Every time a large organisation suffers a high-profile cyber-attack, the assumption grows that it’s always the big names that fall victim to cyber criminals. And that’s just the way they like it. Why? Because while the media is reporting on the latest hack at Marriott, Sony and Yahoo – smaller organisations (and their people) get a little bit more relaxed.
Surely it won’t happen to us? Well, yes – it could. And if 2018 was anything to go by, the humble email will be their most effective way in to your organisation. But, with some awareness, training and protective measures, it doesn’t have to be this way.
In this article we cover why email hacking or, as it’s known in cyber security circles, Business Email Compromise (BEC), can be such a threat. We’ll also suggest what your organisation can do to prevent it happening to you.
What is it?
It’s where a cyber attacker gains access to a corporate email account, or copies (‘spoofs’) the owner’s identity so that mail appears to come from that account. Because the emails they receive look genuine, employees and customers can be defrauded into taking the action the fraudulent email asks for – usually sending money to the attacker’s account.
The attacker is using email as a means to exploit, but the real weakness in the system is often the naivety of people. Employees are often too trusting and time pressured to be as alert as they need to be.
Businesses can also be hit by phishing attacks – where scammers send fake emails asking for sensitive information. They might try to trick the recipient into revealing bank details or sending money. Forget that obviously fake African prince asking for your help in unlocking his ‘fortune’, business email fraud is getting very sophisticated, convincing and difficult to spot.
And to make matters worse, many email compromises aren’t spotted until some time has elapsed – leaving the hacker free rein to work undetected within a victim’s email system.
The problem is so big that Forbes put BEC and phishing attacks as their top cybersecurity trend for 2019, reporting that attacks were up by 297% across 2018.
Some examples – how do they manage it?
If you think you are covered because you’ve got anti-virus software or you consider yourselves too smart to fall for it, you’ve probably already been compromised.
Anti-virus software is of no use here. The attackers are logging in with either the right credentials, or they are brute forcing their way into accounts. For example, taking a password leaked from one compromised account and then trying it, and variations of it, against the same person’s other services, or trying a short list of common passwords against many different accounts.
Your email hosts might have a huge team trying to prevent these kinds of attacks but they can’t stop all of them. Anti-spam doesn’t work either, because the attackers design their emails so that they will not be detected by the anti-spam software.
- CEO fraud – impersonating a senior figure to request that a payment be made…
- Bogus invoicing scams
- HR impersonation – to gain personally identifiable information
- Email address harvesting
- Fraud emails – such as ‘You’ve been filmed watching porn’. Sent out en masse, this is a current scam that accuses people of being caught watching an adult website. It looks like an email from a friend (at first) but can make your blood run cold. Read the full story here
What can you do about it?
A combination of better awareness, common sense and workplace training is a good place to start, such as:
- Better employee awareness and training – build a ‘think cyber security’ culture. Train people to look for signs of suspicious activity. Look out for poorly written emails, those sent from a mobile, using wrong signature lines etc.
- Put in place a process that doesn’t rely on email to verify unusual financial or sensitive data requests – confirm them through a standard non-email channel. You can even call colleagues to check using the phone – remember how we used to talk to each other?
- Introduce 2 Factor Authentication. This is an extra layer of security that requires not only a password and username but also something that the user has on them. A common example is a text message containing an additional one-time code. Due to the increasing number of incidents we are seeing across all clients we feel you should mandate that all your staff have this turned on, whilst understanding that there may be some downsides to doing this.
- Introduce password managers – and a good password policy. A password manager like 1Password can help to ensure your staff don’t use the same password more than once, and so help ensure that an account that is breached cannot be used to access other, unrelated accounts.
- Stop using lazy passwords! Believe it or not, the most hacked passwords seem to be the same each year, such as ‘StarWars’, ‘1234’ or ‘QWERTY’. Passwords that are actually password phrases are much harder to crack, especially combined with numbers: ‘20peterandjanewenttothecinema19’, for example.
- Spoof phishing attack training. We partner with a security specialist called KnowBe4, and a number of our clients have taken up this service. It allows us to set up spoof phishing attacks so we can spot who is most likely to be susceptible and provide mandatory training for staff so that they better recognise the threats.
- Ensure DMARC, DKIM and SPF are all defined for your email domain. SPF lists the servers allowed to send mail for your domain, DKIM adds a cryptographic signature to outgoing messages, and DMARC, which stands for Domain-based Message Authentication, Reporting & Conformance, is a standard that tells receiving servers what to do with mail that fails those checks, so that email users can be sure the messages they receive are from a recognised source – read more on our blog Improve your email safety with DMARC.
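The records behind that last point are easy to get subtly wrong (an SPF record that ends in `~all`, or a DMARC policy left at `p=none`, still lets spoofed mail through). The following Python script is an added example, not code from this article or from any vendor it mentions: it parses SPF, DKIM and DMARC TXT records and reports the weak settings beside what a hardened setup looks like. The domains, records and DKIM selector name `s1` are constructed for illustration (the `.test` top-level domain is reserved, and the DKIM key value is a placeholder); DNS is replaced by an in-memory table so the script runs offline, and the lookup function can be swapped for a real resolver to check a live domain.

```python
"""Check a domain's SPF, DKIM and DMARC records for weak settings.

Added example (not from the original article). DNS lookups are replaced
by a constructed in-memory table so the script runs offline; swap the
lookup function for a real resolver (e.g. dnspython) to check a live domain.
"""
import re
from typing import Callable, Dict, List, Optional

TxtLookup = Callable[[str], List[str]]

# Constructed sample records. The .test TLD is reserved, so none of these
# are real domains, and the DKIM public key is a placeholder, not a real key.
SAMPLE_TXT: Dict[str, List[str]] = {
    # Weak: SPF softfail, DMARC only monitoring, no DKIM key published.
    "weak.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.10 ~all"],
    "_dmarc.weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@weak.test"],
    # Hardened: SPF hard fail, DMARC reject with strict alignment, DKIM published.
    "hardened.test": ["v=spf1 include:_spf.mailhost.test ip4:203.0.113.10 -all"],
    "_dmarc.hardened.test": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
        "rua=mailto:dmarc-reports@hardened.test"
    ],
    "s1._domainkey.hardened.test": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY_BASE64"],
}


def sample_lookup(name: str) -> List[str]:
    """Stand-in for a DNS TXT query, answered from the constructed table."""
    return SAMPLE_TXT.get(name.lower(), [])


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()[1:]  # drop the 'v=spf1' version tag
    all_qualifier: Optional[str] = None
    mechanisms: List[str] = []
    for term in terms:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; ...' (DMARC and DKIM share this syntax) into a dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# SPF terms that each cost a DNS lookup; more than 10 is a permanent error (RFC 7208).
DNS_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def assess_domain(domain: str, lookup: TxtLookup = sample_lookup,
                  dkim_selector: str = "s1") -> Dict[str, object]:
    """Return the findings for a domain and whether it passed every check."""
    findings: List[str] = []

    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record, so receivers cannot tell which hosts may send for you")
    else:
        parsed = parse_spf(spf[0])
        lookups = sum(1 for m in parsed["mechanisms"]
                      if re.split(r"[:=/]", m, 1)[0].lower() in DNS_MECHANISMS)
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10")
        if parsed["all"] in (None, "+"):
            findings.append("SPF: record does not end in -all, so any host passes")
        elif parsed["all"] in ("~", "?"):
            findings.append("SPF: ends in softfail/neutral; use -all so spoofed mail fails")

    dmarc = [r for r in lookup(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record, so SPF/DKIM results are never enforced")
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine is good; p=reject blocks spoofed mail outright")
        if int(tags.get("pct", "100")) < 100:
            findings.append("DMARC: pct below 100 leaves some spoofed mail unfiltered")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so you receive no aggregate reports")

    dkim = lookup(f"{dkim_selector}._domainkey.{domain}")
    key = parse_tags(dkim[0]) if dkim else {}
    if not key.get("p"):
        findings.append(f"DKIM: no public key at selector '{dkim_selector}', so mail is unsigned")

    return {"domain": domain, "findings": findings, "hardened": not findings}


if __name__ == "__main__":
    for name in ("weak.test", "hardened.test"):
        result = assess_domain(name)
        print(name, "hardened" if result["hardened"] else "needs work")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed table, `weak.test` produces three findings (SPF softfail, DMARC monitoring only, no DKIM key) and `hardened.test` produces none. The DKIM check only confirms that a public key is published at the selector you name; whether your outgoing mail is actually signed with it is something to verify from the headers of a message you send yourself.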
How to identify the risks in your organisation
We’ve covered what it is, how it happens and what you can do about it – but what if you wanted to take a more specific look at your organisation? Particularly if you’re worried you’ve been compromised and you want to discover who might have been affected or is at risk?
You could start by visiting haveibeenpwned.com and checking whether your own email address, and any other email addresses you use, appear in known data breaches. We have links to other free-to-use email security tests; please contact us and we’ll be happy to send those that fit your needs.
We’ve already mentioned our work with security awareness specialists KnowBe4. It’s a commonly held view that people are your weakest link in all forms of security, including email, but much can be done to rectify that with security training. We can help you identify where the weak links might be, and where the risks lie.
Start protecting your organisation from email fraud today
Contact us today for an informal chat about how to improve email safety and any business email compromise concerns you may have.
We’ll give you a steer on the topic and, if it sounds like you need some support, we’ll tell you more about how our training services can protect your organisation and turn your people into your best line of defence.