Written by Dave Stelzl CISSP

How Secure Is Email?

starbucks

Are You Providing Email Security as Part of Your MSP Offering?

Email Compromise Has Grown by %1300 Over the Past Year

Over 95% of your clients intellectual capital is digital today – more than likely, 50% of that is in clear-text email. Email compromises are now growing at astronomical rates.

Too many of your clients think spam is just a nuisance. It’s also malicious. While spam is responsible for landing bots on client systems, it’s the email scams that are fast becoming an easy win for hackers.

What I’m talking about here is fake email written by scammers, posing as the boss.

How Do Email Scams Work

It works like this…an email is sent from the boss to someone with the ability to transfer funds. The account information is provided, with a request to transfer $10,000 for example.

It may be a partnership deal, customer refund, or payment to a vendor. The person doing the transfer doesn’t have time to research it – they just transfer the money and go on to the next task. The cash is now sitting in a bogus account, controlled by the scammer.

These scams work! Why? Most of the companies you do business with are using technology to block viruses, not social engineering. These emails look legitimate.  They don’t contain malware of any kind. They’re simply a request coming, supposedly, from an executive. No one’s asking questions – they just move to get the job done.

Millions Are Being Lost

Over the past year roughly $3.1 billion worldwide, have been transferred using this scam. In the U.S., WSJ reports that, “as of last month, 14,032 victims of the scam had reached out to the FBI’s Crime Complaint Center within the past three years, with combined losses totaling more than $960 million.”

These losses come from all size companies – large and small business. No one is safe. Most of the transfers are going to China and Hong Kong – no surprise there.

Is There Anything That Can Be Done To Stop This?

Compromised or spoofed email accounts are nearly impossible to detect once the compromise is made. Stopping someone from spoofing by securing email servers and accounts is the first step.  But there’s more…

There are some solutions coming out right now through a cloud-based service, for an annual fee.  These services manage a white-list of approved senders.  Google, Microsoft, and a few start ups are working on this.

There’s also a need for security awareness in this area, as well as some procedures to follow when dealing with requests to transfer money. The technology isn’t there yet – clients may need to communicate these requests using some other means – not email.

I agree with the FBI position on email – businesses should not be using free email services.

© 2016, David Stelzl

 

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s