The Importance of Email Security


During our day-to-day operations at LNW, we face a constant barrage of threats from cyber attackers. This is not uncommon for our industry. Bad actors know that companies in the finance industry in general are appealing targets. Attacker techniques and the list of software vulnerabilities available for them to exploit are always evolving. To defend against these attacks, we dedicate time and resources to ensuring that we have controls, policies and technology in place to help us detect and respond to weaknesses in our security environment, protecting our firm and our clients.

Email Makes an Appealing Target

Over the past several years, we have observed an important shift in the way that attackers are targeting LNW. Rather than spend significant time and energy attempting to gain access to our systems directly, the threat actors are targeting you, our clients. This is because, in the vast majority of cases, individuals do not have the same extensive policies, technology or other resources allocated to cyber security – which typically means that our clients are less likely to be able to defend against the bad actor’s attacks.

The single most common cyber security incident that we respond to is that of a client’s email account being compromised and used to initiate or hijack conversations with us about money movement or other investment decisions. The attackers believe that if they can convince your financial advisor that they are you, they can direct us to move money to nefarious outside accounts which they control. In some cases, our clients don’t even know that their email account has been under the watchful eye of an attacker until we receive a strange request to wire money to a new account.

The single most vulnerable, and thus most appealing, point of entry for a bad actor who wants to steal your money is your email account. This goes beyond the scenario described above. Outside of your communication with your financial advisor, there is likely to be other information in your email history that an attacker can leverage to do more financial harm. Your email account probably holds personal details that can be used to answer security questions, statements and notifications that reveal where you hold accounts, and, critically, email is the channel most online services use to reset passwords. Fortunately, most financial institutions put additional hurdles in front of a password reset, but with access to the treasure trove that is your inbox, the attacker's job is made much easier.

Steps You Can Take to Keep Your Email Account Secure

For these reasons, the importance of securing your email account cannot be overstated. Fortunately, there are just a few straightforward steps you can take to make it much harder for a bad actor to gain access to this critical online account. The steps below focus on Gmail specifically, as it is by far the most common email provider, but each of them has an equivalent in other mail platforms.

  1. Review access logs and password recovery settings in your email account to make sure that it has not already been compromised. Before going down the path of securing your email account, it's important to make sure that you are the only one who has access. In Gmail, go to your Google Account security settings and review the "How you sign in to Google" section; pay special attention to the "Recovery phone" and "Recovery email" entries to make sure that nothing looks unusual and that your information is current. An attacker who changes these can reset your password at will, even after you change it. On the same security page, look at "Recent security activity" and "Your devices" and sign out any device or session you do not recognize; the "Last account activity" link at the bottom of the Gmail inbox also shows recent sign-ins with their location and access type.
  2. Next, check that an attacker hasn't set up any email forwarding rules, which would send them copies of messages arriving in your inbox and allow them to keep reading your mail even after you change your password. For Gmail accounts, open your forwarding settings and check the "Forwarding" section to confirm that forwarding is disabled, or that you recognize any forwarding address already configured. Another place in Gmail where forwarding can be configured is the "Filters and Blocked Addresses" section of the settings. Review every filter listed at the top of that page. If any filter looks unfamiliar, especially one labeled "Do this: Forward to", delete it. Be equally suspicious of filters that trash, archive, or mark as read messages matching words like "wire", "transfer", or your advisor's name: attackers use these to hide their own conversations with us from you. Finally, under "Accounts and Import", check "Grant access to your account" and remove any delegate you did not add yourself.
  3. Now that you have some confidence that you are the only person with access to your Gmail account, you should take two more steps. First, enable two-factor authentication if it is not already on. Two-factor authentication makes it harder for an attacker to access your inbox because a stolen password alone is no longer enough: a second proof, such as a one-time code, is required to log in. You can check whether this feature is enabled (and enable it, if it hasn't already been done) in your security settings. The first option in the "How you sign in to Google" section is "2-Step Verification." If it is not already "On", proceed through the process of enabling it. This is the most important step you can take to secure your inbox. You will have the option to use SMS / text message as the authentication mechanism, or an authenticator app. The app is preferable: text-message codes can be intercepted if an attacker convinces your mobile carrier to move your phone number to a SIM card they control (a "SIM swap"), whereas codes generated on your device cannot. Most people are more familiar with SMS and may find it more convenient, and although it carries that risk, it is certainly better than not having two-factor authentication enabled at all.
  4. Finally, you should think about the password that you use for your email account. Key questions you should ask yourself are:

    Is this password unique? That is, is it different from the passwords you use for other online accounts? A unique password matters for your critical accounts because of what is known as "credential stuffing" (sometimes called a password replay attack). Websites all around the Internet are constantly being breached and leaking lists of their users' credentials. Attackers collect these lists and try each username and password combination against other sites, including email providers and banks, and if you reused the password, they get in. Earlier this year, the biggest credential leak in the history of the internet occurred: more than 10 billion unique username and password combinations were exposed.

    Can my password be longer? Length is the single most important attribute of password strength. Longer passwords are harder to break because the number of possible combinations an attacker must try grows exponentially with each character added. Best practice these days is to target a password of more than 14 characters. At that length, "passphrase" is the more appropriate term, and the distinction matters: by making your password a combination of several words with spaces and perhaps some punctuation, you can come up with a long, strong password that is still easy to remember. Padding a password with numbers and symbols, once thought of as best practice, is far less important than length; in practice it makes passwords harder to remember, leading people to write them down or, worse, forget them entirely.
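The filter check in step 2 above is the one most often skipped, and the rules attackers plant are easy to miss in a long list. Gmail's "Filters and Blocked Addresses" page has an Export button that saves all filters as an Atom XML file (mailFilters.xml); the script below, an added example written for this article rather than anything from Google or LNW, reads such an export and reports every filter that forwards mail to an outside address, rating it higher when the same filter also trashes, archives, or marks the message read, which is the pattern used to hide a hijacked conversation. The embedded sample export is constructed for the demonstration, and `trusted_domains` is a parameter of this script, not a Gmail setting.

```python
"""Audit an exported Gmail filter list (mailFilters.xml) for forwarding or
message-hiding rules.

Gmail > Settings > Filters and Blocked Addresses > Export produces an Atom
feed in which each <entry> is one filter and each <apps:property name=...
value=...> is one criterion or action of that filter.
"""
import sys
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Actions that make matching mail disappear from the inbox. Combined with
# forwardTo, they are the classic business-email-compromise filter.
HIDE_ACTIONS = {"shouldTrash", "shouldArchive", "shouldMarkAsRead"}
# Filter criteria, kept in findings so the reader can see what the rule targets.
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}

# Constructed sample export (not from a real account): one benign filter that
# files a newsletter, and one that forwards money-related mail to an outside
# mailbox and hides it.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='wire OR transfer OR advisor'/>
    <apps:property name='forwardTo' value='attacker-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one {property name: value} dict per filter entry in the export."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    filters = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(filters, trusted_domains=()):
    """Report filters that forward mail to a domain not in trusted_domains.

    Each finding records the destination, any hiding actions attached to the
    same rule, and the rule's criteria. Forward + hide is rated "high".
    """
    findings = []
    for index, props in enumerate(filters, start=1):
        target = props.get("forwardTo")
        if not target:
            continue
        domain = target.rsplit("@", 1)[-1].lower()
        if domain in {d.lower() for d in trusted_domains}:
            continue
        hides = sorted(a for a in HIDE_ACTIONS if props.get(a) == "true")
        criteria = {k: v for k, v in props.items() if k in CRITERIA}
        findings.append({
            "filter": index,
            "forward_to": target,
            "hides": hides,
            "criteria": criteria,
            "severity": "high" if hides else "medium",
        })
    return findings


if __name__ == "__main__":
    # Usage: python audit_filters.py mailFilters.xml  (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for f in audit_filters(parse_filters(text)):
        print(f"[{f['severity'].upper()}] filter #{f['filter']} forwards to "
              f"{f['forward_to']}; hides via {f['hides'] or 'nothing'}; "
              f"matches {f['criteria']}")
```

Run against the sample, the script reports the second filter as high severity and says nothing about the first. A filter that forwards to your own other mailbox is legitimate; pass that domain in `trusted_domains` so only unexpected destinations are reported. Note that this only covers filters: the account-wide forwarding address on the "Forwarding" tab and any delegates under "Accounts and Import" still have to be checked in the settings pages themselves.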

By following this guidance, you can substantially improve the security of your email account, which is the key an attacker needs to reach the other accounts and relationships you have established over time. If you have any questions or run into any difficulties, LNW's technology team is happy to help, and a web search for the setting in question will usually point you in the right direction as well. Please reach out to your advisor and they can connect you with a member of our team for help.