19, September 2017
How to avoid CEO-frauds and falsified emails
In May, we sent a newsletter regarding spoofing and other types of email frauds (read it here).
Yesterday, eight people were prosecuted in Sweden for thousands of cases where they have hacked companies, financial institutions, governmental organisations and one political party using falsified emails. The sum of money embezzled exceeds 4 million Euros. 
The methods used resembles the one used in the case of Leoni AG, which we have reported on before, where a similar fraud resulted in 40 million Euros were transferred to accounts abroad. 
When asked if there was anything that could be done in order to protect ones organisation against these types of hacks, a security expert on one of yesterday morning’s news shows replied that it is “basically impossible”. 
We disagree, and that is what this text is about, us knowing you CAN do something about it.
To provide some background, the types of frauds that we are discussing are the ones where an individual, using email, misrepresents him/herself as someone else in an attempt to obtain money, insert malicious code and/or obtain sensitive/secret information.
There are two basic distribution strategies among the email frauds:
Phishing is a broad term for fraudulent behaviour where for example an email is made to look like it is sent by your service provider, asking you to update your credit card number. This usually goes out to a large number of people without exact targeting.
Spear-phising is a more sophisticated attempt of impersonating someone, for example a colleague/boss of yours, asking you to reveal secret information, transferring money etc. This requires a deep knowledge of the targeted organisation, its structure and internal roles and responsibilities.
You might now ask yourselves; “So, these are the strategies, but how does one succeed in looking like he/she is someone else?”
Here as well, there are two basic methods:
This means using a confusingly similar domain name to the one used by the organisation one is impersonating. One can either register a typo (hence the name Typosquatting) or registering the correct brand/company name on an available top-level domain (Cybersquatting), and hope the recipient does not look too closely at the email address.
The more devious of the two is called “Spoofing”. Because the standard email protocols lack mechanisms for authentication, it is possible to send an email to a recipient and make it look exactly like the one it is meant to impersonate.
As you can see, these two methods are very different, and therefore require different countermeasures.
Although, it is fair to say that to be able to call the bluff on someone who has done his/her homework and sends a sophisticated spear-phishing email using the spoofing method, you would have to have a sixth sense.
Now you are probably asking yourselves; “Fine, since you claim to have the secret sauce for preventing email frauds, what do you recommend we do?”
It needs to be stated that you and your organisation cannot control how other organisations manages the risk of someone using their identities to try and fraud people in that – or another – organisation, such as yours.
The damages of fraud are often both financial and reputational. Every organisation has a responsibility to minimize their own risk of someone trying to use the identity of your company, and/or your employees, in order to carry out frauds, within the organisation or towards others.
As a side note, it is remarkable that companies investments in IT are steadily increasing, but very little is done in order to secure the biggest vector for cyber criminals – email. However, there are exceptions. In the UK, the Government Digital Service agency has made it mandatory for all UK government services to implement many of the actions mentioned below. 
Here are our top tips for avoiding CEO-frauds and falsified emails:
- Carry out organisational measures, like education and more thorough routines, in order to minimize the risk of someone achieving to fraud you.
- Actually realising this is a SENDING problem! It cannot be said enough that this is not fixed by having a great filter for your incoming email traffic.
- Monitor your outgoing email traffic in order to identify your actual users (including the unauthorised ones).
- A first validation of your sending email servers to minimise the risk of unauthorised users.
- A second validation using both a public and a private key.
- A comprehensive Domain Name Watch in order to identify potential “cybersquattings” and/or “typosquattings” that can be used to impersonate you. Carry out legal and technical actions simultaneously.
We know most of you are currently working on number 1, and hopefully this message takes care of number 2.
For tip 3 to 6, contact us for more information on how we can help you protect your business!