Can Opening an Email Get You Hacked?

Email hacking is one of the most prevalent cyberattacks on the Internet. Data from the Internet Crime Complaint Center (IC3) found that business email compromise (BEC) is the costliest type of cyberattack, with 19,369 total complaints racking up $1.8 billion in losses.

The cost of BEC might be this high because a compromised email is like handing criminals the keys to the front door. It allows them to perform further exploits, like changing security settings, to get admin access to sensitive data and exfiltrate that data without anyone noticing.

Small business owners are particularly vulnerable to email hacking because they might not have sophisticated IT security tools, systems, or protocols to protect them.

Although cybersecurity might not be one of the top ten concerns small business owners have, thinking about it early can preempt the pain of getting attacked as your company grows.

This article discusses how to recognize email hacking attempts and what to do to protect your business.

How dangerous is just opening a suspicious email?

Just opening an email can be dangerous, but not always directly.

Here’s why.

All email attacks require some kind of action after opening an email. For example, most email malware attacks need users to click on a link or download an attachment to initiate the attack.

However, phishing attacks can employ a more dangerous method called social engineering. In this method, a criminal attempts to persuade the user to confirm their credentials, update their password, or perform any other compromising action while hiding behind the guise of a legitimate client, co-worker, or vendor.

In this sense, just opening a suspicious email can be dangerous because the user can easily fall victim to a social engineering exploit, making them vulnerable to email hacking.

The email hacking process explained

Here’s a more detailed rendition of the email hacking process:

Step 1: A suspicious email arrives in an employee’s inbox. It might not ask for anything; it’s often just a first-contact email to test the waters.

Step 2: If the employee replies to the email, the attacker knows they might be willing to take further actions. They might, for instance, ask them to confirm their employee credentials, like their employee number.

Step 3: Once the attacker has built rapport with the victim, they go for sensitive information. For example, they might say there is a suspected attack and that all employees should change their email password, then send the user to a fake password reset page.

Step 4: Once they have the credentials, they will use the compromised email to email more unsuspecting employees until they have sufficient access to launch the main attack—a data breach or financial fraud.

How to recognize suspicious emails

Once an attacker has control of an internal email, it becomes challenging to tell whether an email sent from that address is genuine or fake. Before it gets this far, however, preventing the hack in the first place is the most effective measure to take.

Here are some ways to recognize suspicious/malicious emails and prevent a hack:

  • Demands urgent action: Such emails create a sense of emergency with drastic repercussions if the user does not act immediately.
  • Poorly written: Emails with lousy grammar, missing punctuation, or missing characters should raise red flags.
  • Unfamiliar salutations or greetings: Overly formal greetings like Dear, Attention, and Greetings might appear odd in a work setting where employees use less formal language.
  • Inconsistent formatting, domains, and links: Most business emails have the same design, domains, and link structures, so anything that looks different should be treated as suspicious.
  • Requesting sensitive information: If it’s uncommon for co-workers to request login credentials or other sensitive information via email, this is a red flag too.
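
As an added illustration (not part of the original article), the Python sketch below checks a message for several of the signs listed above: urgency wording, formal salutations, requests for sensitive information, and inconsistent domains and links. The company domain, keyword lists, flag names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: your organisation's mail domain
# Assumed keyword lists; tune them to the mail your staff actually receive.
URGENCY = re.compile(r"\b(urgent|immediately|right away|account will be suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|credentials|employee number)\b", re.I)
SALUTATION = re.compile(r"^\s*(dear|attention|greetings)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="https?://([^/"\s:]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

def domain_of(header):
    # Lower-cased domain of an address header, or '' when the header is absent.
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def link_mismatch(body):
    """True if a link's visible text names a different host than its href."""
    for href_host, shown in ANCHOR.findall(body):
        seen = SHOWN_HOST.search(shown)
        if seen and seen.group(1).lower() != href_host.lower():
            return True
    return False

def triage(raw):
    """Return the warning signs found in one single-part message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    checks = [
        ("urgent-action", URGENCY.search(text)),
        ("formal-salutation", SALUTATION.search(body)),
        ("requests-sensitive-info", SENSITIVE.search(text)),
        ("sender-outside-company-domain", sender != COMPANY_DOMAIN),
        ("reply-to-differs-from-sender", reply_to and reply_to != sender),
        ("link-text-differs-from-target", link_mismatch(body)),
    ]
    return [name for name, hit in checks if hit]

# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: IT Support <it-support@examp1e-helpdesk.test>
Reply-To: helpdesk@mail-reset.test
Subject: URGENT: password reset required

Attention, we suspect an attack. Change your password immediately at
<a href="http://reset.mail-reset.test/login">https://portal.example.com/reset</a>
"""
BENIGN = "From: Sam <sam@example.com>\nSubject: Lunch on Thursday?\n\nHi Jo, are you free for lunch on Thursday?\n"
```

A message that trips several flags at once deserves a second look before anyone replies or clicks; a single flag on its own is weak evidence.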

3 Measures to protect employee emails

The first step in protecting employee emails is to train employees to recognize suspicious emails, as outlined above. You can include these details in an employee handbook, so every new employee knows how to respond to potential phishing attacks.

In addition to this, you should implement the following three measures to further secure employee emails:

  1. Install security software
  2. Implement periodic password changes
  3. Use two-factor authentication (2FA)

Install security software

Anti-phishing toolbars, antiviruses, firewalls, and email filters can all help reduce employee exposure to hacking attacks. For example, email filters remove 99% of spam and other suspicious emails, making it easier for employees to assess whatever emails make it to their inbox.

Implement periodic password changes

Periodic password changes (e.g., monthly) can make it difficult for attackers to maintain a long-term attack. Besides implementing such a program, consider using automatic account locks on expired passwords to force employees to update their passwords or lock unused emails.

Use two-factor authentication (2FA)

2FA is a powerful deterrent to hackers because it relies on information tied to the user. For example, a physical key, authenticator app, or SMS OTP are challenging targets for criminals because the codes change constantly, and employees typically would not send such information via email.

What to do if an employee’s email is compromised

If you implement the above measures and your employees’ emails are safe, you might be among the few who are not compromised. For the majority, compromised emails are a matter of when and not if.

If your company falls in this category, this is what you can do if an employee’s email becomes compromised:

  1. Log out all sessions currently logged into the email address
  2. Change the password and security questions
  3. Implement two-factor authentication
  4. Scan all outgoing emails from that account for attachments and links
  5. Review all outgoing emails to see whether other employees may have been compromised
  6. Warn all employees of the compromised email so they can remain vigilant
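
Steps 4 to 6 above can be partly automated. The added example below (not from the original article) inventories the links and attachments in a compromised account's sent mail and lists which recipients received them, so you know whom to warn first. The addresses, domains and sample messages are constructed, and `make_sent` and `review_sent` are hypothetical helper names.

```python
import re
from collections import defaultdict
from email.message import EmailMessage
from email.utils import getaddresses

URL_HOST = re.compile(r'https?://([^/\s<>:"]+)', re.I)

def make_sent(to, subject, body, attachment=None):
    """Build a constructed sent-folder message (stand-in for a real mailbox export)."""
    msg = EmailMessage()
    msg["From"] = "pat@example.com"  # the compromised account (constructed)
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

# Constructed sample of the account's outgoing mail.
SENT = [
    make_sent("jo@example.com, lee@example.com", "Updated invoice",
              "Please review: http://files.invoice-share.test/doc", "invoice.zip"),
    make_sent("sam@example.com", "Lunch", "Thursday at noon?"),
    make_sent("lee@example.com, vendor@partner.test", "Password reset",
              "Reset here https://reset.mail-reset.test/login"),
]

def review_sent(messages):
    """Map each recipient to the links and attachments the account sent them."""
    exposure = defaultdict(set)
    for msg in messages:
        body = msg.get_body(preferencelist=("plain", "html"))
        hosts = set(URL_HOST.findall(body.get_content())) if body else set()
        files = {part.get_filename() for part in msg.iter_attachments()}
        items = {f"link:{h.lower()}" for h in hosts} | {f"file:{f}" for f in files}
        if not items:
            continue  # nothing clickable or downloadable in this message
        headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
        for _, addr in getaddresses(headers):
            exposure[addr.lower()] |= items
    return {addr: sorted(items) for addr, items in sorted(exposure.items())}
```

Recipients outside your own domain, such as the vendor address in the sample, also appear in the result, since they need a warning too.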

These measures are usually enough to stop an email hacker in their tracks. However, in some cases, the hacker may have used the account to gain access to other accounts, so you might need to look at all accounts connected to the compromised one and secure them as well.

Long-term email safety

One of the challenges small business owners face is maintaining online security measures as the business grows. Online security can become a headache with more employees, customers, and vendors.

The best way to scale security with your company is to maintain a cybersecurity playbook that teaches everyone how to maintain online security.

It might be as simple as a one-page document pinned on the notice board. As you grow, it can develop into a detailed training manual that empowers employees to keep themselves and the company safe from email hacking attacks. 

This is not intended as legal advice; for more information, please click here.

These views are made solely by the author.

Ashley Lukehart

Ashley has been writing about the impact of technology and IT security on businesses since starting Parachute in 2005. Her goal has always been to provide factual information and an experienced viewpoint so that business leaders are empowered to make the right IT decisions for their organizations. By offering both the upsides and downsides to every IT solution and consideration, expectations are managed and the transparency yields better results.
