The single biggest threat to your business’s online security is malicious emails. As owners and managers, it’s up to you to require email security best practices among your employees and institute a security-minded culture within your organization.
Contrary to popular myth, the most effective hacking techniques require almost no technical skill. A hacker only needs an internet connection, an email account, and a knack for deception. Phishing email attacks(new window) remain the most common and devastating attack vector. These attacks use various social engineering strategies and target end users (i.e. your employees) rather than infrastructure.
These attacks have become so widespread that the FBI put out a public service announcement in 2022, calling business email compromise “The $43 Billion Scam(new window).” Filings with financial institutions between June 2016 and December 2021 revealed compromised business emails impacted more than 240,000 victims in all 50 states and 177 countries.
In this article, we explain how implementing email security best practices can minimize your organization’s vulnerability.
Email security best practices
Given that hackers tend to exploit human mistakes rather than technical ones, your company’s security policy should emphasize each employee’s role in preventing cyberattacks. Here are the main points you may want to focus on:
1. Education
The most important thing you can do is keep security a priority among your team. Start by understanding the common phishing attacks(new window) and share updates and reminders with your employees regularly. We’ve published articles documenting new kinds of phishing scams(new window). You might want to share examples of attacks you receive with your team to keep them alert.
2. Limit public information
Attackers cannot target your employees if they don’t know their email addresses. Don’t publish non-essential contact details on your website or on any public directories, including phone numbers or physical addresses. All these pieces of information can help attackers engineer an attack.
It’s good practice to limit the number of people who know your real email address. Proton allows you to create multiple email addresses (including email addresses using your company’s custom domain with a Proton for Business plan). Additionally, hide-my-email aliases(new window) in Proton Mail are a way to protect your identity, control spam, and prevent phishing.
Hide-my-email aliases are unique, randomly generated email addresses you can share publicly instead of your real email address, meaning you can create accounts, receive emails, and reply in your Proton Mail mailbox without revealing your identity.
A Proton Business plan will give you an unlimited number of aliases to create as many as you need. You’ll find your hide-my-email aliases in our new Security Center in Proton Mail.
3. Carefully check emails
Phishing attacks are seldom perfectly executed. Often there’s a tell, such as a bizarre address (e.g. service145@mail.145.com), unusual links (e.g. amazon.net.ru), or a high number of typos or formatting mistakes in the text. If it looks suspicious, employees should report it.
4. Beware links and attachments
Your employees should be skeptical anytime they receive an email from an unknown sender. Do not click on links or download attachments without verifying the source first and establishing the legitimacy of the link or attachment. Attachments are especially dangerous because they may contain malware, such as ransomware(new window) or spyware, that can compromise the device or network.
5. Hover over hyperlinks
Never click on hyperlinked text without hovering your cursor over the link first to check the destination URL, which should appear in the lower corner of your window. Sometimes the hacker might disguise a malicious link as a short URL. You can retrieve the original URL using this tool(new window).
6. Never enter your password
Unless you’re 100% certain the website is legitimate, you should never enter your password anywhere. If you aren’t logging in to your account and you haven’t requested to reset your password, then password reset links are likely part of a phishing attack. Password managers, in addition to helping you use strong, unique passwords(new window), can detect fake websites for you.
If in doubt, ask. It’s better to be safe than sorry. Your employees should be instructed to check with IT staff or a manager any time they have doubts about an email.
7. Enable two-factor authentication (2FA)
As another line of defense against account compromise, Proton allows you to enable two-factor authentication(new window) (2FA)or make it mandatory for your org. When enabled, 2FA requires you to enter a six-digit code generated on your smartphone before gaining access to your account, in addition to your username and password. This assures that even if hackers learn your password, they would still be prevented from logging in.
8. Monitor authentication logs
Authentication Logs are another special security feature in Proton Mail. This allows you to check whether someone else has access to your account. If someone else does have access or if you accidentally stayed logged in on a device you don’t control, you can log out of other sessions remotely.
9. Use a VPN
The virtual private network (VPN) was originally developed to let remote workers securely access corporate intranets as though they were physically connected to their office’s local area network (new window)(LAN).
Many businesses may find it useful to provide employees individual VPN subscriptions to give them the ability to access the internet privately.
Proton VPN for Business (new window)encrypts the online traffic of your business to provide an extra layer of defense against hacking and surveillance. When you connect to Proton VPN’s unique Secure Core architecture(new window), your internet traffic is routed to a VPN server in a privacy-friendly country, such as Switzerland, Iceland, and Sweden. That means any third party monitoring your traffic will only be able to trace it back to the edge of Proton’s VPN network, allowing you to conduct business with a strong sense of security and privacy.
A VPN for your business could be particularly useful for employees who must travel across international borders, where governments are increasing internet restrictions and content censorship(new window), making it difficult to use the internet freely. With Proton VPN, you can bypass region blocks and censorship, allowing you to access the content you need to do your work while being safe and private.
10. Use a secure email service
Security training is your best defense, but it isn’t the only defense. It’s important to choose an email service provider that takes security seriously. As a privacy-first alternative to platforms like Microsoft and Google, Proton Mail uses advanced encryption to make sure nobody — not even Proton — can access your data. We have also implemented a number of unique security features designed to minimize the threat of email-based attacks on your small business, including several dedicated anti-phishing technologies(new window).
Using Proton Mail is just like using any other email provider, so you won’t need to do any training or onboarding with your team. All the encryption happens automatically, with no extra steps.
Protect your business with Proton
A Proton for Business plan includes Proton Drive, Proton Pass, and Proton VPN. With these tools, you can store and share files securely, manage your team’s login details and bank cards, and ensure your internet connection is private. Launching the suite of tools that comes with your Proton for Business plan is a straightforward process with a few easy steps.
We offer two plans:
- Proton Mail Essentials: Our simplest plan offers secure email with 15 GB of total storage and 10 addresses per user, support for three custom email domains, and basic VPN access on one device per user. This plan also includes basic features for Proton Pass and Proton Drive.
- Proton Business: Our upgraded business plan gives you secure email with 500 GB of storage and 15 email addresses per user, support for 10 custom email domains, and the highest speed VPN on 10 devices per user with more servers worldwide and extra security features. This plan also includes all Proton Pass and Proton Drive functionality.
Read all about our business plans
We built our user-friendly platform with familiarity and ease of use in mind. We have published a number of resources on our website, including this safe email guide(new window) and resources about the GDPR and HIPAA, that can help guide your organization’s security policy.
By following the email security best practices above and choosing a security-focused email service, you can significantly reduce your chance of falling victim to an email attack and keeping your business safe.
