Edition e1.0.0
Updated October 9, 2023. As explained by Erica.
We already learned a lot about how valuable our email is, and how much we can do ourselves to secure it. Personal email security might apply to just a single inbox. As a small business, your employees may need email addresses too, and email security then applies to every inbox that represents your business and lives in your business’s domain.
Figure: Growing from one email account to many.
In an attacker’s view, your work email inbox has about the same value as an individual email inbox that you use for business. The difference is that as your team grows, there are more inboxes for attackers to access, a higher likelihood that one of those inboxes has a weak or reused password, and a higher possibility of being able to trick someone into revealing information or access that they shouldn’t.
Figure: As the number of email accounts grows, you have more accounts that might get compromised.
You also might be processing more payments and invoices than you did when you were running the show solo, which gives an attacker more chances to get an invoice paid into an account they control.
When thinking about protecting work email for a small business, you (or whoever helps administer your email accounts) need to consider how your employees work and the context of how they use email.
example Common scenarios:
Scenario: Your employees need an email address, which might be their own individual address or a shared email account.
Scenario: Your employees use a shared inbox, which is accessible from a shared device (like one kept in the office for everyone to use) or on their individual devices.
Scenario: You don’t give your employees work devices. They either use their own personal device, or they use a shared device at your physical workplace.
Scenario: You may use many part-time, temporary, or contract workers.
Scenario: Your employees work with people outside your business often—including customers, clients, suppliers, and contractors.
Depending on which contexts apply, you’ll have different steps you need to take. Let’s tackle them together!
While the technology is the same, there are subtle differences between personal and business email accounts. Business email accounts often provide features that would not be used for individuals, like creating multiple users and inboxes, and setting configurations across the entire domain instead of one account. Let’s talk about how to pick or vet the email provider you currently use, and how to keep it secure.
The first step in protecting your employees and your work email is to decide how it will be set up. If your business is growing, the setup that will be easiest to manage in the long run is a business email account, and this section takes you through the security involved in that.
This is not a one-size-fits-all solution. Moving to a business account usually involves a nominal monthly fee (usually at least a few bucks per month), and involves more work. The good news is that the work is up front—meaning you do it once, and then leave it be.
Are these statements true?
Your employees can do what they need without email, or only use email when logged into a computer accessed only at work.
Your organization does not give employees individual email addresses and has no plans to.
Important, confidential business documents are not stored in shared file storage or drives linked to email accounts (like OneDrive or Google Drive).
The current work email account does not contain personal or sensitive business conversations.
If the answer is yes to all of them, a business email domain may not be needed. You can stick with the work account you have been operating with so far and skip ahead to the next chapter.
You may eventually find yourself needing to give access to this email account to someone else, such as an operations manager or a second-in-command that you hire. Sharing passwords and email accounts is often discouraged in security, but there are reasonable situations where you can if you do it safely. If that is the case, you will need to read the sections below on password managers, especially making sure to pick one with 2FA built in. Also be sure to consider any other shared file storage, drives, or conversations that this email account gives them access to. If you do find yourself sharing access, be sure to move those files somewhere safe—such as your own personal shared drive.
This can also be a workable setup if your business has a laptop at a physical location that employees can use, if that use is limited to just one location and just a small number of staff. For example, a local cafe or restaurant might have a computer setup with access to the email account to be able to respond to reservations or catering requests. If you have more than one location, or three or more staff, then you will thank yourself later for getting a business account. It has both operational and security advantages at that point.
Some companies offer business packages that give you all the tools you need to run a small business—email, website hosting, collaboration tools. If you are small, these providers might even give you tools for free or at a very reduced cost.
If you have made it this far, we will assume that you are in the market for a new business email account. First, let’s make sure to start with the right foundation and a good email provider. If your business organically grew from being just you to now a few people, you might be using a stock-standard personal email account from a popular provider, such as Gmail, Yahoo Mail, or Microsoft Outlook.
It is time to think about upgrading from the second-hand suit to something a bit more tailored for your business. Unless you are setting up your own mail server, using a custom domain name for email requires a business email account. All the major email providers offer free personal accounts: a single login and an inbox on that provider’s domain (for example, @gmail.com). When you shift to a business email account, you get the ability to add additional users (each with their own username and password to log in) and the ability to use your own domain (for example, @safestack.io).
Picking a provider for your business is very similar to how you picked one in Part I, except the options are scarcer: there are a lot of personal email providers, but not many business email providers. When picking one, make sure it has some key features:
Users can use 2FA using different, strong methods like one-time password (OTP) apps, mobile push notifications, or security keys.
Security settings can be enforced to protect your employees’ accounts (such as requiring 2FA and disabling automatic email forwarding).
Different security settings can be configured for your business account and domain. This includes good security scanning and filtering for emails and attachments, and domain authentication records (SPF, DKIM, and DMARC) so others can’t send mail that pretends to come from your domain.
Access to logs that tell you what your users are doing (and where they are connecting from), and tools to easily manage user access in case you need to reset or remove it.
We are going to go into each of these features in detail in this chapter.
danger If an email provider doesn’t give you these features, you’ll need to keep looking. You might find free business email services out there, but if they don’t check these boxes they are too good to be true. And since email is likely one of the IT tools you use all the time, the money will be well invested.
Generally, you can’t go wrong with using business email from one of the big technology providers, such as Google Workspace (formerly G Suite) or Microsoft 365 Business. You pay a few bucks per user, per month, and you might qualify for credits if your business fits a special program (like a not-for-profit).
You might be in a position where you have been operating solo, using a personal email account, and now have to migrate everything over to a business account. Although changing emails can be annoying, it is something you’ll be happy you did (because the alternative of having to manage multiple people with access to one email account sounds like a literal nightmare). While each email provider will have their own instructions on performing each step, here is a list of steps involved in moving from your personal to your new business email account:
Create your new business email account, along with the domain and users you need. If your personal email was configured to use a unique domain, be sure to check with your domain and email provider on moving that to the new business email account.
Configure security settings on your business account (which we will cover soon) before helping your team get set up.
Configure your personal email to auto-forward emails to an inbox on your new business email account. This forwards mail into your business domain, which is fine; later in this chapter you will disable automatic forwarding out of it. Treat this forward as temporary and remove it once the old address has gone quiet.
Export relevant contacts or calendar entries from your personal email into your business email account. You could consider doing this for all your emails if that is helpful.
Let people know. Set up an auto-reply to let people know your email has changed and you will reply from your new business email, or you can send out an email to your contacts to let them know. Be sure to also update things like your website, social media, and anywhere else your old email is listed.
Make sure the password to your personal email account is only known by you (or reset it if unsure), store the password in your password manager, and ensure 2FA is turned on. This cleans up any lingering access others might have had, and gives you full control over that account again.
Change the email account for the accounts and tools used for your business. While any emails that come through for these accounts will be forwarded, it is a good exercise to completely decouple your personal email from your new business email.
While the steps for migrating across are straightforward, the tail on this drags out for a bit and it might be a while until everyone is using your new email address—newsletters, business accounts, and old customers will need updating, and those emails don’t always come on a regular basis.
After picking your provider, set up your own security first. Just like oxygen masks on an airplane, you need to help yourself before assisting others. Not only will you be more familiar with what you are asking your employees to do, but you also are one of the biggest and most valuable targets in the business.
Secure yourself first by taking these steps:
Set a unique and strong password.
Set up strong 2FA.
Store your backup two-factor codes in your password manager.
Provide an account recovery phone number and backup email.
We covered why these steps are so important back in Part I.
As a small business owner, there are a few extra reasons why these steps matter:
Going through the process yourself makes it so you know what your employees can expect. Was a process particularly challenging to set up? Was there an easy way you found to set it up for yourself?
This is a great way to lead your employees by example. It is the start of a “security culture” in your small business that says, “Hey, email is important to us and we need to protect it. Here is how.”
You would probably be surprised to hear that even larger organizations struggle to build a positive security culture, despite being in charge of lots of data, money, and users. It all starts with the leaders, and what they have to say.
Definition More importantly, you will likely be the administrator, or the person who can make a lot of key configurations or changes that impact all the inboxes, users, and domains.
danger Administrator access is sacred and needs to be protected more carefully than an account that only has access to an inbox. The administrator users of your business account are also a very attractive target for attackers. That doesn’t mean employee users don’t need to worry about security; both account types are valuable, just in different ways.
Now that you have an email domain set up, it’s time to ensure your email is protected. Whether it’s brand new or you set up a business email domain in the past, you can revisit these steps:
Set a strong password policy.
Require 2FA for all users.
Provide a password manager to your team.
Disable the use of insecure third-party apps.
Turn on message scanning.
Disable automatic forwarding.
Turn on basic logging.
Prevent your emails from being labeled as spam, and prevent others from sending mail that impersonates your domain.
We’ll now walk through each of these steps. The theme we are going to follow is “setting up email so it is secure by default.” This means security is on and protecting you, your employees, and your domain without having to take action yourself. This is ideal to save time and avoids requiring technical skills to understand what is going wrong if something bad does happen.
You aren’t a security expert, and that is OK. It is kind of like paying an accountant to take care of tax filing or accounting needs. You could probably do it if you tried—but why spend the time? We can set up your business email accounts so a few steps are taken up front to protect it, and you don’t have to think about it much after. You can trust your business email provider to do it for you.
At this point, we assume your business email domain is set up, and you have your own administrator account. Now we need to make sure when your employees log into their accounts, they can set everything up safely.
Most major business email providers already have rules that users have to follow when making their first password. These are usually composition rules: the password must contain numbers, upper-case and lower-case letters, and special characters. Those of us with scar tissue from old enterprise workplaces might also remember having to reset their password every 90 days.
Times have changed, even if the old enterprise workplace password policies have not.
danger The most important characteristics of a secure password are that it is unique and long. You might not be able to tell whether a password an employee uses is unique, but you can ensure that your business email account settings require passwords of at least 12 characters.
Another helpful business email account setting is account lockout, where the system disables or delays a user’s login after a defined number of unsuccessful attempts. This helps stop automated attacks, such as an attacker cycling through a list of common passwords. Prefer a temporary lock or a growing delay over a permanent lock, so an attacker can’t use the feature to lock your own staff out. This setting won’t always be available, but it is a good one to enable if you can.
For most major email providers, you won’t have to actually change anything in the password policy and can usually go with out-of-the-box configurations.
important If the out-of-the-box settings require things like resetting your password every 90 days or including one of every possible character type, it is actually better to disable those in exchange for requiring a longer password. Forced rotation and character rules push people toward predictable patterns (Summer2023!, then Autumn2023!). Ideally, your employees will use the password manager you provide to auto-magically generate passwords for them (which we will get into later).
Now is a great time to check that the password policy encourages and guides your users to make strong password choices. Guidance from NCSC UK and CERT NZ gives the same advice: require long passwords and don’t expire them on a schedule.
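To make those two settings concrete, here is an added example (not code from the page or from any email provider’s admin console) of what a length-only password policy and a temporary account lockout look like in logic, with a simulated attacker cycling through common passwords. The minimum length of 12, the five-failure threshold, the 15-minute lock, and the banned-password list are all assumptions chosen for the demo.

```python
"""Length-only password policy plus temporary account lockout.

Added example: not code from the page or from any provider's admin console.
Thresholds and the banned list are assumptions picked for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MIN_LENGTH = 12            # assumption: the "at least 12 characters" rule
MAX_FAILURES = 5           # assumption: failed logins allowed before locking
LOCKOUT_SECONDS = 15 * 60  # assumption: temporary lock, not a permanent one

# Constructed stand-in for a provider's banned-password list.
BANNED = {"password1234", "123456789012", "qwertyuiop12", "welcome12345"}


def check_password(candidate: str) -> tuple[bool, list[str]]:
    """Return (ok, reasons). Length is the only composition rule: no forced
    digits, symbols or mixed case, and nothing here expires a password."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in BANNED:
        reasons.append("on the banned-password list")
    return (not reasons, reasons)


@dataclass
class LoginThrottle:
    """Tracks failed logins per user and locks the account temporarily."""
    failures: dict[str, list[float]] = field(default_factory=dict)
    locked_until: dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'allowed'. A locked account rejects
        the attempt before the password is even compared."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "allowed"
        recent = [t for t in self.failures.get(user, []) if now - t < LOCKOUT_SECONDS]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)
            return "locked"
        return "denied"


def simulate_password_spray(throttle: LoginThrottle, user: str, correct: str,
                            guesses: list[str], start: float = 0.0) -> tuple[list[str], bool]:
    """An attacker tries a list of common passwords, one per second.
    Returns the per-attempt outcomes and whether the right password got in."""
    outcomes, got_in = [], False
    for i, guess in enumerate(guesses):
        result = throttle.attempt(user, guess == correct, start + i)
        outcomes.append(result)
        got_in = got_in or result == "allowed"
    return outcomes, got_in


if __name__ == "__main__":
    print(check_password("Summer2023!"))            # too short
    print(check_password("correct horse battery"))  # fine
    # Constructed guess list; the real password is last, but lockout hits first.
    guesses = ["password", "123456", "qwerty", "letmein", "admin", "welcome",
               "correct horse battery"]
    print(simulate_password_spray(LoginThrottle(), "alice", guesses[-1], guesses))
```

The spray simulation is the point of the lockout: once the fifth wrong guess lands, the later attempts (including the one that happens to be right) are rejected without the password even being compared, and the lock expires on its own so a real user is only inconvenienced, not shut out for good.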
It’s also important to require 2FA for all your employees. Your business email provider should allow you to toggle a setting that requires it to be set up for everyone, and if not, should at least tell you who has and who hasn’t set it up.
Remember how we discussed the different types of two-factor authentication? This is the point where you have to think a bit more about which types of two-factor authentication you use. You are going to start having accounts that have really sensitive access, like the administrator account to your business email provider. They have what is referred to as “privileged access,” which means they have permissions to perform risky actions like changing users or security configurations, so you want to make sure the security measures for accessing these accounts are as strong as they can be.
For your administrator accounts, you want to use stronger 2FA setups. This includes hardware security keys or push notifications to your phone. It is unfair to assume that your staff know how to use a security key (or even know what they are, and how to keep them safe); they don’t get security training and are not expected to be technically skilled. It is OK for them to use the other forms of 2FA, such as a code delivered via text message, if their accounts don’t have any administrative access. Text message is the weakest option (it depends on the phone number, which can be hijacked), so steer staff who have a smartphone toward an authenticator app, but a text message code still beats no second factor at all.
In 2010, 2FA was a weird, new, crazy thing security people did. Google Authenticator (the app for getting one-time password tokens for 2FA) had just been created and published.
In 2015, 2FA was still not mainstream, but was picking up popularity. This was around the time sales of Yubico (the maker of the popular hardware security key, Yubikey) started booming after some successful partnerships and system integrations.
In 2018, 2FA was gaining popularity as the main step you could take to protect your digital accounts. Yet at that time, Google revealed over 90% of Gmail users did not have 2FA enabled.
Today in 2022, 2FA is indispensable. Even the popular video game Fortnite gave their users free in-game content to entice them to turn on 2FA.
If employees are still unfamiliar with 2FA, you may use this as an opportunity to echo the security culture and values you want your business and employees to live.
There may be some valid reasons for having challenges with 2FA, such as:
You want to give a copy of your passwords to someone else “just in case” you can no longer access them.
The 2FA options available are not accessible to employees with disabilities, or employees don’t have a smartphone to receive a call, text message, or app notification.
While these are valid challenges, there are always other options to explore, such as:
Using 2FA features available in your password manager. This means when you share the password with another employee using your password manager, they get the 2FA code along with it.
Using a physical security key locked within an office safe, that you and another team member can access.
Picking a business email provider that provides multiple 2FA options, and helping your employees pick and set up one that works for them.
Working closely with an employee who can’t access 2FA to make sure they set a long, unique password and can keep it somewhere safe. That password will be their account’s only line of defense, so making sure the employee sets that up safely will be very important.
danger Disabling 2FA for an account needs to be an exception, not the rule. As mentioned earlier, we are aiming for “secure by default.” If you deviate from that rule, exceptions need to be made on a case-by-case basis.
Password managers are a handy tool you are already familiar with since you use one for your personal life (especially after reading and going through Part I). You probably already store the password you use for your business in your personal password manager because that is the safest thing to do. Great!
Password managers aren’t specific to email, but while we are on the topic of shared and individual email accounts, it is an important elephant in the room to address: how will my employees create and store their passwords?
We can remove any thinking about “unique and strong passwords” by using a password manager to auto-generate a strong one for you. We can also remove any thinking about “safe storage” by keeping them in a password database that is encrypted and can only be unlocked with your master password. All we need to memorize (to access all our passwords) is that one master password.
But what makes a business password manager different? Should you use the same password manager for your business as you do your personal life? What about your employees? Do they really need one? These are all valid questions, and possible to solve with some upfront thinking now:
(1) Do they need to access any applications or emails that have a single, shared account?
(2) Do your employees have an individual email account they need to access?
(3) Do your employees have their own individual online applications or systems they need to access?
If the answer to (1) is yes, you need a password manager for your team to share the password. This is the best, safest way to keep that password safe so that it isn’t lost or stored in the open, such as on a Post-it Note under the keyboard of the office computer. (Sorry, that might have felt too real!)
If the answer to (1) is no and both (2) and (3) are yes, you need a password manager.
If the answer is yes to only one of (2) or (3), let’s do a quick risk-thinking exercise:
What would happen if their account was accessed by someone else? What is the worst that could happen with that access?
How would I know if their account was accessed by someone else? Would it just go unnoticed until something bad happened?
If the “worst-case scenario” makes you nervous, give your team and yourself the tools needed to avoid that situation:
If your employees only have access to an online system where they record their timesheets or clock ins/clock outs (and there is no other sensitive information), you probably don’t need a password manager.
If your employees have access to online systems where all your suppliers, customers, and order details are stored, a password manager is a good idea.
If your employees have access to the shared email you use to communicate with all your customers, or if they have access to your social media accounts (which are usually shared accounts), a password manager is a required tool.
If ever in doubt on which side of the “do I, don’t I” risk thinking you are, opt for peace of mind and go with the additional security. If your business is growing, it will be a part of your organization eventually, and it would be good to practice and promote that good security culture now.
Password managers often provide their products under the banner of “personal or family use” or “business or enterprise use.” Under the hood, the technology is the same. Whether you create a “family account” or “business account” doesn’t matter—what matters are the features you have access to.
We won’t re-explain the other characteristics that are important to consider when we pick one for your personal use. Instead, we will introduce the “step up,” or additional features, you will need now that you have a different context that you are using it in.
The password manager for your business requires a few features that you might not have needed before.
Ability to set up accounts for each individual, and give them access to different groups or folders that store passwords. This is what we technical and management folk call granular access control and the principle of least privilege. It means giving people access to the things they need to do their job, and nothing else. Less access means fewer mistakes and less chance for something to go wrong. It is good to practice now, as it is a way of thinking you will exercise a lot more as you get more systems you need to give people access to.
Being able to create a folder, vault, or group that has access to specific passwords is a great way to practice granular access controls. You might have employees that only need access to one or two applications, and a second-in-command who needs access to four to six applications, and then yourself who needs access to them all. You can have a folder with your basic tools, a folder for your management tools, and then a private folder just for yourself. Ideally access could be granted to these folders individually.
Ability to set up 2FA so your password manager will provide you a one-time password or token (just like your phone and mobile app does). Sharing passwords for shared accounts already makes sense. But how do we share passwords to accounts AND have 2FA? Surely it just can’t be done. Can you imagine having to call your teammates every time you want to log in, to have them read out a code sent to their phone? Nightmare.
The good news is password managers help here too. Your OTP mobile app doesn’t pick codes at random: it computes a new code every 30 seconds from a secret shared when you enrolled and the current time, and your password manager can run the same calculation from the same secret. This is important because you will have to share some very important accounts. Think about shared inboxes, social media accounts, and online banking. These need 2FA, and you can use the one in your password manager to avoid any disruption to your lives.
I can hear the chorus of security folks out there screaming against this advice. Having your 2FA AND password in the same place? Then what is the point of 2FA?! I am not saying this is the perfect, ideal situation for protecting an account, but it is the one that will work for you and your employees without causing any rift or frustration. The two-factor code still rotates, the same way an app does, so a password leaked from a phishing page or an old breach is not enough on its own. And the password manager lets you make strong, unique, long passwords. What it does mean is that the password manager’s own account now guards both factors, so its master password must be long and unique and its own 2FA must be turned on. These are two valid defenses against an attacker trying to break into your account or trick you into giving them access, and they help you run slightly faster than the bear that is chasing you.
An important factor to also consider is price. Good news: most of them are very cheap. We are talking anywhere from $1-4 a month, per user. You can even get by with a “family plan,” if you are going to stay a small team, and still get the features above that you need. Family plans usually give you at least five users to invite, and charge you a flat monthly rate for the whole group. The difference between the two options are just a few bucks a month, so be sure to give everyone in the business an account if they have passwords they need to protect.
Most of the password managers that you would have researched for personal use tend to provide team or business plans that have the important features we covered. I have personally found 1Password and LastPass quite easy to use for a small team.
If you don’t want to get into the business password manager game just yet, I understand. It is probably already daunting to use one for your everyday life; teaching your employees about them might be a step you are not ready to take.
The time will come where password managers are more of a “norm” rather than an exception. In truth, this has already started—browsers have their own built-in password storage options that require little effort on your part. Password managers will also become a much more effective tool when you reach the next stage of growth; you won’t be able to avoid it then.
The options we have discussed so far are cloud-based password managers, which store your passwords as an online service (in the cloud). We recommend these in most cases, as they tend to provide the features you need to work with multiple devices and multiple team members.
There are also offline or self-hosted password managers that keep the password database on your own computer, device, or server. The downside is that your employees (or you) then have to protect wherever that database lives and keep it in sync, which is often a step in the wrong direction in terms of ease of training and use.
Browser-based password managers are the password managers offered by your browser, such as Chrome, Safari, or Microsoft Edge. These are a decent middle ground if your employees don’t share their devices with non-work people, and if the device is protected with a PIN or password, and not left unlocked and lying around in open spaces. If that is not the case, cloud-based password managers are still your best option.
The latest versions of Firefox, Chrome, Safari, and Edge all have a built-in password manager, and you have seen it in action if you have seen a pop-up asking to save your password to the browser when you log into a website.
The downside to browser-based password managers is that you can’t share access to passwords with your team, which also means you can’t revoke access to a password when an employee no longer needs it. If you give employees a shared password, you will have to tell each other whenever it changes so you don’t lock each other out. This option also depends on your staff keeping the device they log in with safe. So if they use a personal device, share the device with people outside the business, or often leave it unlocked and accessible to anyone, this option won’t be a great idea.
At the end of the day, something is better than nothing: this beats a Word document on the desktop, a pad of paper at the desk, or a password “hidden” in the notes field of a contact. The browser keeps the saved passwords encrypted rather than in plain text, and on most systems ties them to the device’s user login.
Remember how we covered third-party apps and systems back in Part I? The same goes here, except now you can control it at a central level and protect your employees from any oopsies or quick (and unsafe) setups.
Third-party access to your work email comes up often and in very similar situations to your personal email. It gives an easy way to sign up and into apps and accounts, and from a security perspective it has a bunch of perks:
The work email administrators can see who has linked their work email account to third-party systems, which can help to see what third-party apps are used.
The end user doesn’t have to set up yet another unique, strong password and save it to their password manager.
That app or system’s login is now secured and managed by the work email provider, which is often a good idea, as they probably have a lot more experience and resources to build a secure login flow—more so than the third-party app owner.
It is a win-win-win! What is the harm?
It comes back to the same problem we have when it comes to third-party apps for personal email accounts—those third parties might be (or could turn) malicious. When your employees hit “allow” on giving that third-party app access to their work email, the risks include:
Apps asking for too much access, or more than you expect them to need.
Access terms that are confusing to understand, especially when an employee is focused on getting a job done.
Access terms that are difficult to translate, especially for your employees with little to no tech background.
Access that changes over time—that third party app could go from safe hands to dangerous ones.
Most work email providers give you the ability to restrict third-party access by default, and it is something we recommend you do.
important Go hard now on the controls—your team is small enough to raise any blockers now. If your employees don’t use any third-party apps or accounts for work, turn off the ability to use them entirely. If they have some accounts, you could configure your work email provider to only allow those on a specific allowed list you give it. If you have gone with a larger work email provider (which we do recommend), they often have robust processes to warn you or ban third parties that are seen to be abusing their integrations.
If I can convince you with a hilarious mental picture and metaphor: picture the internet as an ocean. It is vast, and some parts of it are unsafe. Your employees sometimes need to swim. Each of them might have varying levels of swimming ability, and you don’t want to just throw all of them in the middle of the Atlantic and expect them to survive without incident. Depending on your employees, their needs, and what you expect from them, you might give them two flags to swim between (using an allowed list of third-party apps), or you might even put them in a paddling pool (disabling third-party apps entirely). Just don’t throw them a pair of floaties and expect them to survive (not configuring anything). Regardless of what controls you put in place, with a large work email provider acting as lifeguard, they will help keep an eye on them too.
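Here is an added example (not code from the page or from any provider’s admin console) of the three settings just described as a small policy check: block everything, allow only an approved list with the access each app may ask for, or leave it open. It also includes the admin-side review of what staff have already linked. The app names and permission strings are constructed stand-ins for what a consent screen lists.

```python
"""Third-party app policy for a work email domain.

Added example: not code from the page or from any provider's admin console.
App names and permission strings are constructed stand-ins for the scopes a
consent screen lists.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed: permissions that hand an app the keys to the inbox.
SENSITIVE_SCOPES = {"mail.readwrite", "mail.send", "mail.settings", "contacts.readwrite"}


@dataclass(frozen=True)
class AppRequest:
    app_id: str                  # who is asking ("Allow <app> to ...")
    requested_scopes: frozenset  # what the consent screen asks for


class ThirdPartyPolicy:
    """'disabled' = paddling pool, 'allowlist' = swim between the flags,
    'unrestricted' = floaties in the Atlantic."""

    MODES = ("disabled", "allowlist", "unrestricted")

    def __init__(self, mode: str = "disabled", allowlist: dict[str, set[str]] | None = None):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        # app_id -> the most access that app is approved to hold
        self.allowlist = {app: frozenset(scopes) for app, scopes in (allowlist or {}).items()}

    def evaluate(self, req: AppRequest) -> tuple[str, str]:
        """Return ('allow' | 'deny', reason) for one consent prompt."""
        if self.mode == "disabled":
            return "deny", "third-party access is switched off for this domain"
        if self.mode == "unrestricted":
            return "allow", "no restrictions configured (every app goes through)"
        approved = self.allowlist.get(req.app_id)
        if approved is None:
            return "deny", f"{req.app_id} is not on the allowed list"
        extra = req.requested_scopes - approved
        if extra:
            # Known app, but it now asks for more than it was approved for
            # (the "access that changes over time" case).
            return "deny", "asks for more than approved: " + ", ".join(sorted(extra))
        return "allow", "app and requested access are on the allowed list"


def review_existing_grants(grants: dict[str, set[str]]) -> dict[str, list[str]]:
    """The admin-side view: which already-linked apps hold sensitive access.
    Returns only the apps worth a second look, with the scopes that triggered it."""
    flagged = {}
    for app, scopes in grants.items():
        hits = sorted(scopes & SENSITIVE_SCOPES)
        if hits:
            flagged[app] = hits
    return flagged


if __name__ == "__main__":
    policy = ThirdPartyPolicy("allowlist", {
        "calendar-sync": {"calendar.read"},
        "crm-connector": {"mail.read", "contacts.read"},
    })
    print(policy.evaluate(AppRequest("calendar-sync", frozenset({"calendar.read"}))))
    print(policy.evaluate(AppRequest("crm-connector", frozenset({"mail.read", "mail.send"}))))
    print(policy.evaluate(AppRequest("free-pdf-tool", frozenset({"mail.readwrite"}))))
    # Constructed snapshot of what staff have already linked.
    print(review_existing_grants({
        "calendar-sync": {"calendar.read"},
        "free-pdf-tool": {"mail.readwrite", "mail.send"},
    }))
```

The allowlist holds the maximum access per app rather than just the app name, so an update that quietly asks for more permission is refused rather than waved through on reputation.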
The theme of this chapter has been “set it and forget it.” This step is no different. Your employees might get unsolicited emails from people trying to trick them into downloading bad attachments, clicking on links to go to bad websites, or replying back with important information. Even as a small business, these things can happen. They aren’t targeted—it is just really easy to set up an automatic script that sends the same bad email to thousands of people. It is a game of odds for an attacker: if just one person reacts, they can win big.
On the bright side, larger email providers realize this, and recognize that they are in the best position to protect people. Not all providers do this; that is why it was important at the very get-go to go with a good provider. Your Googles and Microsofts will definitely have these settings available.
Larger email providers host your mailboxes for you, which means they can also check them for any badness before letting you and your users see emails. They have some default protection already in place that will send obvious spam messages, like those about pharmaceuticals and that million dollar inheritance that you are missing out on, to the spam folder.
Email providers tend to turn the sensitivity dial down quite low and give you the option to dial it up if you want. The reason they can’t dial this up automatically for you is that it can accidentally put things in spam that are actually legitimate. We recommend that you do dial it up because, given how you operate, it is unlikely to catch too many false positives. The benefit of protection far outweighs the occasional check of the spam folder for a mismarked email. You likely send text files, Word docs, spreadsheets, images, and PDFs; hardly ever send things like macro-enabled spreadsheets; and never send things like password-protected zip files to people you have never interacted with.
When your business grows or you become more dependent on your mailbox and non-standard attachments, this setting may not be as easy as setting and forgetting. For now, though, it is very handy for keeping all those lures out of your and your employees’ mailboxes.
Enhanced scanning will look for things like attachment file types that are outside the normal .docx or .pdf, and links to websites that have been flagged as “bad.” They might also choose to deliver an email that checks off a few of the suspicious boxes, but add a big disclaimer at the top of the email so users can make their own call. Like when my business partner emailed me from a new email account, asking for help. There were no links or attachments, but something was certainly not normal, as “Laura Bell” doesn’t often contact me this way.
Figure: Enhanced scanning (in this case from Google) can flag suspicious emails prominently.
Each email provider will refer to enhanced message scanning slightly differently, and you can most likely find it in the administrator settings. The keywords might read:
enhanced pre-delivery message scanning
enhanced phishing and malware protection
mail flow rules to check for malicious attachments or links
safe attachment policies
safe links policies.
While you are deep in the administrative settings of your mailboxes, there is a setting you need to turn off. Automatic forwarding allows any user to set up a rule where all mail is forwarded on to someone else. It probably seems harmless, such as automatic forwarding of emails for ex-employees to a current employee’s inbox. However, let me reframe how this setting is misused.
When an attacker successfully gets their hands on a pair of valid login credentials for an email, often the first thing they will do is try to “maintain access.” They want you to continue to use the inbox, not suspecting anything, while they wait for the best moment to strike. A common setup for maintaining access looks like this:
Setting up automatic forwarding to a different inbox, usually a throw-away one where they can see copies of emails that are forwarded. A copy of all incoming and outgoing mail is also sent to this mailbox.
Once they see a message come in (such as one asking for bank account or PayPal details) or see a message going out (such as an invoice with payment details), the attacker will log back into the stolen account.
They will reply or follow up on the email with “new payment details,” saying they forgot they changed banks or accounts.
They then set up rules so all replies on that email thread are deleted after they are forwarded. That way the poor mailbox owner is none the wiser that they are not going to actually get the money they expect.
These attacks happen very often, and can be particularly damaging to small businesses because one or two big payments paid to the wrong person can put you out of business. In most cases, the money can’t be reversed and you get stuck in a legal battle.
Automatic email forwarding is a setting that you, as a small business, will rarely have to use.
danger We recommend you search through the administrative settings for “automatic forwarding” and disable it for everyone. This setting is misused so often that large providers make it easy for you as an administrator to turn it off for everyone. It will serve you better to turn this off entirely, and find alternative ways for those one or two use cases where you need to forward emails on.
The last setting to turn on in the administrative settings is alerting. This is the one setting you shouldn’t overdo. It can be easy to turn on “all alerting,” then later hit a point called “alert fatigue.” This is similar to the little kid who cried wolf one too many times, so when there was a real problem no one reacted.
The best way to not overdo alerting is to turn it on for events that you need to respond to (or higher-risk events). If your business grows, you might have people who are responsible for reading through alerts that just need to be “watched closely” (or lower-risk events), but for now we need to make the best of the resources we have. These high-risk events won’t happen often, so when you do get a notification, you know you need to act now.
important Here are a few high-risk security alerts that would cause you to sit up and take action, and what you can do when they happen:
User-reported phishing. This means someone in your business reported an email they received as being dangerous and suspicious. If this happens, talk to the employee: congratulate them for doing the right thing, and look at the message they received. This is a great way to reinforce positive actions on your employee’s part, while also being aware of attempted attacks on your business or people. (Who doesn’t like a pat on the back for a good job?)
Multiple failed logins or suspicious logins. This is either based on the upper limit of failed login attempts you have set, or on an algorithm your email vendor has set based on the “normal login behaviors” they see. This is a good alert to have on because, given the context of how you operate, your employees will rarely log in from new locations other than the standard home, office, or local community. These algorithms usually also have the intelligence to detect that your employee was just logged in from Wellington, New Zealand, and has somehow teleported across the world to log in from Virginia in the US. Note that this setting might be noisy if your teams are using virtual private networks (VPNs), which change where their internet traffic appears to come from. You can action these alerts by again phoning up, texting, or speaking to that employee. If they don’t respond and it isn’t too disruptive, a quick reset of that user’s password can give you some peace of mind before they get in touch.
Leaked or lost passwords. This is an alert that won’t always be available, but is a good one if it is. Large email providers like Google tend to have this option, and you can search through your email provider’s support pages to see if it is available. This can alert you when your email provider discovers a data leak posted online containing your or your employees’ passwords. Large email providers tend to have specialized teams that are responsible for sifting through the internet, looking for indications of breaches to protect their customers and warn them of problems. Hopefully your employees are not using the same password across all their applications, especially with all the tools and controls you have set up to enable them to use unique passwords. But it can happen, and this alert can help you protect them. If this alert triggers, the first thing to do is reset that user’s password yourself. Then follow up with a phone call or in person to explain what happened.
There will be a lot of other alerts you can set up, but until your business gets bigger or you get more employees using email, these alerts will help you stay alert to the most common issues you might face.
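The “teleported across the world” check described above, written out as an added example (not the book’s or any provider’s code) and run over constructed login events. It flags two consecutive logins by the same user that would need faster-than-airliner travel; the speed threshold and the city coordinates are assumptions, and real providers apply their own models.

```python
# Added example: impossible-travel detection over constructed login events.
# Provider alerting does this for you; this shows the logic behind the alert.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 1000  # assumption: roughly airliner speed; raise if VPN use is common

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

# Constructed sample events: (user, UTC timestamp, city, latitude, longitude).
LOGIN_EVENTS = [
    ("erica", "2023-10-09T08:00:00", "Wellington NZ", -41.29, 174.78),
    ("erica", "2023-10-09T10:30:00", "Virginia US", 37.43, -78.66),
    ("laura", "2023-10-09T09:00:00", "Wellington NZ", -41.29, 174.78),
    ("laura", "2023-10-09T17:00:00", "Wellington NZ", -41.29, 174.78),
]

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, hours) for each pair of consecutive
    logins by one user whose implied speed exceeds max_kmh. Events need not be sorted."""
    alerts = []
    last_seen = {}
    for user, ts, city, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev:
            p_ts, p_city, p_lat, p_lon = prev
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(p_ts)).total_seconds() / 3600
            km = haversine_km(p_lat, p_lon, lat, lon)
            # Zero elapsed time with a real distance is as suspicious as a high speed.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, p_city, city, round(km), round(hours, 2)))
        last_seen[user] = (ts, city, lat, lon)
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(LOGIN_EVENTS):
        print("follow up with %s: %s -> %s, %d km in %.2f h" % alert)
```

The one alert produced is the Wellington-to-Virginia pair; Laura’s two Wellington logins are eight hours apart and stay quiet.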
We spent a lot of time thinking about work email and enabling your employees to be secure; now we need to think about the stuff around the edges of that. What about the people on the other end of the email message?
At the end of the day, email is just a digital way we communicate with customers, suppliers, and others. When a supplier comes by to drop off some goods and hands you an invoice, you instantly know and trust that they are who they are. They might be wearing the supplier uniform, driving a supplier branded vehicle, they might even be the same person from the supplier you have worked with for ages. You can trust who they are, what they are doing, and more importantly that the invoice they have handed you is real.
When applied in a digital sense, it is tricky, as you need to rely on cues you find in the email or elsewhere online. Most of the time this cue is the sender’s email address. Sadly, this can be easily spoofed, or faked. It is like a stranger coming into your business, with a handwritten and fake supplier name badge, asking to pick up that payment you missed last month.
You need to think about this as if you and your business were spoofed. What if someone could send an email from your domain? Not only would this be a bad look, but the possibilities could be endless. Someone could impersonate you to your customers, future customers, employees, suppliers, or anyone. Even something as innocuous as sending a very obvious scam email could cause people to raise concern that your work email domain is not safe. That can have a domino effect on your email’s reputation, your ability to send emails without problems, and even the indirect impact of people not trusting your business.
The solution to this is a one-time configuration setup on your mail domain (so long as you don’t change mail providers or domains). The solution also includes a lot of acronyms, so bear with me.
It starts with setting up Sender Policy Framework (SPF). This is a setting that tells mail servers who can send mail for your email domain. For example, if you use Google Workspace for your mail, only Google Workspace should be sending email for your domain. If someone tries to send an email from your domain from a different mail provider or server, it would be sent straight to the receiver’s spam folder or covered from top to bottom with warnings saying “this email sender might be spoofing their domain.”
The configuration relies on a specific value being stored in a text record (a TXT record) within your domain’s Domain Name System (DNS) records. It might look something like this:
v=spf1 include:_spf.google.com ~all
It is like pinning a note to your work email that says, “Here is where we send our mail from.” It looks a bit technical, but don’t get overwhelmed. You will set it up once, then enjoy the benefits of security without having to worry much about it again. Your email provider can usually give you the line of text you need for this too, so take a search through the support pages for “SPF” and you should be sorted.
As the reader of Part II, you are a small business. As you grow, though, or as you use more online email marketing, you might have to change the SPF setting. For example, if you use a mail marketing platform to email your customers, you might need to add that platform as having permission to email on behalf of your domain. It is just something good to keep in mind as you grow, or start getting into email-focused work.
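To show what a receiving mail server actually does with the record above, and what changes when you add a marketing platform later, here is an added, simplified SPF evaluator (example code, not the book’s or any provider’s). The DNS answers and IP ranges in it are constructed stand-ins, and the domain names are placeholders, so it runs offline.

```python
# Added example: a cut-down SPF check covering ip4, include and the "all"
# mechanism with its qualifiers. Real resolvers query DNS; this uses a table.
import ipaddress

# Constructed stand-in for DNS TXT answers. The ranges are documentation
# addresses, not the provider's real netblocks.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ip4:203.0.113.0/24 -all",
    "marketing-platform.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "strict.test": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for a sending IP."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms per check
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: receiver cannot tell real from fake
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the referenced domain's policy says pass
            matched = check_spf(term[8:], sender_ip, dns, depth + 1) == "pass"
        else:
            continue  # a, mx, ptr and others are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"

def add_sender(record, mechanism):
    """Insert a new mechanism before the trailing 'all' term, which is the edit
    you make when a marketing platform starts sending on behalf of your domain."""
    terms = record.split()
    terms.insert(len(terms) - 1, mechanism)
    return " ".join(terms)
```

Note that `~all` only softfails unknown senders; the stricter `-all` used by the constructed strict.test record tells receivers to reject them outright.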
Next, you can set up what is called DomainKeys Identified Mail (DKIM). The theme here is to set up multiple security controls, so if one fails, you are still safe. Using SPF and DKIM together is like that. SPF is not foolproof; DKIM takes it one step further by digitally signing all outgoing emails. Proof of what your signature looks like (or your public key) is displayed in a similar domain (or DNS) record as SPF.
Remember back in grade school, when you would come home with bad grades and you had to have your report card signed by your parents? And when you tried to hand in a forged signed report card to your teacher, they laughed and made you go to the principal’s office? (No, just me?) Well, it is the same thing. Except the teacher is a recipient’s mailbox, and the report card is an email message, the teacher’s laugh is a “DKIM failure response” because the signature is not legitimate, and the principal’s office is a spam or quarantine folder where all emails go to die.
The good thing is that setting up DKIM for large email providers can be quite easy. Although larger businesses might create their own signature, as an early small business you can get by with simply using DKIM that your large email provider gives you. As with SPF, this is set up by adding a TXT record to your domain record so others know what a real signature looks like.
There is a third acronym out there called DMARC (or Domain-based Message Authentication, Reporting, and Conformance), an email authentication protocol that sets rules about how to handle emails that don’t align with your SPF and DKIM policies. Setting up DMARC can be quite technical, and will become more important as your business grows. For now, SPF and DKIM alone can prevent others from impersonating you or your work domain.
One last thing you can do for SPF and DKIM is to set rules on how your own mailboxes will handle mail that fails these checks, preventing spoof messages from being received by you or your employees. Most large mail providers are good at at least flagging failures with a bunch of warnings by default (big yellow and red ones too, so they are hard to miss). If this isn’t the default setting, sending those failures to spam is the best setting to have.
Don’t worry—any messages that don’t have these SPF/DKIM records set at all will still be received; you just won’t really be protected if someone spoofs those domains. But you can’t really do much about that. That is exactly why we have multiple other controls—like alerts when phishing is reported, or uncommon attachments and links turned off—to protect us instead.
resources More on SPF and DKIM:
Postmark App’s SPF guide and DKIM guide
If you want to take the next step into DMARC, these two guides are a great place to start:
🚀 As explained by Erica
The minimum operating expectation for any business nowadays is to have a basic website with service or product information, and contact details. Depending on whether you sell products or services via your website, you may just set it up and forget about it, or regularly interact with it.
Either way, your website is valuable real estate. That might seem silly considering how cheap and easy it can be to set one up. Anyone can make one, right? While this is true, let me explain the economics behind why someone else might want to just take advantage of yours rather than set up their own. We’ll then explain the few things you can do to stop an attacker from misusing yours.