We talk a lot about how insecure email is. It’s an open technology that was never designed with security in mind.
What many don’t understand is the power a seemingly genuine email has over our actions.
Business Email Compromise (BEC) scams have exploded in recent years. The FBI reported that it has cost organisations more than $12 billion since 2013.
There are a lot of things that make BEC attacks effective, but it’s human behaviour that stands out. We don’t see what’s happening and weren’t looking for it in the first place. When we’re using email we’re usually hurried, trying to get through our day, and don’t stop to think about whether an email (and its content and attachments) is genuine or not.
Here are two examples that show what an email and a little bit of contextual knowledge can create:
Example 1
The email from the boss looked kosher. He said a new supplier needed paying urgently – £50,000 to secure an important contract.
He wanted it done as soon as possible because he was on holiday and didn’t want to worry anymore about work.
This rang true to the finance director because his boss had already posted a photo of his Greek island getaway on Instagram. His email address looked genuine too.
This was a small manufacturing firm. It ended up losing £150,000 to a skilled fraudster who had done nothing more than his homework.
Taken from BBC Article “Three Words to Set Alarm Bells off For Every Firm”
Example 2
A senior partner broadcast on social media full details about a business trip to Barcelona (flight, meeting plans, weather etc).
A criminal gang based overseas used this information to initiate a phishing attack against the firm’s accounts team. An accounts clerk received an email from an account spoofing the senior partner’s email address, instructing her to pay an invoice and imploring confidentiality.
Even though the firm had in place a number of policies and procedures that systemised the payment of invoices, they were able to persuade the accounts team to bend the rules, under the pretext of urgency, confidentiality and seniority.
The criminals also knew that the accounts team were tied up in installing a new accounting package and training on the new system, as a staff member had mentioned it on Facebook. It was at this time that the criminals convinced the clerk to make an authorised payment of £35,000.
The firm only realised it had fallen victim to phishing when another senior partner later queried the transaction.
Reproduced from the National Centre for Cyber Security (NCSC) Report “The Cyber Threat to the Legal Sector” 2018
What’s Going On?
There are common factors across both examples:
- It was a senior person’s email address that was used (we’re conditioned to do what the boss says)
- There was some contextual knowledge (both senior people had broadcast the fact that they were away)
- The individuals on the receiving end thought they were communicating with their boss because it looked like it was their email address
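The three common factors above can be turned into a mechanical check that an accounts team or mail gateway runs before acting on a payment request. The following Python triage routine is an added example, not code from the original article: the firm domain, executive names and both sample messages are constructed assumptions, and the routine assumes single-part text messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the firm's own mail domain and the senior people whose
# names a fraudster would borrow (both are constructed for this example).
FIRM_DOMAIN = "example-firm.co.uk"
EXECUTIVES = {"alice partner", "bob director"}

# Cues taken from the two case studies: urgency, confidentiality and
# seniority on one side, payment instructions or new bank details on the other.
PRESSURE = re.compile(r"\b(urgent(ly)?|asap|confidential(ity)?|immediately)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|transfer|bank details|account number|sort code|pay(ment)?)\b", re.I)

def triage(raw_message):
    """Return the reasons a message should be verified out of band (phone, in person)."""
    msg = message_from_string(raw_message)       # assumes a single-part text message
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    # Factors 1 and 3: a senior person's name, but the address is not on our domain
    if name.strip().lower() in EXECUTIVES and domain != FIRM_DOMAIN:
        reasons.append(f"executive name '{name}' used with external address {addr}")
    # Replies silently routed to a different mailbox than the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # Pressure language combined with a payment request (subject and body)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if PRESSURE.search(text) and PAYMENT.search(text):
        reasons.append("payment request combined with urgency/confidentiality language")
    return reasons

# Constructed messages: one modelled on the case studies, one routine.
SPOOFED = """\
From: Alice Partner <alice.partner@example-firm-mail.com>
Reply-To: a.partner.travel@webmail.example
Subject: Urgent invoice

I'm travelling and need this kept confidential. Please pay the attached
invoice today; the supplier's bank details have changed.
"""
GENUINE = """\
From: Alice Partner <alice.partner@example-firm.co.uk>

Attached are the minutes from Tuesday's meeting.
"""

if __name__ == "__main__":
    for reason in triage(SPOOFED):
        print("VERIFY:", reason)
    print("genuine message flags:", triage(GENUINE))
```

Any message that returns one or more reasons is confirmed by a phone call to the known number of the person it claims to come from, never by replying to the email.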
One way of looking at this is to be wary of posting details of your foreign trip if you’re the boss.
Another would be to take a look at why BEC attacks have taken off. There are many financial transactions that follow a predictable path – here are just a few examples:
- A property transaction with a conveyancing solicitor will see emails exchanged over a period of time before final contracts are ready to exchange and payment to be made
- Probate and Estate Management cases where emails are exchanged until finally the estate is settled and money distributed
- Building and construction projects where work is completed and an invoice presented for payment
In each of these examples, if both parties’ identities can be established and either party’s email account can be compromised, then a cyber criminal with a motive is now equipped with the means and method to perpetrate a fraud. All they need to do is time their email appropriately.
This is exactly what happens with ‘Friday Afternoon Fraud’ – the fraudster identifies a number of transactions taking place and emails as either the solicitor’s firm or the buyer / seller at the point where funds are most likely to be transferred. With an email as simple as a claim that the bank details have changed, this particular fraud continues to rise even in the face of publicity. Check out the latest ActionFraud figures here.
There are a number of technologies that attempt to stop Business Email Compromise, but even they will all admit that they cannot be 100% effective.
The reality is that email itself, our habits, and the fact that we are not conditioned to check the validity of a message that appears to come from somebody we trust (its contents and any attachments included) all work in the fraudster’s favour.
The solution lies in policy and procedure. Not the policy of putting disclaimers on email footers – but a policy that prevents confidential or sensitive information being exchanged on email. Policies that ensure that payment requests or bank details cannot be provided by email.
The alternative could be a very real feeling of ‘how on earth did that happen?’ when one of your employees explains how it was ‘your email asking me to do it’ that caused them to transfer the sum of money into an enterprising fraudster’s bank account.