If cybercriminals don’t know your username and password, they can’t get into your site’s backend. Unfortunately, they have found ways to get the information they need, for example, via phishing campaigns. What do these look like?
“Your CMS requires a password change. Sign in and change it immediately.” Such calls for rapid action are sometimes part of phishing campaigns. If website admins give up their login details, cybercriminals can take control of their websites.
Hackers take advantage of human factors such as our tendency to act rashly. If you want to minimize the chances that they break into your website, pay attention to employee training,” says Martin Cambal, ESET Global Web Development Manager. “For example, run a fake phishing campaign to find out if employees are able to correctly identify the risks. Then educate the employees who fall victim to the phishing tactics. Smaller companies can outsource employee training.”
Employees should pay attention to spelling details such as whether the email was sent from examples.com instead of example.com. “Also, be wary of a false sense of urgency. An attacker posing as your content management system provider may ask you to download an apparently urgent security update. But once downloaded, your device can become infected with malware,” adds Cambal.
Attackers may try to scan your website with automated tools that look for vulnerabilities. This is why you should hide identifying aspects of your system. For example, you should keep attackers in the dark about which content management system (CMS) you are using. “The elements of the CMS can be hidden and the source code edited so that cybercriminals can’t tell what platform you’re using,” says Cambal.
How can your company’s domain be misused for spam and phishing?
Cybercriminals can also misuse your company domain for phishing and spam campaigns. This is where implementing a sender policy framework (SPF) pays off. “Create well-thought-out SPF records that list the IP addresses allowed to send emails under your website’s domain. Having no such records in place means anyone can send an email under your domain name.
Authorizing a trusted set of IP addresses should be one of the basic email security measures,” Cambal adds. Managing your domain name system (DNS) records, and access to them, is critical since this is what allows for more secure (email) configuration — for example, to enable the authorized use of your domain for sending emails. This also makes it possible to create subdomains.
The responsibility for verifying the use of domains in email lies upon the receiving email server. “If the server finds out the email was sent from an IP address that’s not listed in the SPF records of the domain in the envelope return address, it can decide to decline the delivery,” says Cambal. “Many IT admins forget that domain names can also be misused in competitive fights — imagine a rival company sending harmful emails under your company domain. In such situations, your business’s reputation is at stake.” But if the receiving server evaluates the sender’s IP address as unauthorized, it can handle it as spam.
Generally, for small- and medium-sized companies, it is recommended to use an external email service provider to take care of email servers instead of managing them on your own. “Outsourcing is beneficial as long as your company’s email communication isn’t extra confidential,” suggests Cambal.
Be wary of sending emails in bulk and monitor your domain’s usage
But why do messages sent from your company’s email server sometimes land in spam folders, even though they were created by you and not a malicious actor? “When a large number of emails is sent from one IP address in a short time and a user reports it as spam, the email server can penalize the email domain and place the message into the junk folder or not deliver it at all,” explains Cambal.
Many companies also use one domain for all communication via email, including newsletters. A better solution is to separate one-to-one email communication from one-to-many communication, for example, by using a subdomain like thankyou.example.com for transactional conversations instead of example.com. “In this way, if one domain is blocked as spam, there are others you can use,” says Cambal.
Also, how can you determine whether your company email domain has been misused? If you have DMARC reporting enabled and an attacker sends a message under your domain, you should be notified by the incoming mail server. This allows you to monitor the effectiveness of your SPF configuration and to potentially inform you that someone has been trying to abuse your company’s domain. By doing that, you can protect your business’s reputation.