How to protect your email from cyberattacks

A step by step guide

The numbers are overwhelming. Ten million malicious emails are prevented by Google every 60 seconds. Hold Security discovered a cache of 272.3 million hacked email accounts last year from major providers around the world, and more than half a billion personal records were stolen or lost in 2015, an increase of 23 percent from previous years, according to the 2016 Internet Security Threat Report (ISTR).

The increase in cybersecurity threats is alarming, and given the statistics, it is difficult to feel assured that our digital lives are secure. Cybersecurity should no longer be only a concern for states, businesses and public figures. It should be a major concern for every single person.

Step one: Acknowledge the threat

Alarmingly, too many people are neither concerned with nor aware of the seriousness of the problem. They adopt the attitude that it will never happen to them as they have nothing to hide. There is no need to be harboring state secrets, however, to exercise a minimum level of privacy, protection and security. Internet users should start to actively look for ways to protect themselves. The internet’s reach and scope are increasing exponentially, and organized criminal groups on the dark web are constantly on the lookout for new techniques to hack their targets, while by and large our security threshold remains the same.

The consequences of this could be devastating. John McAfee, founder of Intel Security Group, a global computer security company, has warned: “An email hack can destroy our digital world, and we won’t see it coming.” Estimates from various hacking groups say that passwords for 75 percent of the world’s email accounts are available for purchase on the dark web. Beyond that, there are thousands of videos, tutorials and software tools online on how to hack into emails, social media accounts, smartphones and other devices.

Step two: Secure your password and devices

It goes without saying that the first step is to have a strong password that is a mixture of uppercase and lowercase letters, numbers and symbols. Security experts warn against reusing the same password over separate accounts, and some suggest changing passwords often to add an extra layer of protection.

Other safety steps include: installing a well-known antivirus, installing software updates as soon as they are released, avoiding public PCs, being cautious of public Wi-Fi at airports, coffee shops and other locations, and opting for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) when available. Also, it is best to use two-factor authentication when possible.

Regarding email addresses, avoid easy-to-guess addresses such as john.smith@gmail.com. Instead, add random numbers and characters, and avoid posting your email address on the internet on blogs, websites and social media. Any hacker who knows an email address can click on the forgot password link in the webmail and try to guess the answers to the security questions, so make sure to give obscure answers.

If you do want people to contact you online, one trick is to post your email address as a picture instead of having it written as text; address-harvesting spam software is not able to decode images. Avoid replacing the @ with (at) or .com with (dot) com in an email address; while people think this tricks spambots, it is in fact very easy to decode.

Step three: Secure your email

The hack of Democratic Party officials during the United States presidential elections was global news, not just for its political impact, but also because of the cybersecurity concerns it raised. If those emails had been protected with the latest level of encryption, hackers would not have been able to read their content.

The two most commonly used encryption protocols are Pretty Good Privacy (PGP) and its newer successor, Secure/Multipurpose Internet Mail Extensions (S/MIME). Although you can use the older PGP protocol, cybersecurity experts advise using the S/MIME protocol if possible, as it is much more secure and offers authenticity (explained below), which you do not find with PGP.

S/MIME consists of two security services: digital signature and encryption. These two services combined offer a high level of email security. A digital signature is a unique code added to your email that proves authorship and assures the receiver that it didn’t come from someone pretending to be you, and that the email has not been edited or changed during its transit.

Using a digital signature alone is not enough, however, as your email will be traveling between servers in plain text, making it very easy for hackers to intercept and read. Here, the role of encryption in S/MIME comes into play. Encryption makes your email unreadable to everyone except the intended recipient.

Setting up email encryption can be a laborious process, however. Below is Executive’s guide to securing Outlook, Hotmail and Gmail email accounts.

Microsoft Outlook desktop application for Windows

1. Click on the File tab in Microsoft Outlook, then select Options -> Trust Center -> Trust Center Settings -> Email Security.

2. Under Digital IDs (Certificates) click on Get a Digital ID. Outlook then opens a page with a list of some of the certificate authorities (CAs) that are qualified to issue digital certificates. (Some CAs, such as COMODO and StartSSL, offer a free Digital ID; others you will have to pay for, at prices ranging from $5 per user a month to around $10 per user a month.)

3. Assuming you get your Digital ID from StartSSL, all you have to do is go to their website using the Mozilla browser and sign up for the free package; your digital ID is then ready to install. If it doesn’t install automatically, make sure to click on the Install button.

4. From the Mozilla menu bar, click on Tools -> Options -> Advanced -> View Certificates -> select the Your Certificates tab.

5. Locate your certificate under “SmartCom Ltd” and click on the backup button.

6. The browser will then prompt you to add a password in order to protect your certificate. (Make sure to remember the password, as there is no recovery option for it, and your certificate won’t work if you don’t provide the password. It’s also advisable to make a copy of the certificate file you have just downloaded and store it on a USB drive.) After you complete all the instructions below, delete the file from your computer; otherwise any person accessing your computer can take it and start sending emails on your behalf.

7. Going back to Outlook, click the Import/Export Digital ID button located under Digital IDs (Certificates) (see step two).

8. Under Import/Export Digital ID from a file, click on Browse and select the digital signature file that you just downloaded to your desktop.

9. Enter the same password that you used when backing up your digital signature in step six. Press OK and you will be returned to Email Security; there, press the Settings button located under Encrypted E-mail.

10. Click on the Choose button located in the Change Security Settings window to select the signing certificate. It might get selected automatically by Outlook; if not, browse and select it.

11. Press OK and then OK again.

12. Go back to Email Security -> under Encrypted E-mail, check Add digital signature to outgoing messages and then Send clear text signed messages when sending signed messages.

Now you can start sending digitally signed emails. If the receiver happens to use Outlook, they can recognize them by a small red certificate icon at the right of your email. Double-clicking on that icon will show whether the certificate is valid and trusted or not.

After setting up your digital signature, the next stage is encryption. Provided you have followed the steps above, this is a simple process: click to enable encryption in your Outlook. Encryption is a two-way process, meaning that the sender and the receiver should exchange their digital signatures by email and save these in their contacts. Only when digital signatures have been exchanged between the sender and the receiver can they start exchanging encrypted emails.

Hotmail webmail client

Outlook Web Access, which runs Hotmail, only supports S/MIME on Microsoft Windows® 2000 and Internet Explorer 6 or higher. This is provided you already have a digital ID, as explained in the steps above. Only then can you install the S/MIME control.

Once installed, you can use the gear menu > S/MIME settings to encrypt all messages. Simply select Encrypt contents and attachment of all messages I send and Add a digital signature to all messages I send.

Gmail webmail client

Gmail supports TLS connections, which means that the connection is secure and encrypted, but not the email itself. For the TLS protection to persist when an email travels to servers other than Google’s, those servers need to support TLS as well. It’s important to note that Gmail emails are stored as plaintext on Google’s servers, without any encryption. Back in 2010, a Google employee was fired after being caught using information from teenagers’ email accounts to stalk them. Since then, Google has taken some measures to increase its security locally, although Gmail emails are still stored as plaintext on its servers.

Currently S/MIME is only active for Gmail Enterprise and not for individual users, so Executive searched for an S/MIME add-on that would work on Gmail but found none. Gmail users can, however, make use of PGP encryption. As stated earlier, the PGP protocol is older than S/MIME. One of its drawbacks is that it doesn’t encrypt email headers, allowing a hacker to see who an email is addressed to, though its content stays encrypted. However, when a PGP-encrypted message is additionally carried over a TLS connection, the sender and receiver addresses are encrypted in transit as well. This solution ends up very secure, as emails are not only safely encrypted during transit, but are also stored encrypted on Google’s servers.

PGP relies on a pair of keys, a public key and a private key, which a user must own in order to receive encrypted emails. Those keys are generated by third-party companies that support PGP encryption. The public key encrypts the message while the private key decrypts it. Once a user has those keys, they must share their public key with other users, either by uploading it to special key servers or by sending it via email. Let’s say that A wants to send an encrypted email to B. A has to encrypt his email using B’s public key. When the encrypted email reaches B, he can decrypt it using his private key.
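The A-to-B exchange just described, together with the digital signature from the S/MIME section (proof of authorship and of an unmodified message), as an added example that is not code from the article or from any PGP product. It assumes Go’s standard-library RSA-OAEP and RSA-PSS stand in for the key roles that PGP and S/MIME play; the message text is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair makes one user's key pair; only &k.PublicKey is ever shared.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal is what A does for B: sign with A's private key (authorship and
// integrity), then encrypt with B's public key (confidentiality).
func Seal(msg []byte, from *rsa.PrivateKey, to *rsa.PublicKey) (ct, sig []byte, err error) {
	h := sha256.Sum256(msg)
	if sig, err = rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
	return ct, sig, err
}

// Open is what B does: decrypt with B's private key, then verify against A's
// public key. Tampering, a forged sender or the wrong recipient key all fail.
func Open(ct, sig []byte, to *rsa.PrivateKey, from *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, to, ct, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(from, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err
	}
	return msg, nil
}

func main() {
	a, b := NewKeyPair(), NewKeyPair() // A and B from the article
	ct, sig, _ := Seal([]byte("constructed sample message"), a, &b.PublicKey)
	msg, err := Open(ct, sig, b, &a.PublicKey)
	fmt.Printf("%q %v\n", msg, err)
}
```

Note that only the message body is protected here; as the article says of PGP, the addressing information around it stays visible unless the connection itself is also encrypted.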

There are many free PGP add-ons available online, and they make the process very easy for anyone to use; you just have to follow their instructions. Executive has tested Mailvelope and Enlocked add-ons for webmail clients (Gmail and Hotmail), and they proved very user friendly.

However, if you don’t want to bother with add-ons, browser compatibility and so forth, you can always switch to a webmail client such as ProtonMail, as the mail held on their servers can’t be decrypted (though ProtonMail has become so popular you might find yourself on a waiting list), or you can use a third-party company like DocuSign, where you can digitally sign and S/MIME encrypt your email before sending.

In order to be secure, you constantly need to stay up to date on the latest security releases, perform regular updates of your software, and encrypt not only your emails, but your computer, laptop and mobile as well. Act now, before you become the next victim. Stay secure, and stay safe.

2 Comments

  1. Frankie said:

    A fascinating discussion is worth a comment. I think that it is best to write more on this matter; it won’t be a taboo topic, however generally people are not enough to talk on such topics.

  2. erp in chennai said:

    Yes! Nice post, thanks for sharing. Actually, some days ago my email ID was hacked by an unknown person. After watching the location details, I changed the password.
