The FBI recently posted a warning (https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams) detailing how, between October 2013 and February 2016, US law enforcement received reports from over 17,000 victims of this fraud, with losses totalling over $2.3 billion. Sadly, this is an escalating problem (since January 2015 the FBI has seen a 270% increase!) and one that is here to stay for a while.
Whilst the statistics focus on the US, it is safe to say that they reflect criminal activity worldwide. This is something we routinely hear about when working with our clients, and we are frequently asked whether the activity can be blocked.
The answer is yes, and no. There are modifications we can make to a company’s infrastructure and mail services which dramatically reduce the chances of this happening, but hardening the IT assets only goes so far. The people who work in the business are the key players in the completion of a scam, and we find that they benefit greatly from understanding the lifecycle of an email scam through end-user education, something I assisted with during a visit to a client site. During a meeting with the business owner it became apparent that the business had already received some of these emails but, luckily, had not become a victim. We worked through an example of how this fraud occurs and decided on a course of action which included some end-user education and an upgrade of the perimeter firewall to one offering a unified threat management engine, to help combat cyber threats in general.
I’ve shared the example we discussed below. The general concept of this scam is ‘quality over quantity’. Different cyber criminals want different results: some want to create and control a ‘botnet’, which involves sending tens or hundreds of thousands of malware-laden emails in the hope that a few succeed. This type of scam is more tailored: the emails sent number in the hundreds, so they rarely get picked up as bulk spam. The criminals research the organisation and use what they learn to tailor their emails and make sure they reach the right recipient.
The criminals will often use open sources of information to find out the details of a business: think of the company’s website, or individuals’ LinkedIn, Facebook and Twitter profiles. These are rarely locked down properly and contain all the information needed to understand the business and its structure. Once they know the targets they might, on some occasions, send malware-laden emails to those targets with the intention of stealing the users’ email account credentials. They can then read the mailbox to make sure their own emails are written in the correct tone and with the right vocabulary. However, this is much rarer.
More often than not, once they know the target company and the key people within it (typically the Managing Director and finance staff), they move on to the attack phase. They will typically spoof your domain so that, at first sight, the email appears to come from the MD (hint: it doesn’t!). This is something we can mitigate with some hardening of your email configuration, so that a message claiming to come from your domain but not sent by your own mail servers is rejected or quarantined before it reaches an inbox.
They might also buy a domain to send the emails from that is one or two characters out, so it looks very similar:
Complete-it.co.uk – original domain
Comp1ete-it.co.uk – the letter ‘l’ replaced with the digit ‘1’
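To make the two tricks above (a spoofed copy of your own domain, and a look-alike domain registered by the criminals) concrete, here is an added Python example that is not code from the original post or its author. It classifies the From: header of an inbound message against your own domain: a message that claims to be from your domain is treated as spoofed unless the DMARC verdict recorded by your own receiving mail server in its Authentication-Results header (RFC 8601) is ‘pass’; a domain that folds to yours once look-alike characters are normalised, or that is one edit away from it, is flagged as a look-alike. It also goes slightly beyond the text by catching the case where your real address appears only in the display name. The organisation domain is taken from the page’s example, the homoglyph table is an illustrative subset, and the sample headers are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Our own domain, taken from the page's example (assumed for illustration).
ORG_DOMAIN = "complete-it.co.uk"

# Characters and pairs that pass for a letter at a glance. Illustrative subset
# only, not a complete confusable-character table.
HOMOGLYPHS = {"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b",
              "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold look-alike characters back to plain letters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def auth_result(header: str, method: str) -> str:
    """Read one method's verdict (spf/dkim/dmarc) out of an Authentication-Results header."""
    m = re.search(rf"\b{method}=(\w+)", header or "", re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def classify_sender(from_header: str, auth_results: str,
                    org_domain: str = ORG_DOMAIN) -> str:
    """Classify the From: header of an inbound message relative to our own domain.

    'internal'  : From: is our domain and our mail server's DMARC check passed
    'spoofed'   : From: is our domain but DMARC did not pass (forged header)
    'lookalike' : the domain is a near-copy of ours, or our domain is shown only
                  in the display name while the real address is elsewhere
    'external'  : any other sender
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    org = org_domain.lower()
    if domain == org:
        return "internal" if auth_result(auth_results, "dmarc") == "pass" else "spoofed"
    if (normalise(domain) == normalise(org)
            or edit_distance(domain, org) <= 1
            or org in name.lower()):
        return "lookalike"
    return "external"


# Constructed sample headers for demonstration; not real traffic.
SAMPLES = [
    ("internal",  "MD <md@complete-it.co.uk>",
                  "mx.complete-it.co.uk; spf=pass dkim=pass dmarc=pass"),
    ("spoofed",   "MD <md@complete-it.co.uk>",
                  "mx.complete-it.co.uk; spf=fail dkim=none dmarc=fail"),
    ("lookalike", "MD <md@comp1ete-it.co.uk>",
                  "mx.complete-it.co.uk; spf=pass dkim=pass dmarc=pass"),
    ("lookalike", "MD <md@complete-lt.co.uk>",
                  "mx.complete-it.co.uk; spf=pass dmarc=pass"),
    ("lookalike", "\"md@complete-it.co.uk\" <md.urgent@webmail.example>",
                  "mx.complete-it.co.uk; spf=pass dmarc=pass"),
    ("external",  "Supplier <accounts@supplier.example>",
                  "mx.complete-it.co.uk; spf=pass dmarc=pass"),
]


def run_samples():
    """Return (expected, actual) pairs for the constructed samples."""
    return [(exp, classify_sender(frm, ar)) for exp, frm, ar in SAMPLES]


if __name__ == "__main__":
    for expected, got in run_samples():
        print(f"{got:9s} (expected {expected})")
```

Two caveats when using something like this in a mail filter. The DMARC verdict is only trustworthy if it comes from the Authentication-Results header your own mail server added; strip any such header that arrives from outside, or a criminal can simply include a forged ‘dmarc=pass’. And the verdict only exists if your domain publishes SPF, DKIM and DMARC records and your inbound filter evaluates them, which is the configuration hardening referred to above. The edit-distance threshold of one is a starting point; a short domain name will need a tighter rule, a long one can tolerate a looser one.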
The emails will typically take the form of the MD asking the Finance Manager for an urgent transfer of funds to an account which is actually under the criminals’ control. There is nothing strange about this sort of request: quite often in SMEs, unscheduled or delayed payments are rushed through after an instruction over email.
Once the payment has gone, it’s gone. Contact your bank immediately if you realise what has happened, as a recall is occasionally possible within the first hours, but otherwise you could have just lost thousands of pounds which is likely to be unrecoverable unless you hold specific insurance.
How can you protect your business against this sort of threat?
- Configure your infrastructure to reduce the chances of fraudulent emails entering the company’s email ecosystem. Publishing SPF, DKIM and DMARC records for your domain, and having your inbound mail filter enforce them so that mail claiming to be from your domain but not sent by your servers is rejected, is the usual starting point; talk to your Technical Consultant about the options available.
- Keep anti-virus and anti-malware subscriptions up to date on all endpoints and servers, so that the malware-laden emails used to steal mailbox credentials are caught.
- Use a form of two-factor authentication for money transfers. Agree a key word or phrase that must be included in an email for it to be treated as a valid instruction, and never discuss it over email. Alternatively, make sure every payment instruction is confirmed verbally, using a phone number you already hold for the person rather than one quoted in the email, since the criminals will happily answer a number they supplied themselves.
- Change your email and computer passwords regularly, never reuse them across services, and enable two-factor authentication on mailboxes where your mail provider supports it, so that a stolen password alone does not hand the criminals your inbox. Yes, it is a pain, but it’s essential.