Publishing your email address isn't a security disaster

30 Apr 2012

Davey Winder says businesses have no good reason to hide their email addresses online

Every now and then, some well-meaning but completely bonkers advice comes my way from a most unlikely source.

I wasn’t too amazed when an elderly relative of mine expressed surprise that his PC was heavily infected despite the installation of internet security software years ago. It didn’t particularly faze me to discover a man who thought he knew everything there was to know about computers, but who didn’t realise that you have to pay your annual subscription fee to continue receiving threat protection database updates.

I was fazed, though, when an IT security vendor seemed to be suggesting that a business that publicly reveals its email address is somehow compromising data security and putting itself at risk. I understand that risk is relative, and an exposed business email address creates a greater corporate data security risk – from social engineers, phishers, hackers and cybercriminals – than if no such email contact points were disclosed.

However, I also understand that the dictionary definition of an address is a place where a person or organisation can be found or communicated with, and that’s just as true of a street or an email address. The point of having a business email address is to enable people, including potential as well as existing customers, to get in touch with you, and there’s no point having one at all if you don’t let anyone know what it is.

So what on Earth were the folk over at the Websense Security Labs on about when they informed me that “thousands of businesses and consumers are putting themselves at risk each day by publicly revealing their email addresses on Twitter”, and went on to argue that because those addresses are “connected with their inboxes, social media identities and bank accounts”, this leaves these business users exposed to the potential for “advanced social spear phishing attacks”? The cherry on top of this farrago of nonsense was the advice to employers to “re-evaluate acceptable use policies to discourage staff from sharing email addresses on Twitter”.

To be honest, I think that in this particular case the security vendor was well intentioned, but perhaps got a little carried away while preparing its email security risk message. Yes, indeed, there are people out there with bad intentions, who target business users on social networks in order to infiltrate their systems using an old social-engineering strategy known colloquially among security types as “spear phishing”. It’s so called because such an attack is focused upon an individual within a specific department, rather than adopting a scattergun approach to the problem of how to get a RAT (remote access trojan) or similar piece of malware installed within the corporate network security perimeter.

By concentrating upon a vulnerable individual, especially one who is active on Twitter or Facebook, it’s possible to build up an accurate profile of that person both personally and, most importantly, professionally. Assuming the targeted person hasn’t opted to make their information available to only friends, for example, it’s all too easy to quickly scan through their friends list and, after putting in a bit of graft, compile a dossier of work colleagues and customers.

Link this information to conversations posted to the target’s wall on Facebook, and that previously mentioned business email address, and the bad guys have the ammunition required to impersonate someone already known to that employee. Exploiting this basis of trust allows the attackers to then attach an “important document” or a link to something they may be interested in, and by so doing solicit the vital click that installs malware.

So, yes, I can see where the Websense chaps were coming from, but I’m afraid that it all sounds a little bit too Chicken Little for me. The sky will not fall in if you post your business email address on Facebook, and acceptable use policies shouldn’t be altered to make doing so a hanging offence. Especially since it’s oh-so-easy to guess specific email addresses, given that just about every company uses one of only two or three standard address formats.

Tracking down which is used is only a matter of visiting the company’s website and taking a quick look at the “about us” page, or the list of contact options for the directors or sales executives.