Should You Encrypt Email Addresses as in a Database?

Posted in Business, Cybersecurity

Cyber Security is a serious business these days. The move to remote working and working from home has exposed many more companies' infrastructure to potential malware or hack attacks. Installation and configuration of Cyber Security hardware and software to support the protection of the corporate network and its data during remote access is becoming more and more vital every day.

Hacking and other malpractices are on the rise around the world, and email is often used as a means of finding an entry to corporate networks. Ransomware in particular has shown a significant increase. While most organisations use sophisticated electronic countermeasures, the FBI has said that the greatest threat lies between the keyboard and the back of the chair, since user errors account for a high percentage of all successful malware attacks.

Cybersecurity Malpractices

While the focus is often on network issues and the cyber security policies and procedures around them, an equally important area is the protection of company information from theft and hijacking.  Something as simple as an email address list could provide the raw material for a spam or phishing attack.

The answer to the question “Should you encrypt email addresses as in a database?” is simple: yes, you should, particularly if the organization operates in an environment in which sensitive material is stored and handled. That type of organisation can range from finance houses and research centres to an e-commerce application holding customer financial and contract information.

Domestic users should also encrypt the email addresses in their contacts to reduce spam mail.

A further issue is that there can be quite a gap between the data breach of stealing an email address book and detection of the theft.  A lot of damage could happen in that interval.

Here are some tips on why and how encryption of e-mail addresses is advisable.

Spam and phishing


While spam is not always strictly a threat, everyone is inundated with large amounts of spam mail, some of which is phishing mail, intended to encourage you to part with credentials to financial websites. Encrypting an email address list will stop it from being used in robot mailers and reduce the number of spam and phishing messages. Apart from unsolicited sales pitches and inappropriate requests, spam mail is also used to deliver malware.

Phishing emails are designed to look safe, in that they appear to come from a trusted source. Opening a spam or phishing mail and clicking on a link can take you to a fake website where malware automatically downloads and installs to your device. A variant is where opening an email attachment installs the malware which is embedded in it.

The email addresses used in spam and phishing emails are taken from contact lists stolen from websites or bought on the dark web.  Encrypting contact lists can stop this process, and reduces the amount of spam and phishing email sent around the Internet.

Spearphishing


A variant of phishing is spearphishing. Spam and phishing emails are generally sent to tens, if not hundreds of thousands of recipients.  The hacker hopes that a small number will be successful. Spearphishing, in contrast, is sent to a small number of targeted individuals, often as a personalized email from a known source.

The email addresses are picked up from corporate websites, sometimes on “Contact Us” pages and sometimes on “About Us” pages. The key here is not to display the contact details of senior executives. If they are included in corporate email contact lists and address books, again a good security measure is to encrypt them.

How to encode email addresses


At a personal level, encoding is quite simple, and as a consequence quite easily circumvented. Three ways:

  1. Brackets;

    If your email is fred@xyz.com, use fred (at) xyz.com to fool the email harvesters, scrapers and hunters. This trick doesn’t always work: harvesters simply look for (at) instead of @.

  2. Email encoding addons; and

    There are many commercially available addons to common email packages that encode email addresses in hexadecimal form, again fooling the collectors.

  3. Online email encoders.

    More sophisticated techniques might be needed in some environments.  These usually take the form of add-ons to browsers such as Chrome or email managers like Outlook.  As you write the email, any email addresses are encoded, stopping them from being harvested.

    For more stringent encoding, applications are available that use the PGP standard to encode the entire message but require that the recipient has a decryption key.

    Finally, there are specific addons for website design services like WordPress that encrypt any email addresses included in the website.

In short, it is highly advisable to encrypt your email address database.  It protects against spam and phishing and reduces the amount of unsolicited mail reaching your inbox.
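
One way to apply this recommendation to a database column, as an added example that is not from the original article: each address is encrypted with AES-256-GCM, and a separate HMAC-SHA256 blind index is stored beside it so a row can still be found by address without decrypting the table. The function names, the `email_enc`/`email_idx` labels and the demo keys are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// BlindIndex is a keyed hash stored beside the ciphertext so a row can be found by address.
func BlindIndex(indexKey []byte, email string) string {
	m := hmac.New(sha256.New, indexKey)
	m.Write([]byte(strings.ToLower(strings.TrimSpace(email)))) // normalise before hashing
	return fmt.Sprintf("%x", m.Sum(nil))
}

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEmail returns nonce || ciphertext || tag for the e-mail column.
func EncryptEmail(gcm cipher.AEAD, email string) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(email), nil), nil
}

// DecryptEmail fails if the stored value was altered or the key is wrong.
func DecryptEmail(gcm cipher.AEAD, stored []byte) (string, error) {
	if n := gcm.NonceSize(); len(stored) >= n {
		pt, err := gcm.Open(nil, stored[:n], stored[n:], nil)
		return string(pt), err
	}
	return "", fmt.Errorf("stored value too short")
}

func main() {
	gcm, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key, never use in production
	ct, _ := EncryptEmail(gcm, "fred@xyz.com")
	fmt.Printf("email_enc=%x\nemail_idx=%s\n", ct, BlindIndex([]byte("constructed-index-key"), "fred@xyz.com"))
}
```

The encryption key and the index key should be different keys held outside the database, so that a stolen table dump alone reveals neither the addresses nor a way to test guesses against the index.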
