Email Security Best Practices & Protocols to Keep You Safe

Multiple layers of authentication and oversight may be needed to ensure the legitimacy of all email interactions.
Email protocols like DMARC and BIMI should become standard security tools in organizations of all sizes.
Businesses should continue to educate employees about evolving email threats and invest in training, such as phishing simulations.

Email continues to be the backbone of business communication in almost every industry — and one of the most popular vehicles for cyber crime. Phishing, business email compromise (BEC) and accounts payable scams are persistent threats for most businesses. But email is not just a means to a criminal end. Email accounts themselves, and specifically the rich data they contain, are also targets for cyber criminals.

With remote work assignments generating more messages than ever, every organization must take steps that balance email’s efficiency with security. This requires a combination of company-wide practices that emphasize the basics of account maintenance and access with automated tools that can filter criminals’ emails before they land in company inboxes.

Watch the following video on BEC and read about three steps that help explain the evolving cyber threat to email — and how you can improve your organization’s security.

Business email compromise, or BEC, is one of the most effective cyber crimes, and it can be very difficult to detect.

Scammers may use a number of tactics, including phishing emails, social engineering or hacking, to trick employees into downloading malware or revealing company or financial information.

Many BEC attempts target accounts payable employees, or decision-makers who have authority to access financial details and approve transactions.

But make no mistake: Every employee must remain vigilant and aware of evolving BEC threats.

In some cases, criminals will first compromise a third-party email account, such as a vendor’s, or the email of an employee who doesn’t handle financial information.

Then they can execute BEC crimes by using the third-party email address to target other employees’ accounts or access company networks.

Also bear in mind that any company, of any size, can be a target.

[Visual: Best practices for every employee]

That’s why every company needs to create and share email best practices with every employee.

These practices are particularly important when it comes to any email that includes account changes payment instructions or sensitive company information.

These are 6 best practices to follow:

[Visual: 1. Always stay alert]

First, always stay alert. Criminals count on human error and lack of oversight to help them pull off many scams.

Even if the sender’s address, request and tone seem normal, don’t assume the email is legitimate.

Take time to verify the sender’s identity through another channel.

[Visual: 2. Establish protocols]

Number two, establish protocols. If you work with vendors, establish protocols with them that govern how you’ll accept and validate changes in payment instructions.

Look carefully at vendor contracts, and make sure these protocols are outlined in them, along with steps you might take to handle non-compliant requests.

[Visual: 3. Validate email requests]

Number three, validate email requests. Don’t respond to emails that contain instructions for changes in payment processes.

Instead, follow established protocols for responding to these types of requests.

[Visual: 4. Create secure processes]

Number four, create secure processes. Employees should be able to slow down payment approvals without undue pressure.

Implement dual approval payment processes, and set up alerts for payments above certain thresholds.

[Visual: 5. Use available tools, such as DMARC]

Number five, use available tools.

Domain-based messaging, authentication, reporting and conformance, or DMARC, is a protocol that helps authenticate the origin of your emails, and helps you track any use of your company’s email domain.

This can help prevent BEC, especially by criminals who try to spoof your company’s identity to trick others.

DMARC can also be utilized on inbound emails to help prevent domain-spoofed emails from reaching your employees.

In addition to DMARC, a tool called Brand Indicators for Messaging Information, or BIMI, can help your email recipients trust that communications from your company are legitimate.

BIMI does this by populating inboxes with a verified, trademarked brand logo.

This can provide your customers and partners with a visual cue that indicates the email has been properly authenticated.

[Visual: 6. Create secure processes]

And finally, number six, create a cyber-aware culture at work.

Encourage all employees to practice cyber hygiene and use all opportunities to reinforce the idea that your company’s security is everyone’s responsibility.

Step 1: Understand how and why criminals target your emails

If they gain access to email accounts, sophisticated cyber criminals can mine them for many different types of information that reveal how a company operates, what protocols it follows and how employees interact.

As the line between personal and business email accounts have blurred, criminals may be able to harvest information from both our personal and professional lives. This can lead to identity theft, social engineering, insider trading and intellectual property theft.

"Both personal and business email accounts are giant repositories of data that cyber criminals can mine for myriad purposes."

Cyber criminals leverage a variety of strategies to gain access to email accounts, such as sending targeted spear phishing emails to deceive an individual into providing login information, using malware to infiltrate company networks, or spoofing an email account or domain to send authentic-looking emails to gain access. If hackers gain access to a user’s email account, they can use a number of tricks to keep their presence undetected, such as enabling auto-forwarding of incoming emails to an external address or setting up rules to automatically delete certain messages. In fact, a cyber criminal’s ability to leverage data harvested from the account and replicate their target’s language, personality, and organizational identifiers can make the intrusions extremely difficult to spot.

Step 2: Establish email best practices

The following steps should apply to all employees and email accounts:

Verify emails requesting sensitive information – All emails that involve financial sensitive data should be confirmed through an alternate channel approved by company leadership.
Separate personal and professional email accounts – Even the smallest businesses should provide work email accounts for employees and encourage the separation of personal and work-related email to minimize exposure. Company email accounts should be used exclusively for professional purposes, and never used to create accounts on websites for personal use.
Manage account access – Requiring multifactor authentication is one of the simplest and most effective ways of protecting access to email accounts. Regular updates of robust passwords are also essential.
Enabling alerts for activity such as unusual login locations can help detect breaches.
Disable automatic forwarding – Prohibiting the automatic forwarding of email to external domains prevents cyber criminals from exfiltrating email messages and the data contained within them.
Monitor inbox rules – In addition to ensuring that intruders aren’t covering their tracks by using rules to auto-send messages or divert suspicious ones to trash, consider implementing rules that block macros and file extensions commonly used by malware.
Maintain phishing simulations and fraud education – Strong cyber defense depends on alert employees who are aware of current threats and their role in company security. Educate all employees on the fundamentals of password best practices, including how to create strong passwords and prompts to change them on a regular basis.

Step 3: Consider automated protocols for email security

In addition to implementing best practices, there are a number of emerging protocols that are helping to advance email security. Two of the most critical are domain-based messaging authentication reporting and conformance (DMARC) and brand indicators for message identification (BIMI).

DMARC is an email authentication protocol that helps organizations protect their domains from being spoofed. DMARC prevents spoofing by registering your domain and authentication details with email servers and providing instructions on what to do with emails that fail the authentication — for instance, locking, quarantining or rejecting the email.

BIMI, on the other hand, leverages DMARC and other protocols to provide means to authenticate emails that originate from a legitimate source. BIMI enables emails that have passed DMARC authentication checks to display a company logo, so that users can see at a glance that the email is genuine and the organization’s domain has not been spoofed. Not only does this help keep an organization’s partners safe from fraudulent emails, it also helps increase brand awareness by displaying a distinctive logo in each message.

Like every other security tool and protocol, BIMI and DMARC can’t eradicate business email spoofing. But they have enhanced security by helping to legitimize authentic emails and creating a record and enforcement policy for those rejected by the organization’s system. They do require some skill to implement and maintain, so businesses with limited internal IT resources may require third parties.

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.

Fraud and Cyber Security

Insights to protect your business from cyber threats

How cyber criminals engineer deception online

Learn tips on how to defend against “Social engineering”

This increasingly common scam can be costly for you or your company. Here’s how to spot the five telltale signs of a phishing email.

Cyber Security Journal

Security. It's in our nature. The threats never rest, and neither do we. We arm you with education against fraud and a team that’s dedicated to keeping your business secure.