What is email fraud?
Email is a company’s most common means of communication. It has therefore been an enabler of fraudulent behaviour since its inception. Email fraud is any kind of fraud in which someone falsifies an email address in order to pass as someone else and obtain money or sensitive information, or to spread malicious code.
How does email fraud work?
Previously, email fraud has primarily involved registering a confusingly similar domain name in order to fool a company’s clients and/or employees. This is called “typosquatting” when the domain name relies on typos, and “cybersquatting” when a company name or brand is registered on another top-level domain, such as .co instead of .com.
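The following is an added example, not part of the original article, of a simple detection routine for the two patterns just described: a sender domain that is the protected brand on a different top-level domain (cybersquatting) or a near miss on the brand name itself (typosquatting). The protected domain list, the homoglyph table and the sample sender addresses are constructed for the example; a real deployment would compare against the organisation’s actual sending domains and use a proper edit-distance library.

```python
"""Flag sender domains that look confusingly similar to protected brand domains.

Added example: the brand list, homoglyph table and sample addresses are
constructed; classify() implements the typosquat / cybersquat distinction
used in the text (same name, other TLD vs. near miss on the name itself).
"""
from difflib import SequenceMatcher

# Constructed: domains the organisation legitimately sends from.
PROTECTED_DOMAINS = ["example.com", "example-bank.com"]

# Constructed: common look-alike substitutions used in typosquatted names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def split_domain(domain):
    """Return (second-level label, top-level domain) of a domain, lower-cased."""
    domain = domain.lower().rstrip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld


def normalise(label):
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify(domain, protected=PROTECTED_DOMAINS, threshold=0.8):
    """Classify a sender domain as 'legitimate', 'cybersquat', 'typosquat' or 'unrelated'."""
    label, tld = split_domain(domain)
    for good in protected:
        good_label, good_tld = split_domain(good)
        if (label, tld) == (good_label, good_tld):
            return "legitimate"
        # Same brand name on another top-level domain (.co instead of .com).
        if normalise(label) == good_label and tld != good_tld:
            return "cybersquat"
        # Near miss on the brand name: homoglyphs, dropped or swapped letters.
        ratio = SequenceMatcher(None, normalise(label), good_label).ratio()
        if ratio >= threshold:
            return "typosquat"
    return "unrelated"


def flag_senders(addresses):
    """Return {address: verdict} for every sender whose domain is not legitimate."""
    flagged = {}
    for addr in addresses:
        verdict = classify(addr.rpartition("@")[2])
        if verdict != "legitimate":
            flagged[addr] = verdict
    return flagged


if __name__ == "__main__":
    # Constructed sample of From addresses seen in a mail log.
    sample = ["ceo@example.com", "ceo@example.co", "ceo@examp1e.com",
              "ceo@exmaple.com", "billing@example-bank.co", "news@totally-different.org"]
    for addr, verdict in flag_senders(sample).items():
        print(f"{addr}: {verdict}")
```

The homoglyph folding is what lets `examp1e.com` match even though the raw strings differ by a digit; the threshold on the similarity ratio is a tuning knob and should be validated against the organisation’s real traffic to keep false positives low.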
Lately, however, so-called “spoofing” has emerged as a big problem. Spoofing means sending an email that looks exactly as if it came from the person the sender wishes to impersonate. The classic example is a CFO receiving an email from the company’s CEO asking him or her to transfer money to an offshore account, hence the term “CEO fraud”.
These emails are often quite sophisticated and the result of a longer period of analysing the company’s internal structure, roles and even email signatures. This is called “spear-phishing”, in contrast to ordinary “phishing”, which means sending a large number of generic emails to a much larger group of recipients.
How do you protect yourself against email fraud?
The first misconception we need to address is that spoofing is a “receiving” problem that can be fixed with spam filters or anti-virus programs. In fact, spoofing is a sending problem, enabled by the lack of authentication mechanisms in the standard email protocols. The first step in protecting oneself against email fraud is therefore to recognise the difference between a receiving problem and a sending problem.
The other misconception that needs to be addressed is that email fraud can be countered by organisational measures alone. Creating awareness within the organisation is important. However, email fraud is not only directed internally but also against other companies, such as clients and providers. Creating awareness within the organisation alone is therefore not enough from a wider perspective.
Every organisation therefore has a responsibility to protect both itself and others against fraudulent behaviour.
The second step is thus to secure one’s IT environment and close the security holes that the vast majority of companies still have in their outgoing email traffic.
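The article does not name the mechanisms, but the authentication the standard protocols lack is in practice supplied by the domain owner publishing SPF, DKIM and DMARC records; the following added example (not from the original article) models the DMARC decision a receiver makes to show why the problem sits on the sending side. A spoofed message carrying the victim’s domain in the From header can only be rejected if that domain has published a policy; a receiver-side filter alone has nothing to act on. The policy table, the sample message and the SPF/DKIM verdicts passed in are constructed, and the organisational-domain helper is a deliberate simplification of what a real implementation would do with the Public Suffix List.

```python
"""Model of the DMARC alignment check a receiving server performs.

Added example: DNS_TXT stands in for the _dmarc.<domain> TXT records a
receiver would look up, and the SPF / DKIM results are passed in as if an
upstream checker had already produced them. Nothing here sends mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS stand-in. example.com has closed the hole by publishing
# p=reject; victim-corp.example publishes nothing, the gap the text describes.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}


def dmarc_policy(domain):
    """Return the published policy ('none', 'quarantine', 'reject') or None if absent."""
    record = DNS_TXT.get(f"_dmarc.{domain.lower()}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    match = re.search(r"\bp=(none|quarantine|reject)\b", record)
    return match.group(1) if match else None


def organisational_domain(domain):
    """Crude fallback: last two labels. Real code consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain shares the From domain's organisation."""
    return bool(auth_domain) and organisational_domain(auth_domain) == organisational_domain(from_domain)


def evaluate(raw_message, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (from_domain, disposition) for a received message.

    spf_domain  -- MAIL FROM domain the SPF check ran against ('' if none)
    dkim_domain -- d= tag of a DKIM signature that was checked ('' if none)
    disposition -- 'pass', or the published policy, or 'no-policy' when the
                   From domain has not published one (message gets through).
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return from_domain, "pass"
    policy = dmarc_policy(from_domain)
    return from_domain, policy if policy else "no-policy"


def make_message(from_addr):
    """Constructed CEO-style message with the given visible From address."""
    return (
        f'From: "Chief Executive" <{from_addr}>\n'
        "To: cfo@victim-corp.example\n"
        "Subject: Urgent transfer\n"
        "\n"
        "Please handle the attached invoice today.\n"
    )


if __name__ == "__main__":
    # Same forged message, same unrelated sending host; only the From domain differs.
    for sender in ("ceo@victim-corp.example", "ceo@example.com"):
        print(evaluate(make_message(sender), "mailer.example.net", "pass", "", "none"))
```

Run stand-alone, the first line shows the message for the domain without a policy going through as `no-policy`, and the second shows the same message rejected once the impersonated domain has published `p=reject`; legitimate mail from `example.com` still passes because its SPF or DKIM domain aligns with the From header. That contrast is the practical content of the article’s second step.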