Email security is the practice of preventing email-based cyber attacks, protecting email accounts from takeover, and securing the contents of emails. Email security is multifaceted and may require several different layers of protection.
Email security is the process of preventing email-based cyber attacks and unwanted communications. It spans protecting inboxes from takeover, protecting domains from spoofing, stopping phishing attacks, preventing fraud, blocking malware delivery, filtering spam, and using encryption to protect the contents of emails from unauthorized persons.
Security and privacy were not built into email when it was first invented, and despite email's importance as a communication method, these are still not built into email by default. As a result, email is a major attack vector for organizations large and small, and for individual people as well.
Some of the common types of email attacks include:
Email domain spoofing is important in several types of email-based attacks, as it allows attackers to send messages from legitimate-seeming addresses. This technique allows attackers to send an email with a forged "from" address. For example, if Chuck wants to trick Bob with an email, Chuck might send Bob an email from the domain "@trustworthy-bank.com," even though Chuck does not really own the domain "trustworthy-bank.com" or represent that organization.
Phishing is an attempt to steal sensitive data, typically in the form of usernames, passwords, or other important account information. The phisher either uses the stolen information themselves, for instance to take over the user's accounts with their password, or sells the stolen information.
Phishing attackers disguise themselves as a reputable source. With an enticing or seemingly urgent request, an attacker lures the victim into providing information, just as a person uses bait while fishing.
Phishing often takes place over email. Phishers either try to trick people into emailing information directly, or link to a webpage they control that is designed to look legitimate (for instance, a fake login page where the user enters their password).
There are several types of phishing:
An email security strategy can include several approaches for blocking phishing attacks. Email security solutions can filter out emails from known bad IP addresses. They can block or remove links embedded within emails to stop users from navigating to phishing webpages. Or, they can use DNS filtering to block these webpages. Data loss prevention (DLP) solutions can also block or redact outgoing messages containing sensitive information.
Finally, an organization's employees should receive training on how to recognize a phishing email.
Email attachments are a valuable feature, but attackers use this email capability to send malicious content to their targets, including malware.
One way they can do this is by simply attaching the malicious software as an .exe file, then tricking the recipient into opening the attachment. A far more common approach is to conceal malicious code within an innocent-seeming document, like a PDF or a Word file. Both these file types support the inclusion of code — such as macros — that attackers can use to perform some malicious action on the recipient's computer, like downloading and opening malware.
Many ransomware infections in recent years have started with an email attachment. For example:
Part of email security involves blocking or neutralizing these malicious email attachments; this can involve scanning all emails with anti-malware to identify malicious code. In addition, users should be trained to ignore unexpected or unexplained email attachments. For web-based email clients, browser isolation can also help nullify these attacks, as the malicious attachment is downloaded in a sandbox separate from the user's device.
Spam is a term for unwanted or inappropriate email messages, sent without the recipient's permission. Almost all email providers offer some degree of spam filtering. But inevitably, some spam messages still reach user inboxes.
Spammers gain a bad "email sender reputation"* over time, leading to more and more of their messages getting marked as spam. For this reason they are often motivated to take over user inboxes, steal IP address space, or spoof domains in order to send spam that is not detected as spam.
Individuals and organizations can take several approaches to cut down on the spam they receive. They can reduce or eliminate public listings of their email addresses. They can implement a third-party spam filter on top of the filtering provided by their email service. And they can be consistent about marking spam emails as spam, in order to better train the filtering they do have.
*If a large percentage of a sender’s emails are unopened or marked as spam by recipients, or if a sender’s messages bounce too much, ISPs and email services downgrade their email sender reputation.
Attackers can use a stolen inbox for a wide range of purposes, including sending spam, initiating phishing attacks, distributing malware, harvesting contact lists, or using the email address to steal more of the user's accounts.
They can use a number of methods to break into an email account:
Using multi-factor authentication (MFA) instead of single-factor password authentication is one way to protect inboxes from compromise. Enterprises may also want to require their users to go through a single sign-on (SSO) service instead of logging directly into email.
Encryption is the process of scrambling data so that only authorized parties can unscramble and read it. Encryption is like putting a sealed envelope around a letter so that only the recipient can read the letter's contents, even though any number of parties will handle the letter as it goes from sender to recipient.
Encryption is not built into email automatically; this means sending an email is like sending a letter with no envelope protecting its contents. Because emails often contain personal and confidential data, this can be a big problem.
Just as a letter does not instantly go from one person to another, emails do not go straight from the sender to the recipient. Instead, they traverse multiple connected networks and are routed from mail server to mail server until they finally reach the recipient. Anyone in the middle of this process could intercept and read the email if it is not encrypted, including the email service provider. However, the most likely place for an email to be intercepted is close to the origin of the email, via a technique called packet sniffing (monitoring data packets on a network).
Encryption is like putting a sealed envelope around an email. Most email encryption works by using public key cryptography (learn more). Some email encryption is end-to-end; this protects email contents from the email service provider, in addition to any external parties.
The Domain Name System (DNS) stores public records about a domain, including that domain's IP address. The DNS is essential for enabling users to connect to websites and send emails without memorizing long alphanumeric IP addresses.
There are specialized types of DNS records that help ensure emails are from a legitimate source, not an impersonator: SPF records, DKIM records, and DMARC records. Email service providers check emails against all three of these records to see if they are from the place they claim to be from and have not been altered in transit.
The Cloudflare Email DNS Security Wizard helps domain owners quickly and correctly configure these crucial DNS records. To learn more, see our blog post.
Many email providers have some built-in phishing protection (and the DNS records listed above are usually one of the signals they look at for blocking phishing attempts). However, phishing emails still regularly get through to user inboxes. Many organizations employ additional phishing protection to better defend their users and networks.
Cloudflare Area 1 Email Security offers cloud-based phishing protection. Cloudflare Area 1 discovers phishing infrastructure in advance and analyzes traffic patterns to correlate attacks and identify phishing campaigns. Read in more detail about how this anti-phishing service works.