What not to keep in your email inbox


If someone gains access to your inbox, one possible consequence is a business email compromise (BEC) attack, in which your own emails can contribute a great deal to the attacker's success. Security software helps keep the odds in your favor, but anyone can fall for phishing, so it is important to minimize the potential damage by removing any messages you would not want to fall into someone else's hands, just in case. Below is what not to keep.

  • Personal data

Your inbox may also hold other people's personal data, such as resumes, job applications and admission documents. When people give your company permission to store and process their personal data, they expect you to keep that information safe and secure.

  • Authentication data

Most services today avoid sending temporary passwords, instead providing unique links to a password change interface. After all, sending passwords via unencrypted email is a very bad idea. But some companies still email passwords, and the practice is slightly more common with in-house services and resources. Also, sometimes employees send themselves passwords, logins and their answers to secret questions.

These emails are exactly what attackers are looking for: they provide access to corporate resources, plus extra material for social engineering and for developing further attacks.

  • Online service notifications

We receive all kinds of notifications from online services: registration confirmations, password reset links, privacy policy update notices. The emails themselves are of no interest to anyone, but they reveal which services the user is subscribed to. Attackers likely have scripts ready to automate the search for such notifications.

In most cases, your inbox is the master key to all these services. Knowing which username you use, attackers can request a password reset and, because the reset link lands in the inbox they now control, log in to the service.

  • Scans of personal documents

Corporate users (especially those in small businesses) are often tempted to use their inboxes as a kind of cloud file storage, especially if the office scanner delivers scans via email. Copies of passports, taxpayer IDs and other documents are often required for routine paperwork or business travel.

Delete all messages containing personal information as soon as you receive them. Download the documents and keep them in encrypted storage.


  • Confidential business documents

For many employees, exchanging documents is an integral part of their business workflow. That said, some documents can be valuable not only to your colleagues, but to attackers as well.

Take, for example, a financial report. Likely to be found in the treasurer's inbox, a financial report is a wealth of powerful information and an ideal starting point for a BEC attack. Rather than sending generic fraudulent emails to colleagues, cybercriminals holding such a report can use real details about specific contractors, accounts and transaction sums to craft compelling subject lines. They also learn about the company's business context, partners and contractors, and can go after them too. In some cases, careful study of a financial report can even present an opportunity for stock market manipulation.

Therefore, delete sensitive information upon receipt, and never exchange it without encryption.

How to protect against inbox compromise

Delete any information that might be of interest to attackers, not only from your Inbox but also from the Sent and Trash folders. If your business requires you to send commercially sensitive information by email, use encryption; most email services offer it for business accounts.

Additionally, use two-factor authentication wherever possible. Then, even if an attacker compromises your inbox, your other accounts will not end up in their hands.

Store passwords and scanned documents in specialized applications such as Password Manager.
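As an added illustration (not part of the original article), the script below scans a set of messages for the four categories described above (credentials, service notifications, scanned documents and other people's personal data) and reports which ones should be reviewed and deleted from Inbox, Sent and Trash alike. The sample messages and the keyword rules are constructed for the example; in practice you would feed it messages read from a mailbox export.

```python
"""Inbox hygiene audit: flag messages that fall into the categories the article warns about."""
import re
from email.message import EmailMessage


def make_msg(subject, body, attachment_name=None):
    """Build a constructed sample message (optionally with a dummy PDF attachment)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "me@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg


# Hypothetical keyword rules, one per category; tune them for your own organization.
RULES = [
    ("credentials", re.compile(r"\b(password|passwd|login|secret question)\b\s*[:=]", re.I)),
    ("service_notification", re.compile(r"(reset your password|confirm your registration)", re.I)),
    ("scanned_document", re.compile(r"(passport|scan|tax(payer)? id)", re.I)),
    ("personal_data", re.compile(r"\b(resume|cv|application form)\b", re.I)),
]


def classify(msg):
    """Return the sorted list of categories matched by subject, plain-text body and attachment names."""
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    haystack = text + "\n" + "\n".join(attachments)
    return sorted({name for name, rx in RULES if rx.search(haystack)})


def audit(messages):
    """Return (subject, categories) for every message that matches at least one rule."""
    return [(m["Subject"], cats) for m in messages if (cats := classify(m))]


# Constructed sample inbox covering each category plus one harmless message.
SAMPLE_INBOX = [
    make_msg("VPN access", "Your login: jdoe\npassword: Winter2023!"),
    make_msg("Reset your password", "Click here to reset your password for ExampleCloud."),
    make_msg("Scan from office printer", "See attached.", "passport_scan.pdf"),
    make_msg("Applicant for analyst role", "Resume attached.", "resume_jsmith.pdf"),
    make_msg("Lunch?", "Pizza at 1pm?"),
]

if __name__ == "__main__":
    for subject, cats in audit(SAMPLE_INBOX):
        print(f"REVIEW/DELETE  {subject!r:32} {', '.join(cats)}")
```

To run it against a real mailbox export, iterate `mailbox.mbox(path)` with `factory=email.message_from_binary_file` style parsing into `EmailMessage` objects and pass those to `audit`.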
