Three essentials to keeping your email accounts safe from cyber crime

With most organizations still dependent on email, it’s essential to adopt protocols that safeguard access to company accounts and the critical information they contain



Key takeaways

  • Multiple layers of authentication and oversight may be needed to ensure the legitimacy of all email interactions.
  • Email protocols like DMARC and BIMI should become standard security tools in organizations of all sizes.
  • Businesses should continue to educate employees about evolving email threats and invest in training, such as phishing simulations.

Email continues to be the backbone of business communication in almost every industry — and one of the most popular vehicles for cyber crime. Phishing, business email compromise (BEC) and accounts payable scams are persistent threats for most businesses. But email is not just a means to a criminal end. Email accounts themselves, and specifically the rich data they contain, are also targets for cyber criminals.


With remote work assignments generating more messages than ever, every organization must take steps that balance email’s efficiency with security. This requires a combination of company-wide practices that emphasize the basics of account maintenance and access with automated tools that can filter criminals’ emails before they land in company inboxes.


The following three steps help explain the evolving cyber threat to email — and how you can improve your organization’s security.


Step 1: Understand how and why criminals target your emails


If they gain access to email accounts, sophisticated cyber criminals can mine them for many different types of information that reveal how a company operates, what protocols it follows and how employees interact.


As the line between personal and business email accounts has blurred, criminals may be able to harvest information from both our personal and professional lives. This can lead to identity theft, social engineering, insider trading and intellectual property theft.

"Both personal and business email accounts are giant repositories of data that cyber criminals can mine for myriad purposes."

Cyber criminals leverage a variety of strategies to gain access to email accounts, such as sending targeted spear phishing emails to deceive an individual into providing login information, using malware to infiltrate company networks, or spoofing an email account or domain to send authentic-looking emails to gain access. If hackers gain access to a user’s email account, they can use a number of tricks to keep their presence undetected, such as enabling auto-forwarding of incoming emails to an external address or setting up rules to automatically delete certain messages. In fact, a cyber criminal’s ability to leverage data harvested from the account and replicate their target’s language, personality, and organizational identifiers can make the intrusions extremely difficult to spot.


Step 2: Establish email best practices


The following steps should apply to all employees and email accounts:


  • Verify emails requesting sensitive information – All emails that involve financial transactions or other sensitive data should be confirmed through an alternate channel approved by company leadership.
  • Separate personal and professional email accounts – Even the smallest businesses should provide work email accounts for employees and encourage the separation of personal and work-related email to minimize exposure. Company email accounts should be used exclusively for professional purposes, and never used to create accounts on websites for personal use.
  • Manage account access – Requiring multifactor authentication is one of the simplest and most effective ways of protecting access to email accounts. Regular updates of robust passwords are also essential. Enabling alerts for activity such as unusual login locations can help detect breaches.
  • Disable automatic forwarding – Prohibiting the automatic forwarding of email to external domains prevents cyber criminals from exfiltrating email messages and the data contained within them.
  • Monitor inbox rules – In addition to ensuring that intruders aren’t covering their tracks by using rules to auto-send messages or divert suspicious ones to trash, consider implementing rules that block macros and file extensions commonly used by malware.
  • Maintain phishing simulations and fraud education – Strong cyber defense depends on alert employees who are aware of current threats and their role in company security. Educate all employees on the fundamentals of password best practices, including how to create strong passwords and prompts to change them on a regular basis.
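The "disable automatic forwarding" and "monitor inbox rules" items above can be checked automatically. The following script is an added example, not code from the article or from Bank of America: it audits an export of users' inbox rules and flags rules that forward mail to domains the organization does not own or that delete messages about finance and security topics. The rule schema, the keyword list and the sample rules are all constructed assumptions.

```python
# Audit mailbox inbox rules for the intruder behaviour described above.
# Constructed example: the rule records mimic an admin export of users'
# inbox rules; the field names are assumptions, not any vendor's schema.
from dataclasses import dataclass, field
from email.utils import parseaddr

# Subjects an intruder typically hides from the victim (assumed list).
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "wire", "password", "security alert")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    delete: bool = False                            # moves matches to trash or deletes them
    subject_contains: list = field(default_factory=list)


def is_external(address: str, internal_domains: set) -> bool:
    """True when the address's domain is not one the organization owns."""
    _, addr = parseaddr(address)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return domain not in {d.lower() for d in internal_domains}


def audit_inbox_rules(rules, internal_domains):
    """Return (mailbox, rule name, reason) for every rule that needs review."""
    findings = []
    for rule in rules:
        external = [a for a in rule.forward_to if is_external(a, internal_domains)]
        if external:
            findings.append((rule.mailbox, rule.name,
                             "forwards to external address(es): " + ", ".join(external)))
        hidden = [k for k in rule.subject_contains
                  if any(s in k.lower() for s in SUSPICIOUS_KEYWORDS)]
        if rule.delete and hidden:
            findings.append((rule.mailbox, rule.name,
                             "deletes messages whose subject contains " + ", ".join(hidden)))
    return findings


# Constructed sample export: two benign rules and two that match the
# auto-forwarding and message-hiding behaviour the article warns about.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Newsletters", subject_contains=["digest"]),
    InboxRule("cfo@example.com", "Backup", forward_to=["archive@mail-backup.net"]),
    InboxRule("ap@example.com", "Cleanup", delete=True, subject_contains=["Invoice"]),
    InboxRule("ap@example.com", "Team copy", forward_to=["team@example.com"]),
]
```

Running `audit_inbox_rules(SAMPLE_RULES, {"example.com"})` reports the "Backup" and "Cleanup" rules and leaves the internal forward and the newsletter rule alone.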


Step 3: Consider automated protocols for email security


In addition to implementing best practices, there are a number of emerging protocols that are helping to advance email security. Two of the most critical are Domain-based Message Authentication, Reporting and Conformance (DMARC) and Brand Indicators for Message Identification (BIMI).


DMARC is an email authentication protocol that helps organizations protect their domains from being spoofed. DMARC works by publishing a record in your domain’s DNS that tells receiving mail servers how to check messages claiming to come from your domain (via SPF and DKIM) and what to do with emails that fail that authentication — for instance, monitoring, quarantining or rejecting the email.


BIMI, on the other hand, builds on DMARC and the protocols beneath it to give recipients a visible signal that an email originates from a legitimate source. BIMI enables emails that have passed DMARC authentication checks to display a company logo, so that users can see at a glance that the email is genuine and the organization’s domain has not been spoofed. Not only does this help keep an organization’s partners safe from fraudulent emails, it also helps increase brand awareness by displaying a distinctive logo in each message.


Like every other security tool and protocol, BIMI and DMARC can’t eradicate business email spoofing. But they enhance security by helping to legitimize authentic emails and by creating a record and an enforcement policy for those rejected by the organization’s system. They do require some skill to implement and maintain, so businesses with limited internal IT resources may need to engage third-party providers.
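To make the DMARC and BIMI descriptions above concrete, here is an added example (not code from the article or from Bank of America) that parses a DMARC DNS record, reports what receiving servers will do with mail that fails authentication, and checks the prerequisite BIMI imposes on DMARC: an enforcing policy (quarantine or reject) applied to all mail, with subdomains not left at none. The records in EXAMPLES are constructed for illustration and do not belong to a real domain.

```python
# Parse a DMARC record and judge what receivers will do with mail that
# fails authentication, then check BIMI's prerequisite of an enforcing policy.
# Added example; the records in EXAMPLES are constructed, not real domains'.

DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record (v=DMARC1 missing)")
    if tags.get("p") not in DMARC_POLICIES:
        raise ValueError(f"invalid or missing policy tag: p={tags.get('p')!r}")
    return tags


def assess_dmarc(record: str) -> dict:
    """Summarise the policy and whether it meets BIMI's DMARC requirement as
    checked here: p=quarantine or p=reject with pct=100, and sp not set to none."""
    tags = parse_dmarc(record)
    policy = tags["p"]
    subdomain_policy = tags.get("sp", policy)   # sp= defaults to the p= value
    pct = int(tags.get("pct", "100"))            # share of failing mail the policy applies to
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {
        "policy": policy,
        "action_on_failure": {"none": "deliver, report only",
                              "quarantine": "send to spam/junk",
                              "reject": "refuse at SMTP time"}[policy],
        "reports_enabled": "rua" in tags,        # aggregate reports reveal who spoofs you
        "enforcing": enforcing,
        "bimi_ready": enforcing and subdomain_policy != "none",
    }


# Constructed records showing the usual rollout stages: monitor, partial, enforced.
EXAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
}
```

Only the "enforced" record is reported as BIMI-ready; the monitor-only record still gets aggregate reports, which is the stage at which most organizations discover who is sending mail in their name.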

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.