I recently received a missive that quoted Lamar Bailey, who leads Tripwire's Vulnerability and Exposures Research Team, in saying:
"Phishing attacks are becoming very sophisticated and timely. The attackers are using current events and trends to trick targets into installing malware or disclosing personal information that is used in follow-up attacks. The attacks can be very specific to the target, which makes them harder to detect. This attack adds another layer to make it appear more legitimate by trying to trick the ISP with fake notices in hopes that the ISP will forward them to the end users. If successful, the end user will be getting the fake notice from the real ISP, which adds to the credibility from the users' perspective. It may be time to re-evaluate email and start requiring PGP/GPG signing for communications between businesses and users."
I would add to that, in my best shout to the stars...
I've used encryption for a long time, but only recently have I started signing all outgoing messages by default. Why? Because attacks (spoofing, phishing, spam, etc.) are not only growing more and more common, they're becoming smarter and trickier to spot. To this end, I now sign every email...not just those related to business communications.
Consider this: On almost a daily basis, I receive emails from "Apple," "Google," and countless other companies claiming that I need to update my account information. For me, a quick hover over a link tells me everything I need to know. Some users, however, don't realize that's all it takes to see the email is not genuine.
This could very easily be avoided if businesses began taking advantage of encryption...even if only in the form of digital signatures. With a quick glance at the top of the email, the reader would know it was sent by the actual sender and not a spoofer. The integrity and authenticity of the email would be intact, and the reader could click away with confidence.
If your business is sending out email without a digital signature, you should change this practice now.
Add digital signatures to your security policy
Digitally signing all outgoing email should be in your company's security policy. Every employee who communicates using the company server should have, at the bare minimum, their emails digitally signed. Any employee sending sensitive company data should also up the ante with full-blown encryption (but that's another issue altogether).
Depending on your situation, you may have to generate PGP keys for every staff member within your company roster. Or, you might be able to get away with using a single company key for continuity. No matter which way you go, this should be put in place. The added security will be well worth your time, especially in the eyes of clients and customers.
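As an added example (not the author's code, and not tied to any particular mail client), the following POSIX shell script walks through the per-employee key step just described using GnuPG: it generates a signing key for one staff member in a throwaway keyring, clear-signs a notice, verifies it, and then shows that a copy edited after signing is rejected. It assumes the gpg binary (GnuPG 2.1 or newer) is on PATH; the signer identity and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article: generate a GnuPG signing key for one
# staff member in a throwaway keyring, clear-sign a message, verify it, and show
# that a tampered copy is rejected. Assumes the gpg binary (GnuPG 2.1 or newer)
# is on PATH. The identity below is constructed for the demo.
set -u

WORKDIR=$(mktemp -d)
export GNUPGHOME="$WORKDIR/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
# Stop the agent spawned for this keyring and delete the keyring on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORKDIR"' EXIT

SIGNER_EMAIL="signer@example.invalid"    # constructed staff identity

# Create a sign-only key non-interactively. %no-protection means no passphrase,
# which is acceptable only for a disposable demo key like this one.
make_key() {
    gpg --batch --quiet --list-secret-keys "$SIGNER_EMAIL" >/dev/null 2>&1 && return 0
    gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Signer
Name-Email: $SIGNER_EMAIL
Expire-Date: 0
%commit
EOF
}

# Clear-sign: the text stays readable and an ASCII-armored signature is appended,
# which is what a recipient's mail client checks.
sign_message() {   # $1 = plaintext file, $2 = output file
    gpg --batch --quiet --yes --local-user "$SIGNER_EMAIL" \
        --clearsign --output "$2" "$1" 2>/dev/null
}

# Verify a clear-signed file: exit 0 for a good signature, non-zero otherwise.
# gpg exits non-zero for BAD or missing signatures, so its status is the answer.
verify_message() {  # $1 = clear-signed file
    gpg --batch --quiet --verify "$1" >/dev/null 2>&1
}

# Simulate someone editing the notice after it was signed.
tamper() {  # $1 = signed file, $2 = output file
    sed 's/account review/password reset/' "$1" > "$2"
}

# Run the whole flow; returns 0 only if the genuine message verifies AND the
# tampered copy fails verification.
run_demo() {
    make_key || return 1
    printf 'Reminder: your account review is scheduled for Monday.\n' > "$WORKDIR/notice.txt"
    sign_message "$WORKDIR/notice.txt" "$WORKDIR/notice.asc" || return 1
    verify_message "$WORKDIR/notice.asc" || return 1
    tamper "$WORKDIR/notice.asc" "$WORKDIR/tampered.asc"
    if verify_message "$WORKDIR/tampered.asc"; then
        return 1
    fi
    return 0
}

if run_demo; then
    echo "genuine notice verified; tampered copy rejected"
else
    echo "demo failed (is gpg 2.1+ installed?)" >&2
fi
```

Two things the script makes visible that the policy text does not: a good signature only proves the message came from whoever holds that private key and was not altered afterwards, so recipients still need the sender's public key (published on a keyserver or the company website) and a mail client that actually checks it; and the "no passphrase, never expires" settings are demo shortcuts, whereas keys issued to real staff should carry a passphrase and an expiry date so a lost laptop does not become a permanent impersonation tool.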
This should be standard operating procedure
Digital email signatures and PGP should be adopted by everyone. We've reached the point where digital security is at a premium, and we should do everything we can to lock down our data and verify our communications. If everyone started working with digital signatures, fewer scams would be spread, or at least that task would become more challenging.
You may be thinking, "But I use Gmail, and Gmail doesn't support encryption or digital signing." Although that is true, there are ways around this. For instance, you can use the Thunderbird email client and install the Enigmail add-on so you gain the added benefits of PGP.
But it's so hard
Many users, and even some businesses, do not want to be challenged in any way—they don't want to add an extra step to the already tedious daily grind. The time has finally come when it's necessary to change this mindset.
According to The Radicati Group, over 205 billion emails a day were sent in 2015, and by 2019 that figure will reach over 246 billion a day. Even if only 1% of those emails are spoofs or phishing scams, that still comes out to just over 2 billion a day. That's a massive number of malicious emails.
But if you consider that in Q1 of 2015, the percentage of spam in email was nearly 60%, you start seeing a much uglier picture being painted—that picture will get worse. That's why the issue of digital email signatures (and in certain cases encryption) should not be brushed aside.
Security has become one of the most important concerns for businesses and individuals. Because of this, every company should be signing all outgoing email, and all end users should understand how this works and know how to add their signature to their personal accounts.
Make it happen
If you're not employing digital signatures for all outgoing company email, someone could spoof you. When that happens, trust is lost. Lose the trust of your customer base, and your bottom line suffers.
Make digital signatures and encryption happen now.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.