Business Email Compromised

I have a scary story to share.

Imagine you’re an accountant for your company and you receive an email from your CEO requesting a funds transfer for a time-sensitive acquisition. He says a lawyer will be in touch to provide more details. You get the lawyer’s email, complete with an authorization letter that includes your CEO’s signature and company seal, so you go ahead and make the over $700,000 transfer. The next day you mention the transfer to your CEO, confirming you’d completed it in the timely manner he requested, only to be met with a blank look. He never sent you an email and he never requested a wire transfer.

Horrified yet? As scary as it is, that scenario actually happened to someone last year and is just one example of a growing threat the FBI has dubbed “Business Email Compromise (BEC)”. Between October 2013 and May 2016, 22,143 cases of BEC have been reported to the FBI, in which cyber criminals requested over $3 billion in fraudulent transfers. The FBI’s last tally from February had the total amount requested at just over $2 billion – that’s an additional BILLION dollars that thieves have tried to scam out of companies in the span of just four months.

Example BEC email: "Request from CEO" (source)

These are not the email scams of yesteryear that were easy to spot. No, these are extremely sophisticated, organized attacks, involving intimate knowledge of the target company and its usual operations so as not to raise suspicion. In some cases, criminals have used malware to access corporate email systems so they can leverage existing billing and invoice requests.

“They have excellent tradecraft and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.” (source)

Is Digitally Signing All Intra-Office Emails the Answer?

It’s ridiculously easy to spoof email addresses (if the sender is not on a Lightspeed managed server) and cyber criminals are only getting more sophisticated with their use of social engineering and malware to stage attacks. So what can companies do to help protect themselves from BEC attacks? One option is to at least standardize on digitally signing all emails that contain financial instructions (purchase orders, invoices, etc.). Even better if you simply sign all emails – it won’t hurt anyone that can’t verify the signature (unlike encrypted emails, which can’t be opened on some clients).

Email digital signatures, or all digital signatures for that matter, are applied using a Personal Email Certificate (PEC). We issue globally recognized PECs, available for a greatly reduced annual fee to customers whose email we manage (we can do identity verification easily).

When recipients open a digitally signed email, they see a little red ribbon indicating that it’s been signed, along with the name of the signer. Since the signature was applied using the sender’s certificate, which was only issued after a strict identity verification process, the recipient can be confident that the email actually came from the sender and is not part of a scam.

Example digitally signed email in Outlook.

Inspection of certificate used to digitally sign an email.

Applying signatures is easy and can be automated

Digital signatures are compatible with most enterprise email clients and applying one is generally as simple as clicking a button. Also, most clients can be configured to automatically sign all outgoing mail, so it’s relatively easy to standardize company-wide.

Is digitally signing emails going to put a complete stop to the threat of BEC? Realistically, probably not, especially since these cyber criminals are always coming up with new ways to trick victims. However, I do think it’s an easy way to get employees to take a second and think about where the email they receive actually came from. Ultimately the best defense against these types of attacks is probably employee education and training – making them aware that these types of attacks exist and what to look for. The FBI also has some helpful suggestions:

  • Be wary of email-only wire transfer requests and requests involving urgency
  • Pick up the phone and verify legitimate business partners
  • Be cautious of mimicked email addresses
  • Practice multi-level authentication
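As an added example (not part of the original post or Lightspeed's tooling), here is a small Python check a mail gateway could run to enforce the "sign all internal mail" policy described above and to catch the mimicked addresses the FBI warns about. INTERNAL_DOMAIN, the EXECUTIVES directory and the three sample messages are constructed; the check only confirms that an S/MIME signature part is present on mail claiming an internal sender, leaving cryptographic verification of that signature to the client or gateway.

```python
# BEC red-flag checks under an "all internal mail is S/MIME signed" policy; INTERNAL_DOMAIN and EXECUTIVES are constructed values.
import email
from email import policy
from email.utils import parseaddr
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}   # constructed directory of executives
SMIME_PROTOCOLS = ("application/pkcs7-signature", "application/x-pkcs7-signature")

def is_smime_signed(msg):
    # Structural check only; the mail client or gateway verifies the signature itself.
    return (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol", "") in SMIME_PROTOCOLS)

def check_message(raw):
    # Returns a list of red-flag findings for one RFC 5322 message (empty list = none).
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []
    # Policy: anything claiming an internal sender must carry an S/MIME signature.
    if addr.rpartition("@")[2].lower() == INTERNAL_DOMAIN and not is_smime_signed(msg):
        findings.append("internal sender without S/MIME signature")
    # Mimicked address: an executive's display name on a different mailbox.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with {addr} (mimicked address?)")
    return findings

# Constructed sample messages, not real mail.
SPOOFED = """From: Jane CEO <jane.ceo@example.com>
Content-Type: text/plain

I need an urgent wire transfer for a time-sensitive acquisition.
"""
LOOKALIKE = """From: Jane CEO <jane.ceo@examp1e.com>
Content-Type: text/plain

Please pay the attached invoice today.
"""
SIGNED = """From: Jane CEO <jane.ceo@example.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Quarterly numbers attached, no action needed.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER-SIGNATURE-BLOB (real mail carries a base64 PKCS#7 signature here)
--b1--
"""
```

A message that trips the first check is exactly the spoofed CEO request from the story: it claims an internal address but arrives unsigned, so the gateway can quarantine it or tag it for phone verification before anyone acts on it.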