An introductory guide to email account security

With business email the most common attack route for cybercriminals, here are some basics on their aims, their methods and the top 10 countermeasures
17th October 2022 | David Fleming

Your business email account is the most common entry point for criminals and is at the root of many successful cyberattacks on lawyers. It is not surprising that the most used function in a business is the one that criminals use to exploit. What is surprising is that the security of a firm’s email system isn’t made a higher priority.

In this summary we will describe how attacks start, in order to give an insight into the key things that you need to defend against. We will also describe some common consequences of an attack to help to understand why this subject deserves real attention. Finally, we give 10 top tips on how to avoid becoming a victim.

Top four attack approaches

Here are the common methods of attack against a law firm’s email systems.

  1. Phishing. The criminals send blanket emails to every address they have acquired from social media, the dark web and website scraping. They pose as legitimate suppliers and trick you into giving away your email login credentials. In our simulated attacks 20% of untrained staff typically fall for this type of attack.
  2. Malicious attachments. Emails with fake attachments will tempt you to open them with headings like “missed message”, “urgent invoice”, “bank statement” etc. They will have malicious code that will attempt to get control of your computer in some way.
  3. Account hijack. Using credentials purchased from the dark web, automatically cracking weak passwords, or tricking you with phishing attacks, the criminals get access to your account. They log in as you, with full functionality including access to all your email history.
  4. Spoofing. The criminals create their own email accounts and pretend to be you. They are not inside your account, but they send emails to employees to try to get access to business systems and data.

Top three consequences

Here are the consequences if the criminals are successful in the approaches above.

  1. Ransom. This is the most damaging consequence and can be business-ending. The criminals use the access they have gained first to steal confidential and personal information, and then to encrypt your systems. They threaten to release the data if you don’t pay a ransom fee. The average business downtime is now 26 days. The average ransom payment in 2021 was £628,000.
  2. Virus-spreading spam email. The most common consequence is thousands of emails being sent from your email account to every contact associated with your business. The aim of the email is to contaminate their systems with a view to stealing money from them. We probably don’t need to describe how damaging this can be for a previously trusted business.
  3. Payment diversion. The main objective here is to get money diverted to the criminals’ bank accounts by tricking you or a client into sending money to the wrong payee. There is the obvious financial and reputational damage, but the conversations with the ICO will not end well if a client has lost thousands of pounds because you didn’t protect their data sufficiently.

Top tips to help defend against email attacks

Here are the top 10 areas you must address to defend against the greatest cyber threat facing your business.

  1. Appropriate business email account. Free and basic email systems are not good enough. You may need to upgrade to get the appropriate level of capability.
  2. Good employee disciplines. Email addresses should be for work purposes only, and you need to make this clear to staff. The dark web is littered with business email addresses that have been used on personal accounts (e.g. Amazon, eBay etc) that have then been lost along with passwords and critical information.
  3. Unique, strong passwords and strong authentication. The password should not be a repeat of anything you have used elsewhere, and it is essential that authentication has another factor, e.g. a code on your phone.
  4. Inbound filters. Get these expertly set and don’t rely on defaults. If done well it will stop the deceptive emails ever getting into staff inboxes.
  5. Domain records. The end of your email, @acme.com, is called the domain. There are important records that need to be set in the domain control panel to avoid criminals easily spoofing your address.
  6. Staff training and simulation. Make sure your staff get annual training and run simulated attacks to make sure they know what to expect.
  7. Access methods. You need to have a clear policy on how staff access emails, e.g. from a laptop, mobile, through a web browser, etc. The more you reduce this, the more access points can be switched off in the security settings.
  8. Payment methods. Make sure that there is a robust process that ensures that changes to payee details have strong challenge processes.
  9. Antivirus and browser integration. Your web browser, email service and antivirus software need to be configured to work in unison to stop attacks. This is the most important retrospective control as it is unwise to rely on staff spotting the criminals’ tricks.
  10. Alerts and blocks. Make sure that the alerting from security systems is properly configured and is going to your technical support, and that rules are set to block, not allow.
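Tip 5 refers to the DNS records that tell receiving mail servers which senders may use your domain. The example below is added here and is not code from the article or from Mitigo; it assumes those records are the SPF and DMARC TXT records, and it checks constructed records offline, flagging a weak configuration beside a corrected one.

```python
# Added example (not from the article or Mitigo): evaluates the two DNS TXT
# records most domains publish to make address spoofing harder, SPF and DMARC.
# Records are embedded as constructed strings so this runs offline; in practice
# you would fetch them with your DNS tooling (SPF at the domain, DMARC at _dmarc.<domain>).

def check_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF TXT record ('' means no record)."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["no SPF record: anyone can claim to send as this domain"]
    terms = record.split()[1:]
    last = terms[-1] if terms else ""
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends in '{last}': every sender passes")
    elif last == "~all":
        findings.append("SPF ends in '~all' (softfail): spoofed mail is only flagged")
    elif last != "-all":
        findings.append("SPF has no 'all' term: unlisted senders are not rejected")
    if len([t for t in terms if t.startswith("include:")]) > 8:
        findings.append("more than 8 include terms: likely to exceed the 10 DNS lookup limit")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC TXT record ('' means no record)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers are not told to reject spoofed mail"]
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail goes to junk rather than being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to review")
    return findings

# Constructed records for a fictional firm (example.com): weak first, corrected second.
WEAK_SPF = "v=spf1 include:_spf.mailhost.example ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for spf, dmarc in ((WEAK_SPF, WEAK_DMARC), (STRONG_SPF, STRONG_DMARC)):
        print(check_spf(spf) + check_dmarc(dmarc) or ["no findings"])
```

Moving to `-all` and `p=reject` should be done only after every legitimate sending service (mail host, marketing, invoicing) is listed in SPF, otherwise your own mail is what gets rejected.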

This guide gives you a starting point and a roadmap. Please invest some time and resources to getting this right – it will be the best money you spend this year.

This article was produced by the Law Society of Scotland's strategic partner Mitigo. Take a look at their full service offer. For more information contact Mitigo on 0131 564 1884 or email lawscot@mitigogroup.com

The Author

David Fleming, chief technology officer, Mitigo
