How many times a day do you click send on an email? If you are like most people, hundreds. And you probably never give it a second thought. You assume it's safe. You assume it will go to the person you intend it to.
And there is the problem. Organizations, and the people in them, simply never think about email content being stolen – until it happens. In every organization, individual employees are the weakest link when it comes to email security. Remote working, which is becoming more ubiquitous and appealing, makes the use of unsecured email (on personal devices) even more likely, adding another weakness. Employees' use of personal mobile devices to access work-related data or connect to unprotected WiFi networks also puts their company at risk.
Put a dollar figure on it
Hacking emails is the cheapest way for cybercriminals to make a profit, both because email is easy to access and because someone else's financial and personal data has financial value. According to FBI.gov, "Since 2013, when the FBI began tracking an emerging financial cyber threat called business e-mail compromise (BEC), organized crime groups have targeted large and small companies and organizations in every U.S. state and more than 100 countries around the world—from non-profits and well-known corporations to churches and school systems. Losses are in the billions of dollars and climbing."
According to SecurityLedger.com, the FBI and international law enforcement recorded more than 40,000 incidents of BEC or other email account compromise attacks in 2016, a 2,370 percent increase since the start of 2015. And reports are accelerating. In just the last half of 2016, the FBI received reports of 3,044 U.S. victims reporting losses of $346 million.
And HR Pros beware: Among the new trends is W-2 theft! In August of 2017 the LA Times reported an IRS warning involving W-2 phishing scams. Some 200 businesses, public schools, universities and Native American governments and nonprofits were victimized – up from a mere 50 in 2016.
Be proactive instead of reactive
The solution is the right tools, communication, training and an internal, written policy with rules. "These are the tools, these are the rules, and if you don't follow them, these are the consequences."
More often, cybercriminals use spear phishing against human resource departments. In spear phishing, the cybercriminal poses as a person in the organization who has authority, using an email that looks very similar to a genuine one (a spoofed email), and requests money or personal information about employees. Beware of the return email address!
Hold regular mandatory meetings to help IT educate everyone with access to confidential information. And remember, from Social Security numbers to bank routing and account numbers, to something as simple as employee birthdates – it's all a goldmine to a hacker.
- Limit internal/employee access to confidential/sensitive information.
- Use company email – generally it has more security features than personal accounts.
- Ensure your network is private.
- Use smart passwords – use upper and lowercase letters and special characters, and avoid complete words or phrases and significant numbers or dates.
- Think about the username.
- Confirm requests for direct deposit changes and confidential employee information by using phone verification as part of two-factor authentication; use previously known numbers, not the numbers provided in the e-mail request.
- Verify changes in vendor payment location by adding additional two-factor authentication.
And lastly, before anyone, from the CEO to the receptionist, clicks that send button, think about:
- Triple-checking the recipient email – correct?
- What is in the email – What if it went public?
- If the content is sensitive, is the recipient aware of it?
- HR people have sensitive, confidential info, like Social Security numbers, direct deposit account numbers, etc.
- Where is the email going? Its destination could be the main point of vulnerability.
These points alone will save organizations plenty of legal and financial complications. Adding email encryption capabilities that sit within an organization's email interface gives users the confidence to hit send and know that email is safe in a sea of threats.