As mail server administrators, we may have extensive knowledge on how to use email safely and securely, but what about end users? You do everything you can to block spam & malware, but if you don't educate your users and one of them clicks on a link in a spam message, your network can be made vulnerable. Consider these recent cases that could have been avoided if users were armed with the right information to identify phishing scams and other threats.
1. Northern Territory Government Agency (Australia)
In November 2024, a fraudster impersonated a contractor via a Business Email Compromise (BEC) phishing email, sending forged documents with fake banking details. The agency transferred AU$3.58 million (≈ US$3.5 M); about US$11,600 remains missing after most was recovered.
2. Datavant (USA, Health IT)
In May 2024, a targeted spear-phishing email compromised a staff member's credentials. Hackers accessed the employee's email account, resulting in a breach that exposed sensitive information, including children's names, addresses, and Social Security numbers, affecting thousands of people.
3. American Airlines
In July 2022, attackers used a phishing attack to gain access to several employees' email accounts. This led to a data breach involving internal communications and potentially sensitive information, though the number of affected records and the financial impact were not disclosed.
4. Experi‑Metal vs. Comerica (USA)
On January 22, 2009 (a historically notable case), one employee clicked a phishing link and revealed login credentials. Within just over 6 hours, 93 fraudulent wire transfers totaling approximately $1.9 million were made from the company's account.
These are just a few high-profile incidents among many others that could have been prevented if the user had been better informed on email safety and security.
Email security isn't just the email provider or administrator's responsibility. It's everybody's responsibility. Here is a list of safety tips all mail server administrators should share with their users to help keep spam & malware to an absolute minimum.
- Change your password often.
MDaemon admin tip: Configure password expiration settings to ensure users change their passwords regularly. Review this article for instructions.
- Use long, strong passwords with a variety of character types (upper & lower-case letters, numbers, and special characters). Never use a password that contains "password" or "letmein."
MDaemon admin tips:
- Configure password strength settings
- Configure the Bad Passwords file
- Enable Compromised Password Checking
- Use a different password for each of your accounts. If you use the same password for your bank account as you do for your email account, you become much more vulnerable to data theft.
- Use app passwords to protect against hackers. App passwords allow MDaemon users to use a different password for each of their connections to their email account. For example, users can have one password for Webmail, one password for their ActiveSync connection, and one for their IMAP connection.
You can review this article to learn more about these best practices for stronger email passwords:
Protect Accounts from Hackers: 9 Tips for Stronger Passwords
- Don't open an attachment unless you know who it is from & are expecting it.
- Be cautious about email messages that instruct you to enable macros before downloading Word or Excel attachments. Malicious macros can unleash malware onto your network and potentially cripple your business.
- Use anti-virus software on your local machine, and make sure it's kept up-to-date with the latest virus definitions.
- If you receive an attachment from someone you don't know, don't open it. Delete it immediately.
- Learn how to recognize phishing:
- Generic greetings
- Messages that contain urgent or threatening language
- Requests for personal information such as passwords or Social Security numbers
- Forged or suspicious sender email addresses
- Poor writing or bad grammar (however, with the proliferation of AI tools, phishing emails are more likely to sound professional and legitimate)
- Mismatched branding (logos or formatting may look off – blurry images, wrong colors, or unusual layouts)
- Hover your mouse over links before you click on them to see if the URL looks legitimate.
- Instead of clicking on links, open a new browser and manually type in the address.
- Don't give your email address to sites you don't trust.
- Don't post your email address to public websites or forums. Spammers often scan these sites for email addresses.
- Don't click the "Unsubscribe" link in a spam email. Doing so only confirms to the spammer that your address is active, which can lead to even more spam. Instead, block the sender or mark the message as spam.
- Don't send personal information in an email message (Reputable businesses will never ask for personal information via email).
- Don't reply to spam. Be aware that if you reply to a spam email, your reply most likely will not go back to the original spammer, because the FROM header in the spam message is most likely forged.
- Don't share passwords.
- Be sure to log out. Leaving an email account logged in on a device, especially a public or shared one, leaves your personal information vulnerable to unauthorized access, potential hacking, and identity theft.
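As an added example (not code from the MDaemon post), here is a small Python checker that applies several of the phishing indicators listed above to a single message: a Reply-To domain that differs from the From domain, a generic greeting, urgent or threatening wording, and link text whose domain differs from where the link really goes (the "hover over the link" tip). The sample message, the domains, and the keyword lists are constructed for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
PATTERNS = {  # wording the checklist above calls out; constructed keyword lists
    "generic greeting": re.compile(r"\bdear (customer|user|account holder)\b", re.I),
    "urgent or threatening language": re.compile(r"\b(urgent|immediately|suspended|verify now|within 24 hours)\b", re.I),
}

class LinkCollector(HTMLParser):  # pairs each <a href> with the text the reader actually sees
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
            self._href = None

def site(value):  # approximate registrable domain (last two labels); wrong for co.uk-style suffixes
    host = urlparse("http://" + value.split("://")[-1]).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def phishing_indicators(raw):
    msg, found = message_from_string(raw, policy=policy.default), []
    sender, reply = (site(parseaddr(str(msg.get(h, "")))[1].split("@")[-1]) for h in ("From", "Reply-To"))
    if reply and reply != sender:  # forged or suspicious sender: replies are routed elsewhere
        found.append(f"Reply-To domain {reply} differs from From domain {sender}")
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    found += [name for pat_name, pat in PATTERNS.items() if pat.search(str(msg.get("Subject", "")) + " " + text) for name in [pat_name]]
    links = LinkCollector()
    links.feed(text)
    for href, shown in links.links:  # what the user sees vs. where the link really goes
        if "." in shown and " " not in shown and site(shown) != site(href):
            found.append(f"link text shows {site(shown)} but points to {site(href)}")
    return found

# Constructed sample (not a real phish) on which every check above fires.
SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank.test>
Reply-To: helpdesk@mail-recovery.example
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p><p>Verify now or your account will be suspended within 24 hours.</p>
<p><a href="http://login.mail-recovery.example/x">https://www.example-bank.test/login</a></p>
"""
```

Run `phishing_indicators(SAMPLE)` to see all four indicators; a benign message with matching domains and no trigger phrases returns an empty list.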
In many ways, your network is only as strong as its weakest link. Don't be that weak link. In addition to the tools administrators use to keep unwanted threats out, user education is key to keeping your network secure.