Archives For gmail

Are You Providing Email Security as Part of Your MSP Offering?

Email Compromise Has Grown by 1,300% Over the Past Year

Over 95% of your clients' intellectual capital is digital today – more than likely, 50% of that is in clear-text email. Email compromises are now growing at astronomical rates.

Too many of your clients think spam is just a nuisance. It’s also malicious. While spam is responsible for landing bots on client systems, it’s the email scams that are fast becoming an easy win for hackers.

What I’m talking about here is fake email written by scammers, posing as the boss.

How Do Email Scams Work?

It works like this…an email that appears to come from the boss is sent to someone with the ability to transfer funds. The account information is provided, with a request to transfer $10,000, for example.

It may be a partnership deal, customer refund, or payment to a vendor. The person doing the transfer doesn’t have time to research it – they just transfer the money and go on to the next task. The cash is now sitting in a bogus account, controlled by the scammer.

These scams work! Why? Most of the companies you do business with are using technology to block viruses, not social engineering. These emails look legitimate.  They don’t contain malware of any kind. They’re simply a request coming, supposedly, from an executive. No one’s asking questions – they just move to get the job done.

Millions Are Being Lost

Over the past year, roughly $3.1 billion worldwide has been transferred using this scam. In the U.S., WSJ reports that, “as of last month, 14,032 victims of the scam had reached out to the FBI’s Crime Complaint Center within the past three years, with combined losses totaling more than $960 million.”

These losses come from companies of all sizes, large and small. No one is safe. Most of the transfers are going to China and Hong Kong – no surprise there.

Is There Anything That Can Be Done To Stop This?

Compromised or spoofed email accounts are nearly impossible to detect once the compromise is made. Stopping someone from spoofing by securing email servers and accounts is the first step.  But there’s more…

Some solutions are coming out right now as cloud-based services, for an annual fee. These services manage a white-list of approved senders. Google, Microsoft, and a few startups are working on this.

There’s also a need for security awareness in this area, as well as some procedures to follow when dealing with requests to transfer money. The technology isn’t there yet – clients may need to communicate these requests using some other means – not email.
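The Python example below is added here and is not from the original post. It combines the approved-sender list with the transfer-request procedure described above: any payment request is held for confirmation outside email, and one that also shows signs of boss impersonation is quarantined. The executive name, approved addresses, keyword list and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed policy data (assumptions): executive names and approved senders.
EXECUTIVES = {"jane doe"}
APPROVED_SENDERS = {"jane.doe@example.com"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|refund|account number)\b", re.I)

def sender_anomalies(msg):
    """List the header signs that the sender is posing as an executive."""
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    found = []
    if name.strip().lower() in EXECUTIVES and addr.lower() not in APPROVED_SENDERS:
        found.append("executive name on unapproved address")
    if reply_to and reply_to.lower() != addr.lower():
        found.append("Reply-To differs from From")
    return found

def triage(raw):
    """Return 'deliver', 'verify-out-of-band' or 'quarantine' for one message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    if not PAYMENT_TERMS.search(f"{msg.get('Subject', '')}\n{body}"):
        return "deliver"
    # A payment request from an approved address can still come from a
    # compromised mailbox, so it is confirmed by another channel, not by email.
    return "quarantine" if sender_anomalies(msg) else "verify-out-of-band"

# Constructed sample messages.
SPOOFED = """\
From: Jane Doe <jane.doe@examp1e.test>
Reply-To: jd.office@freemail.test
Subject: Urgent vendor payment

Please wire $10,000 to the account below today.
"""
FROM_APPROVED = ("From: Jane Doe <jane.doe@example.com>\nSubject: Customer refund\n\n"
                 "Please transfer $10,000 for the customer refund.\n")
ROUTINE = ("From: Jane Doe <jane.doe@example.com>\nSubject: Staff meeting\n\n"
           "Agenda for Monday is attached.\n")

if __name__ == "__main__":
    for sample in (SPOOFED, FROM_APPROVED, ROUTINE):
        print(triage(sample))
```

The second sample passes the approved-sender check and is still held for verification, which is the case a white-list alone cannot cover.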

I agree with the FBI position on email – businesses should not be using free email services.

© 2016, David Stelzl

 

More on Cloud Computing and Google in today’s WSJ:  These sound bites are relevant when selling against cloud computing giants that threaten to take over your business:

1. Google apps = Cloud computing. Let’s not mince words here…this is cloud computing. This is not about Google – it’s about any major online target that causes someone outside the company to want or need something inside.

2. China is not happy with Google – this could be anyone who is unhappy with a company you are dealing with, for example over customer dissatisfaction issues.

3. “gained access to computer code for the software that authenticates users of Google’s email, calendar and other online programs,…” Simply put, online programs means Google applications that may contain personal or business-related content. Google hosts email for businesses and individuals, as well as a number of online apps that are used in both cases.

4. Hundreds of companies…it’s spreading:  Quote from the Journal…

“But some security experts suspect a group of attackers that has penetrated hundreds more companies since Google went public with its attacks in January. “The exact same group has been exceptionally active,” said one person familiar with the attacks Google announced.

The group, which is believed to be Chinese and has been identified by investigators by its attack methods, has broadened its victims to include law firms and utility companies, this person said. It’s been penetrating companies at a rate of at least 20-50 new companies a week, this person added.”

Also note my video comments following a recent talk I did on protecting assets to Tampa-based business leaders: https://davidstelzl.com/2010/03/30/tampa-event-post-interview-part-ii-cloud-computing/

© David Stelzl, 2010

Recent hacks against Google, Microsoft, and Yahoo have successfully compromised email passwords. While some people rely on these services for innocuous email exchanges, others are using them for business and other important matters. What about cloud computing? If email services such as these are not secure, how will companies move to other cloud services using applications such as spreadsheets?

As for these reported email compromises:

  • Microsoft admits that several thousand Hotmail accounts were compromised – one source reported 9843 user names and passwords were posted online.
  • BBC reported lists of both Yahoo and Gmail users exposed as well.

If they’re getting to these email sources, they’ll also get to other applications in the cloud hosted by these companies…and with the investments companies like Google are making in security, it’s hard to believe anyone has it covered out there – yet I hear this all the time from IT: “We’ve got it covered.”

Read SC Magazine’s report on this:

http://www.scmagazineus.com/Yahoo-Gmail-passwords-also-phished-in-far-reaching-scam/article/151616/?DCMP=EMC-SCUS_Newswire