The Security Issues Caused By Misdirected Emails
When we consider the security of our business technology, we often think of scams or phishing e-mails. These get easily shrugged off, as we assume no one would fall for e-mails that simply ask for money or claim you have won a lottery you never entered. If you were to list the security incidents companies actually report, you would be surprised: the #1 data security incident reported in 2017 was misaddressed e-mails. Something as simple as typing too fast, or misspelling a person’s name, can have huge repercussions for your business. The scary thing is that any employee, at any moment in the workday, could make this mistake.
Two major issues result from misaddressed e-mails. One is the result of your e-mail being accidentally sent to the wrong person. Now, some person has information that wasn’t meant for them. This could be as small as a secret joke about the boss, or as treacherous as spreadsheets with a department’s payroll information. Either way, this simple mistake could have enormous consequences.
The second major security issue involves a more sinister adversary: something you send is accidentally delivered straight into their eagerly waiting hands. This is the problem of “doppelganger domains,” domains that closely resemble legitimate ones. These look-alike domains are registered for the sole purpose of capturing misaddressed e-mails. How many misaddressed e-mails could there be that could damage the integrity of your business? Research shows that in one case, with only two researchers and six months of time, they managed to capture 20 gigabytes of information from various Fortune 500 companies.
The e-mails they captured contained material of varying confidentiality, ranging from employee usernames and passwords to legal documents such as contracts or affidavits. The scary thing is that by the time a company catches such an e-mail and starts improving its security, it could already be too late. After a hacker has confidential information such as passwords and usernames, or payroll accounts, the business has all but handed over the reins. Any one of these items could be dangerous enough to seriously endanger the business, but all together? The outcome could be catastrophic.
If you were on the receiving end of an e-mail that was not meant for you, what should you or your employee do? The New York Times recently answered this question with the following recommendation: “If the message appears life-threatening or otherwise very important, then you have a moral responsibility to reply back and try to get the e-mail where it was originally headed. If the message is not life-or-death, you can safely ignore it. That approach means you don’t punish people in need, but otherwise, you let Natural Selection do its thing on people who can’t be bothered to check e-mail addresses.”
Knowing the dangers of misaddressed e-mails is only half the battle. What can we do to prevent them and protect the integrity of our business? Basic e-mail policies are key to improving the security of your business. First, encourage the use of strong passwords, so they can’t be easily guessed or forged. Secondly, ask employees to memorize their passwords rather than write them down, as written-down passwords pose another security risk. Thirdly, remind employees to change their e-mail passwords frequently; it is recommended to do so every two months.
Training in e-mail and internet etiquette goes hand in hand with your business’s e-mail policy. Training should show employees the importance of always remaining vigilant in order to catch e-mails that carry malware or phishing attempts. To achieve this, employees should avoid opening attachments or clicking on suspicious links. Secondly, employees should be suspicious of clickbait subject lines and check the names of unknown senders to ensure they are legitimate. Lastly, train employees to look for inconsistencies and stylistic red flags, such as simple grammar mistakes or excessive or unusual punctuation.
Businesses have other options for dealing with doppelganger domains. A study from the University of Cape Coast shows that companies can buy their own doppelganger domains, thereby maintaining the integrity of their business. The research goes on to state that the business should “set it up so that when a message is received, it will automatically send out a failure notification. Awareness of the issue should be raised among employees.” This captures any e-mails accidentally sent to the look-alike address, and the failure notification tells the sender about the mistake, so the business’s integrity is maintained.
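One way to set up the automatic failure notification the study recommends, as an added example that is not from the article or from the University of Cape Coast study: once the organisation has registered the look-alike domain (here the constructed name mailexample.com, the dot-dropped form of mail.example.com) and pointed its MX record at its own mail server, a Postfix access table can refuse every message to that domain at the SMTP RCPT stage. The sending mail system then returns a non-delivery report to the sender, which is the failure notification. All domain names are constructed placeholders; the Postfix file paths are assumptions for a default installation.

```text
# /etc/postfix/typo_domains  (access table; constructed domain names)
# Left column: a look-alike domain the organisation registered.
# Right column: the action and the text the sender sees in the non-delivery report.
mailexample.com   REJECT This address is a typo of mail.example.com; please check the recipient

# /etc/postfix/main.cf  (excerpt)
# The access check comes first so that a typo by one of our own users is also
# refused at submission time, not only mail arriving from outside.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/typo_domains,
    permit_mynetworks,
    reject_unauth_destination

# Build the lookup table and activate the setting:
#   postmap /etc/postfix/typo_domains && postfix reload
```

Because the rejection happens before the message body is accepted, the mistyped e-mail and any attachment never land in a mailbox on the look-alike domain, and the failure notification reaches the sender within seconds rather than after the message has already been read by someone else.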
After establishing good e-mail policies, there are further steps you can take to ensure the safety of your business’s confidential information. Just as Grammarly checks for spelling and grammar issues, you can check outgoing e-mail for doppelganger domains. CheckRecipient is a next-generation e-mail security technology that prevents highly sensitive information from being sent to the wrong people. CheckRecipient uses artificial intelligence and machine learning to analyze historical e-mail data and automatically identify anomalies and mistakes in outgoing e-mails which may result in inadvertent data loss. Some of the world’s largest organizations rely on CheckRecipient’s technology across the financial, legal, professional services and biotech sectors.
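The two ideas in this article that a tool can act on, a recipient domain that is a near-copy of a domain the sender normally writes to (the doppelganger problem described above) and a recipient that is an anomaly against the sender’s own history (the approach CheckRecipient is described as taking), can be shown in a small outbound check. The code below is an added example written for this article; it is not code from the article, from CheckRecipient, or from any other vendor, and its scoring rules are a simplification rather than any product’s method. The organisation’s domains, the sent-mail log and the outgoing addresses are constructed sample data.

```python
"""Outbound-recipient check for likely misaddressed e-mail.

Added example, not the article's or CheckRecipient's code.  It flags a
recipient domain that is (a) a known domain with one dot dropped, (b) one
character away from a known domain, or (c) a domain this sender has never
written to.  All names below are constructed sample data.
"""
from collections import Counter, defaultdict


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos such as lawfirn for lawfirm."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def dotless_variants(domain: str):
    """Doppelganger forms made by dropping one dot: mail.example.com -> mailexample.com.
    Whoever registers the collapsed name receives mail meant for the subdomain."""
    parts = domain.split(".")
    variants = set()
    for i in range(len(parts) - 2):   # never merge the last label into the TLD
        merged = parts[:i] + [parts[i] + parts[i + 1]] + parts[i + 2:]
        variants.add(".".join(merged))
    return variants


def build_history(sent_log):
    """Per-sender count of recipient domains, learned from past outbound mail."""
    history = defaultdict(Counter)
    for sender, recipient in sent_log:
        history[sender][recipient.rsplit("@", 1)[-1].lower()] += 1
    return history


def check_recipient(history, sender: str, recipient: str, own_domains):
    """Return a list of warnings for one outgoing recipient; empty means no concern."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    known = set(own_domains) | set(history.get(sender, Counter()))
    if domain in known:
        return []
    warnings = []
    for good in sorted(known):
        if domain in dotless_variants(good):      # checked first: also 1 edit away
            warnings.append(f"{domain} is {good} with a dot removed")
        elif edit_distance(domain, good) == 1:
            warnings.append(f"{domain} is one character away from {good}")
    if not warnings:
        warnings.append(f"{sender} has never written to {domain}")
    return warnings


# --- constructed sample data -------------------------------------------------
OWN_DOMAINS = {"example.com", "mail.example.com"}   # the organisation's own domains
SENT_LOG = [                                        # (sender, recipient) of past mail
    ("alice@example.com", "bob@lawfirm.example"),
    ("alice@example.com", "carol@lawfirm.example"),
    ("alice@example.com", "dave@example.com"),
]


def demo():
    """Run the check over four outgoing recipients and return {recipient: warnings}."""
    history = build_history(SENT_LOG)
    outgoing = [
        "bob@lawfirm.example",    # usual correspondent: no warning
        "hr@mailexample.com",     # mail.example.com with the dot dropped
        "bob@lawfirn.example",    # one-character typo of a known domain
        "payroll@bank.example",   # a domain this sender has never written to
    ]
    return {r: check_recipient(history, "alice@example.com", r, OWN_DOMAINS)
            for r in outgoing}


if __name__ == "__main__":
    for recipient, warnings in demo().items():
        print(recipient, "->", warnings or "ok")
```

A real deployment would run this at the mail submission point and turn a warning into a confirmation prompt for the sender rather than a silent block; the never-written-to rule in particular produces legitimate hits every time someone contacts a new customer, so it is a nudge to look twice, while the dot-dropped and one-character rules are precise enough to justify holding the message.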