Email scams and social engineering attacks are a huge security risk. When we describe security incidents that involve criminals scamming individuals or businesses out of money, security professionals often use terms like “CEO fraud”, “fake boss scams”, or “impersonation fraud” and “business email compromise” interchangeably for convenience. But there’s a case for treating business email compromise as a specific threat that deserves special attention.
Let’s put this into context. Phishing scams in general, and CEO fraud in particular, have the same goals: to convince you that the sender is genuine and then to trick you into doing something they want. Wombat Security’s State of the Phish 2019 report showed the scale of the risk. It surveyed almost 15,000 infosec professionals and found that almost all said the rate of phishing email incidents grew or stayed the same as last year. Last year, 83 per cent said they experienced phishing, up from 76 per cent in 2017.
The Wombat report said that attacks have one of three impacts on victims: credential compromise, malware infections and data loss. Credential compromise increased by more than 70 per cent since 2017, becoming the most commonly experienced impact in 2018. As Wombat noted, this is worrying because multiple services often sit behind a single password. Reports of data loss grew more than threefold since 2016. All three impacts have grown since 2016.
After analysing over a billion emails daily, Proofpoint concluded that attackers increasingly focus attention on people, rather than technical defences. “Attackers are adept at exploiting our natural curiosity, desire to be helpful, love of a good bargain, and even our time constraints to persuade us to click,” its report said.
Before scammers get to the serious business of extracting our money or making us download malware, scam emails have to pass the smell test by seeming legitimate (if it smells of ‘phish’ it probably is a ‘phish’). Most of them do this with simple spoofing techniques. They might involve misspelling the company name in a fake email domain or amending the email address slightly so it appears normal but is sent somewhere else. These tricks rely on people being so busy that they don’t spot the difference. The fake just needs to be good enough to fool the naked eye, and maybe also be smart enough to get past a basic email gateway.
But here’s where I believe there’s a distinction with business email compromise that many people are missing. Email spoofing is one thing, but what if an attacker actually took control of your email account? Think about the impact of that for a moment. An email account is the source of so much data about a person, it’s the proverbial keys to the kingdom.
Email has all the trappings of how we “speak” virtually to our contacts, from introductions (“Dear valued customer”), to signoffs (“Best wishes, Dave”). That’s a goldmine for any attacker who wants a foolproof way of impersonating someone and copy your style and email writing tone. From a business point of view, an email account will have contact details for clients and colleagues ready to hand.
Think of the potential damage to business relationships. How long would it take to send damaging emails to destroy your credibility, your career, or even your company? The attacker is no longer just impersonating you – as far as the email proves, they are you. And you, as the victim might not even realise you’ve been compromised right away. An attacker who takes over your account could send stealthy emails to a manager or customer and then delete all traces of it from the ‘sent items’ folder. Imagine if they found an old message with company product plans or sales prospects; where might that end up?
And that’s not all; think for a moment how much information your email account has on all of your other activities, from utility bills to records of purchases. Email’s tentacles reach into so many parts of our digital lives.
For just about every online service we use, where do all the password resets go? That’s right, to your email account.
There are two misconceptions to put right here. We might not fully value the security of our email account. We might also mistakenly assume that someone else is looking after it and keeping it secure – especially in these days of cloud services. But you know what they say about assumptions! For individual accounts, changing to a strong password, passphrase, or better yet multi-factor authentication (where something like a text message can be used to authenticate your access), will at least strengthen the protection.
In my experience, many companies just use cloud-based email with default settings. Instead, they should tailor the level of security to their risk. The potential impact from true business email compromise is so damaging that there is a strong argument for making companies focus attention on protecting their email above all other systems. There are plenty of security controls to help do this, from two-factor authentication to data loss prevention, and security awareness training. An attacker only has to get lucky once, as the old security saying goes. And if one finds their way in, you might as well switch off the lights on your way out.