What not to keep in your mailbox

Getting e-mail through a Web interface may be convenient, but attackers are after corporate mailboxes, and one day they may visit yours.

If someone gets access to your mailbox, one possible consequence is a BEC attack, in which case your correspondence can contribute greatly to its success. Of course, security software helps adjust the odds in your favor, but anyone can fall for phishing, so it’s important to minimize potential damage by removing any messages you would not want to fall into someone else’s hands — just in case. Here is what to remove first.

Authentication data

Most modern services avoid sending even temporary passwords, instead providing unique links to a password-change interface. Sending passwords through unencrypted e-mail is a terrible idea, after all. But some companies do still send passwords by e-mail, and the practice is somewhat more common with internal services and resources. Moreover, employees sometimes send themselves passwords, logins, and their answers to secret questions.

Such letters are exactly what attackers are looking for: With access to corporate resources, they can get extra information for social engineering manipulations and further develop attacks.

Online service notifications

We get all sorts of notifications from online services: registration confirmations, password reset links, privacy policy update notifications. The letters per se are of no interest to anybody, but they show what services you subscribe to. The attackers will most likely have scripts ready to automate their search for these notifications.

In most cases your mailbox is the master key to all of these services. Knowing which ones you use, the attackers can request a password change and get in through your mailbox.

Scans of personal documents

Corporate users (particularly those in small business) are often tempted to use their mailboxes as a sort of cloud file storage, especially if the office scanner delivers scans by e-mail. Copies of passports, taxpayer IDs, and other documents are often required for routine paperwork or business trips.

We recommend deleting any messages containing personal information immediately. Download the documents and keep them in encrypted storage.

Sensitive business documents

For many employees, document exchange is an integral part of business workflow. That said, some documents may be of value not only for your colleagues, but also for attackers.

Take, for example, a financial report. Likely to be found in the accountant’s mailbox, a financial report provides a wealth of powerful information — and an ideal starting point for BEC attacks. Instead of sending scattershot scam letters to colleagues, for example, cybercriminals with such information can directly use real info about specific contractors, accounts, and transaction sums to craft appealing subject lines. They can also obtain useful information about the company’s business context, partners, and contractors so as to attack them as well. In some cases, careful study of a financial report may also present an opportunity for stock exchange manipulation.

Therefore, it is important to delete sensitive information on receipt and never to exchange it unencrypted.

Personal data

Other people’s personal data, such as resumes and CVs, application and registration documents, and so forth, can find their way into your mailbox, too. When people give your company permission to store and process their personal data, they expect you to keep that information safe and secure. Regulators expect that as well, especially in countries with strict PII laws.

How to secure yourself against a mailbox compromise

We recommend deleting any information that may be of interest to attackers — not only from your inbox but also from your Sent and Deleted folders. If your business requires you to send commercially sensitive information by e-mail, use encryption, which most e-mail clients for business support.

Additionally, we recommend using two-factor authentication wherever possible. If you do, then even if an attacker compromises your mailbox, your other accounts won’t end up in their hands.

Store passwords and scanned documents in specialized applications such as our Password Manager.

Practice prevention by keeping your mailbox secure, carefully screening your incoming mail at the mail server level and, as an additional layer of protection, using reliable security solutions on corporate computers.