Any telco that maintains a consumer email platform, like it or not, carries a huge responsibility on their shoulders. Similar to a consumer’s expectation that their phone and internet should work 24/7/365, telco consumers depend on their email to work at all times. This is because email is not only a consumer’s fundamental source of digital identification, but it’s their unrivalled communications lifeline to friends, family, companies and organisations that they care about.
Parallel to this responsibility to provide a strong, stable and reliable email system, is a telco’s responsibility to protect their consumers – as best as possible – from email spam, scams, phishing and malware.
Whilst the extent of this protection might be the subject of debate (e.g. Should telcos be responsible for banishing everything bad from a consumer’s inbox, or should consumers share the responsibility to protect themselves?), the bottom line is that telcos possess email security know-how that most consumers do not, so at the very least, telcos should exercise a duty of care to educate consumers about email security, plus provide some basic level of protection for their email accounts.
1. Educate your email customers
It has long been true that email is one of the largest attack surfaces that a company exposes to would-be hackers. It is also the largest vector of attack, with more surface area than any other app in the residential/consumer environment. For this reason, it’s important to educate your email customers, so that they don’t knowingly engage in unsafe email practices that place both themselves (and you as their email provider) at risk of email security breaches. This is especially true in the current climate, where more and more of us are working from home, and malware has the potential to move across a customer’s home network to both home and work devices.
To educate your email customers, ideally your technical team should be working with your customer communications team, to share email security tips and lessons with your customers, so that they do not unknowingly fall foul of scammers, malware, and so on. Some example tips could include:
- Don’t click on links in the email if you are not sure what they are, or whether the email is genuine. And yes, this includes links claiming to be for government COVID-19 payments, coronavirus infection maps, or home delivery tracking of your lockdown parcels.
- Check the email address – for example, [email protected] is clearly not a legitimate Amazon account
- See if it’s urgent – urgency can be an alarm bell that an email is not legitimate, because bad cyber actors want people to act quickly, not think rationally
- Look at the greeting – generic greetings, that do not use your actual name and/or the correct salutation, can also be a sign that something is suspicious
- Do not reply – even if you think that you recognise the sender, do not reply to an email message if it seems suspicious
- Do not open any suspicious links or attachments – scam emails can put a virus on your smartphone or computer (remember, fake links may be mixed with genuine links to give the email a guise of authenticity)
- Call the sending company – if you’re not sure, phone the company on a number that you trust or verify on their website (by typing their web address directly into the address bar of a browser)
- Forward the message to your email provider – if they cannot verify it themselves, ask your customers to forward the message to your support team, who can confirm whether they believe the email to be genuine or spam
- Choose a strong password (and not one you use elsewhere) – and if your account is compromised and the password is reset for you, don’t change it back to the old password – because guess what, it will be hacked again (I have lost count of the number of times I have seen this over the years)
- Keep your computer software applications (especially antivirus programs) up to date (and ideally in auto-update mode) on your computer, so that you benefit from any security patches made by your software providers.
- If you are using a trial version of your antivirus software, make sure that it hasn’t lapsed, so that you are not left unprotected.
There are plenty of reputable companies sharing some intelligent tips for email security and remote working right now. Sophos’ Keeping You Secure Through The Coronavirus Pandemic page and Cisco’s Cybersecurity for Remote Workers document are two excellent places to start if you need inspiration for educating your email customers.
2. Protect your customer email accounts
With news that Google is blocking 18 million coronavirus scam emails every day, and similar reports (such as the UK National Cyber Security Centre’s COVID-19 advisory about malicious cyber actors) about recent phishing and malware incidents, there has never been a better time to rethink how you as a telco are protecting your customer email accounts, particularly in each of the following areas.
With approximately 300 billion spam emails sent per day, we know that telcos (like consumers) hate spam. Inbound spam irritates customers and increases the load on telco support desks (e.g. Why is my inbox full of spam? Or, what have you done so that now all of my legitimate emails are ending up in my spam folder?). Outbound spam can damage a telco’s all-important sender/IP reputation, which means destination servers could start to distrust you as a sender and block delivery of the mail you send them – and that inevitably results in your customers complaining about their inability to send emails, which is never a good outcome for anyone.
So, to protect both your platform and your customers, it’s important to offer:
(a) at the very least, a basic level of antispam protection for your customer email accounts; and,
(b) ideally, if you are serious about protecting your customers, a premium level of antispam protection (for outbreak detection in near real-time) – either as a free inclusion in your current email offering, or as a paid addition for the consumers who understand the benefits of premium antispam and are willing to pay for the privilege.
Interestingly, in our 300-hour research project of email pricing worldwide, we found that some consumers pay more for their premium antispam (and/or advanced email security options) than they do for their email address, so if your hesitation for introducing premium antispam has always been cost, you may like to consider offering a ‘user pays’ model for the segment of your platform users who are happy to pay for advanced protection.
Strong password policy (and potentially 2FA)
A strong email password policy is the simplest way to help protect both your customers and your email platform. Take the time to educate your customers about what constitutes a strong password, and ideally, design your email system to only accept strong passwords.
If you’re interested in strengthening the ID check further, you may wish to consider 2FA (Two-Factor Authentication), to provide a way of double-checking that your customers really are the people they claim to be when they log into their email account on your platform. If your current email solutions vendor does not offer 2FA, reach out and chat about their roadmap to see if/when it might become available.
If your telco does not offer malware detection, you would be wise to explore it as a free or paid option to protect your end users.
“Malware is one of the most serious security threats and spreads autonomously through vulnerabilities or carelessness of users. In order to protect a computer from infection or remove malware from a compromised computer system, it is essential to accurately detect malware.” (Source)
Likewise, if your telco does not offer antiphishing protection for some or all of your customer email accounts, now is a good time to reassess that need, given that Cyren, a trusted email security provider that blocks more than 300 million threats daily – for industry leaders such as Google, Microsoft, Cox, and Deutsche Telekom – describes phishing as today’s “number one security threat”.
To be clear, “Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication,” says Wikipedia. It is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email or other form of communication.
Time of Click
Time of Click protection provides a way to categorise URLs and block malware and phishing attacks at the time of URL click. It’s considered a premium security feature that you could introduce either for all customers on your email platform, or as part of an advanced security email package to the portion of your customers who are willing to pay for advanced security.
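To make the mechanism concrete, here is an added example (written for this post, not atmail’s or any vendor’s code) of the two halves of Time of Click protection: at delivery, every link in the message body is rewritten to a redirector carrying an HMAC-signed token; at click time, the redirector checks the token, recovers the original URL and consults the categorisation as it stands at that moment, so a site that was clean at delivery but is later classified as phishing is blocked. The redirector host, signing key, category table and sample message are constructed assumptions.

```python
"""Added example (not atmail's code): time-of-click link protection.
Delivery-time rewriting + click-time categorisation. The redirector,
key, category table and sample email body are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, unquote, urlparse

REDIRECTOR = "https://click.telco.example/go"        # assumed redirector
SIGNING_KEY = b"constructed-demo-key-rotate-in-prod"  # assumed secret
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BLOCKED_CATEGORIES = {"phishing", "malware"}

# Constructed categorisation feed: host -> category. In production this is
# the vendor's live URL-reputation lookup, which changes after delivery.
CATEGORIES: dict[str, str] = {}


def _sign(url: str) -> str:
    """Token binding the redirector to one exact URL (prevents open redirect)."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(body: str) -> str:
    """Delivery time: replace each http(s) URL with a signed redirector link."""
    def repl(m: re.Match) -> str:
        url = m.group(0)
        return f"{REDIRECTOR}?u={quote(url, safe='')}&s={_sign(url)}"
    return URL_RE.sub(repl, body)


def categorise(url: str) -> str:
    host = (urlparse(url).hostname or "").lower()
    return CATEGORIES.get(host, "unknown")


def resolve_click(u: str, s: str) -> tuple[str, str]:
    """Click time: verify the token, then decide using the *current* category.

    Returns ("allow", original_url) or ("block", reason)."""
    url = unquote(u)
    if not hmac.compare_digest(_sign(url), s):
        return "block", "invalid or tampered token"
    category = categorise(url)
    if category in BLOCKED_CATEGORIES:
        return "block", f"destination categorised as {category}"
    return "allow", url


def parse_click(link: str) -> tuple[str, str]:
    """Split a rewritten link back into its (u, s) query parameters."""
    q = parse_qs(urlparse(link).query)
    return q["u"][0], q["s"][0]


if __name__ == "__main__":
    # Constructed message: one genuine link and one that later turns bad.
    body = ("Track your parcel: https://tracking.courier.example/p/123\n"
            "Claim payment: https://gov-relief.bad.example/claim")
    rewritten = rewrite_links(body)
    print(rewritten)
    bad_link = URL_RE.findall(rewritten)[1]
    print(resolve_click(*parse_click(bad_link)))      # allow at delivery
    CATEGORIES["gov-relief.bad.example"] = "phishing"  # feed updates later
    print(resolve_click(*parse_click(bad_link)))      # now blocked
```

Signing the original URL into the token is what keeps the redirector from becoming an open redirect: a link that was not produced by the platform, or whose `u` parameter was altered, fails verification before any categorisation lookup happens.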
As a responsible telco that is interested in protecting both your customers, and the reputation and reliable operation of your email platform, there has never been a more perfect time to:
- Educate your email customers about email security; and
- Reconsider the level of email security that you offer (either free or user-paid) on your customer email accounts.
After all, CIOs lose enough sleep at night. The last thing they need during COVID-19 is a major email service disruption due to poor diligence by their email platform management team.
Written by Jay Sil and Andrea Martins
atmail is an email solutions company with more than 20 years of global, white label, email expertise. You can trust us to deliver an email platform that is secure, stable and scalable. We power more than 170 million mailboxes worldwide and offer modern, white-labelled, cloud hosted email with your choice of US or (GDPR compliant) EU data centres. We also offer on-premises webmail and/or mail server options. Contact us anytime, here.