You are email@example.com. You receive an email from firstname.lastname@example.org asking you to please transfer $1.83MM to bank account 9900000005 routing 321174851 and to code it to "Operating Materials and Supplies Held for Use" for the Contoso project. This makes you suspicious, so you reply and ask, "Are you sure you need this today?" The response comes quickly: "Yes, we need this to transfer today." You head down to accounting and have them make the transfer post haste, because you want the president to see how efficient you can be and how useful you are in a pinch.
Be Aware of the Problem
Sorry bub, you and your company are now victims of fraud and you are the heel. This fraud happened without any email accounts being compromised or passwords stolen. What happened? In this case, it turns out that youremail.com and youremall.com are not the same domain (a lowercase l in place of the i is easy to miss at a glance). The president has his name and picture on the company website, and so do you. A little googling for "@youremail.com" reveals the standard format for email addresses. A little more googling reveals that your company is engaged in a big project with Contoso. "Operating Materials and Supplies Held for Use" is a reasonable general ledger code. All of this together constitutes a social engineering attack. This may sound far-fetched, but the FBI tabulated more than 2,000 instances of this type of crime with losses totaling more than $200MM in 2014.
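The youremail.com / youremall.com trick above can be caught mechanically at the mail gateway. The following is an added example, not code from this page or from Feedwire: it folds visually confusable characters onto a common skeleton and measures edit distance, then classifies the From and Reply-To domains of an inbound message as internal, lookalike, or external. The confusables list, the distance threshold of 2, and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "youremail.com"   # the domain from the page's scenario

# Visually confusable substitutions (constructed, not exhaustive); applied before
# comparing so "youremall" and "youremail" collapse to the same skeleton.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o")]

def skeleton(domain):
    """Fold a domain onto a canonical skeleton so lookalikes compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance; catches single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, org=ORG_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    d = domain.lower()
    if d == org:
        return "internal"
    if skeleton(d) == skeleton(org) or edit_distance(d, org) <= 2:
        return "lookalike"
    return "external"

def check_message(raw):
    """Classify From and Reply-To; a lookalike on either warrants voice verification."""
    msg = message_from_string(raw)
    findings = {}
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if value:
            domain = parseaddr(value)[1].rpartition("@")[2]
            findings[header] = (domain, classify_domain(domain))
    return findings

# Constructed sample modelled on the page's scenario (not a real message)
SAMPLE = """From: The President <president@youremall.com>
Reply-To: president@youremall.com
"""
```

The edit-distance threshold is deliberately loose; on a short organisation domain it will flag unrelated domains, so tune it against your own mail flow before routing matches to a review queue.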
Wire transfer requests are not the only payloads for this type of compromise. An impersonated executive might ask her assistant for a "forgotten" password. An impersonated husband might ask his wife for the kids' social security numbers. The impersonated head of the social media team might ask for all of the social media account credentials. The impersonated head of casting might ask for copies of background checks. An impersonated clinical researcher might ask his boss for a patient's medical information. The possibilities are endless and hackers are patient.
What can we do about this? We have to be aware of the problem, understand a little bit about email, and act like we want to protect ourselves from these attacks.
A Little Bit About Email
Email is about as secure as paper mail:
- It can be read in transit.
- It can be forged.
- It can be intercepted.
- It can be stolen before delivery.
- It can be stolen after delivery.
- It can be copied without your knowledge.
- It can be intentionally destroyed.
- It can be unintentionally destroyed.
- It can be mis-delivered.
- It can be misaddressed.
- Its authenticity is not easy to verify.
People treat email as if none of those things are true. People ignore the realities of email security because of ignorance. People also ignore the realities of email security because email is incredibly convenient, and because security is inherently inconvenient.
Act Like We Want to Protect Ourselves
Giving up convenience is hard, but we do not have to be extreme about it. We do not want to become impossible to defraud; we just want to be harder to defraud than most other people and companies. We do not have to outrun the bear. We can ease the inconvenience burden by spreading it across three domains: political, cultural, and technological.
In our example case, you would have been saved if you had taken the time and inconvenience to call your president to verify the transfer. You would have gone from heel to hero. Unfortunately, if your company is like most, and the request had been legitimate, taking the time to voice-verify it would have been met with impatience or anger. The politics of the office have to change to permit security. The change must be company-wide and top-down: a choice to mitigate some risk by sacrificing some convenience.
Culturally, we want to foster security and awareness. We can use the same types of tools that we use for safety. Written procedures and occasional drills can improve security policy compliance and weed out bottlenecks. Regular security newsletters and meetings can help staff keep security at the front of their minds, or at least near the front. The hackers who succeed are asking us to do things that we already do, or things not very different from what we already do, and so the requests seem innocuous. A small change in procedure, habit, or vigilance can shift this balance in our favor.
Yes, there are ways technology can help. People make the mistake of turning to technology first, mostly because it is something that can be bought, not something that one must do. Without people being aware of the problem and accepting a political and cultural change, new or enhanced technology will not help improve security. People can and will bypass security technologies to avoid inconvenience. Consider a propped-open back door. The same sorts of things happen to security technologies if people do not buy into and understand the justification behind the inconvenience that the security technology creates.
What is Next
Call us. Duh.
Feedwire can help improve your personal or corporate security posture and help you protect yourself from this and other attacks and exploits. We can help with culture, policy, and technology.