Why email traffic is vulnerable without S/MIME

It is impossible to run a business without email. It is a simple fact. Cross-industry companies rely on e-mail as an indispensable communication method to keep employees in contact with customers, partners, providers and of course with each other.

However, email communication also has disadvantages. Messages and attachments can be spied on, modified, and forged, exposing businesses and organizations to a variety of spear phishing attacks that can result in the loss of business secrets, confidential information, or even money from corporate accounts. What’s worse, these incidents can also put companies in a non-compliance status.

The potential for damage is very real here. According to a recent FBI report, $ 12 billion in fraud has been lost since 2013 due to 78,000 Business Email Compromise (BEC) attacks – a special form of spear phishing attack that causes spear phishers to lose money is sent. And those are just the incidents that have been reported, suggesting that the actual number is likely to be much higher. In fact, the losses from BEC attacks are higher than with any other form of cyber-enabled crime. This is a clear indication that email security must be one of the main concerns of companies in the area of ​​cyber security.

Spear phishing attacks come in many forms, but the most common form is to pretend to be someone in the organization – probably as a CEO, CFO, or other leader. Employees in departments such as finance or human resources may receive an email urgently requesting that a payment be processed or that confidential information be disclosed. The sender claims to be unavailable to confirm the authenticity of the request.

This may seem straightforward, but cybercriminals can be underhanded. You may have heard of typographical errors in which criminals register domains that differ from legitimate domains, and register email addresses that appear authentic at first glance. The truth is that in many cases this is not even necessary. E-mail sender addresses are perfectly fake. This means that the phisher can simply insert the email address that is to be displayed in the sender field in the appropriate position in the email header. This is shown to the recipient. Even eagle-eyed people who guard against typing errors and other simple phishing methods may not recognize fraudulent emails if they come from a legitimate source.

Don’t worry, there is good news. Over the next few weeks, the Sectigo team will break down how companies can use digital certificates to deal with these (and similar) attacks. Secure e-mail certificate technology (S / MIME) for Internet mail expansion can solve the problems and weaknesses associated with e-mails, thus protecting a company from espionage and protecting its employees from e-mail-dependent social – Improve engineering attacks. S / MIME differs from standard email protection programs such as antivirus programs in that it checks the sender and does not simply analyze an email for threats it has received. It also protects the content of emails during transmission.

How does S/MIME works?

There are three different ways to improve the security profile of email communications.

  • It verifies the authenticity of the sender and confirms that the sender is the one the person claims.
  • S/MIME also encrypts all content and attachments in e-mails and thus prevents malicious software from intercepting and reading the e-mail communication during transmission.
  • The protocol also ensures integrity, ensures that sent e-mails remain unchanged, and gives recipients the certainty that the messages and attachments received are identical to those sent.

This ongoing blog series explores specific ways that companies and organizations can use S/MIME technology, including to prevent spear phishing and to comply with information security regulations such as GDPR and HIPAA. As more and more companies use this important technology, understanding the many applications helps to get a more complete picture of the value of S/MIME.

Comments are closed.