile device. (Email and SMS codes are also common, though these are less secure. Hardware authenticators(new window) are most secure). If Hillary Clinton’s campaign manager had 2FA enabled on his Gmail account, the hackers would not have been able to access his account unless they also had control of his smartphone.

Enforce password security

Using a strong, unique password is the first line of defense for all your organization’s accounts and devices, including email. We have previously offered our recommendations for choosing strong passwords(new window), but there are two main points:

  • Use a different password for each online account.
  • The longer(new window) and more random your password is, the more secure it is.

There is no reason to ask employees to reset their passwords periodically or to require the use of certain kinds of characters. It’s much more important to ensure they are choosing a strong, memorable password or using a trustworthy password manager to help them do it.

Use encrypted email

Some email providers are more secure than others. If you are using an email service that does not use end-to-end encryption(new window), then there is a possibility that a data breach will expose your organization’s emails. For certain organizations, this can also increase your liability for penalties under HIPAA(new window) and the GDPR(new window).

Unlike Gmail and other mainstream providers, Proton Mail does not have the ability to decrypt users’ emails and neither do hackers. The only way someone could access messages sent between Proton Mail accounts would be to compromise the end-user or stage an elaborate man-in-the-middle attack. We have also taken measures, such as encrypted Proton Contacts(new window) and address verification(new window), to drastically reduce the possibility of one of these attacks succeeding.

Reduce your attack surface

Every email address is an opportunity for an attacker. So if you reduce the number of employees with publicly available email addresses, you can reduce your potential attacker’s options. You should only list essential employee names and contacts on your organization’s website. You can also consider using non-obvious email formulations that are difficult to guess. For example, instead of alice.smith@example.com, you could use as938@example.com.

Proton Mail is committed to providing the most secure email service possible for businesses. Over 10 million users, including thousands of organizations, governments, and small businesses, depend on us to keep their data safe. Learn more about Proton’s secure business email(new window).

Best Regards,
The Proton Mail Team

You can get a free secure email (new window)account from Proton Mail.

We also provide a free VPN service(new window) to protect your privacy.

Proton Mail and Proton VPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan(new window).Thank you for your support.

Protect your privacy with Proton
Create a free account

Share this page

Ben Wolford(new window)

Ben Wolford is a writer and editor whose work has appeared in major newspapers and magazines around the world. Ben joined Proton in 2018 to help to explain technical concepts in privacy and make Proton products easy to use.

Related articles

Can you password-protect a folder in Google Drive?
Protecting a folder with a password is a simple yet effective way of securing files. You may wonder whether you can password-protect a folder in Google Drive. We explain what access controls Google Drive offers and what you can do to improve your sec
Proton Pass now supports passkeys on all devices and plans
We’re excited to announce that Proton Pass supports passkeys for everyone, allowing you to manage and use passkeys across all devices seamlessly. Passkeys are an easy and secure alternative to traditional passwords that can help prevent phishing atta
what is a passkey?
Passkeys are a new way to secure your online accounts using cryptographic keys instead of passwords. They offer a high level of convenience and security, and are a real game-changer in the way we access and secure sites. What is a passkey, though, an
Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail