Often referred to as the internet's cockroach, email has outlived all other forms of internet communication and has infested every corner of the globe. Operating your business without email is unimaginable. Hackers, fraudsters and con artists know this, making your inbox their attack vector of choice. Email-based attacks are easy to automate, cost nothing to send, and they work because people keep opening their messages. Spam is undeniably one of the biggest threats to the cybersecurity of any organisation.
- Trend Micro detected over 30 million phishing URLs in 2021 via its security software alone.
- The FBI's 2021 Internet Crime Report saw over US$2.3b lost via business email compromises.
- IBM says "phishing was responsible for breaches 16% of the time" in data breaches they've handled.
- The ACSC's 2020-2021 annual report claims business email compromises made up 7% of all cybercrime reports.
- The Australian Institute of Criminology found that almost 10% of all spam emails contained malware.
Clicking a seemingly innocent link in an email can result in a total compromise of your business. Not paying close attention to the details in an email can turn into a data breach, the loss of money and even property. A combination of strong email vigilance and robust anti-spam software can reduce the chances of falling victim.
We've all experienced email spam relentlessly clogging up our inboxes with ads for miraculous penis pills, Nigerian princes offering riches or unbelievable deals on gift cards. As dumb as these emails appear, they're a reliable way to get people to click a malicious link or install compromised software. It's important to separate "harmless" spam from malicious spam, better known as phishing.
The Australian Communications and Media Authority (ACMA) regulates spam in Australia and defines it as "an unwanted marketing message you receive by email, text message or instant message. To be spam the message must be commercial. That means it must contain one or more of the following: offers, advertisements or promotions". To many people's surprise, marketing messages from "registered charities, education institutions contacting you as a former or current student, government bodies and registered political parties" are permitted under Australia's spam laws.
Businesses can be, and are, fined for sending these unsolicited messages to people. ACMA has fined the following Australian businesses in the last few years for sending consumers emails after they unsubscribed from a mailing list:
- Optus - $504,000 fine in January 2020
- Kogan - $310,800 fine in January 2021
- Sportsbet - $2,500,000 fine in February 2022
- Woolworths - $1,003,800 fine in July 2020
If you are a business that relies on sending emails as a marketing method, it's important to have the consent of whoever you're sending the marketing emails to; otherwise you could end up on the receiving end of ACMA's increasingly big stick.
You may have heard the phrase "phishing" used when in the vicinity of computer nerds. The unusual spelling comes from 90s computer hackers who used phone lines to connect to the internet: instead of fishing with a rod and reel, they're "phishing" over a phone line to catch their next unsuspecting victim.
Like an angler sitting on a pier all day waiting for a nibble, phishing emails are dropped into the vast ocean of the internet to see who bites. Unlike spam, phishing emails are designed to fool you into handing over personal information or installing malicious software on your computer.
Images, PDFs, Office documents - you name it, it can be weaponised. Hackers sneak malicious code into these attachments so that when you open them on your computer, the code exploits a vulnerability in the program that opens the file, allowing the attacker to have their way with your computer. Most mail clients don't allow you to open an attachment before it is scanned to check whether it will damage your computer, but this scanning isn't 100% reliable, so it pays to make sure the email is legitimate before opening the attachment. Some high-risk environments don't allow attachments at all, which shows how serious an attack vector they are.
It's common for hackers to set up convincing-looking clones of popular websites and send emails pretending to be from the genuine website, with a link to their fake one. The email might say something like "log in now to verify your account, within 24 hours it will be closed!" to scare you into action. Once they've got someone on their fake site, the aim is for the victim to log in with their real username and password. The login will appear to fail, but the hacker operating the fake site now has your credentials and can use them to log in to the real site.
Unlike a fake website designed to steal your password, some fake websites exist to make you click a specially crafted web address (URL) that takes advantage of flaws in a web browser or other application to open a hole in a network or download malicious software. Installing the latest software patches goes a long way to preventing this type of attack, as the patches fix the bugs and flaws these attacks rely on.
Business Email Compromise
When a scammer sends emails impersonating the real owner of an email address, it's called a business email compromise (BEC). These are different to phishing emails, which are predominantly sent at random in the hope of nabbing a victim. BECs involve more effort and are targeted at customers or colleagues of the compromised email address. Why might a hacker want to impersonate someone via email? To trick someone else into handing over money or passwords!
There are three common BECs:
The Fake Executive - cyber criminals identify an executive they can impersonate, often via social media. They'll infiltrate that executive's email account (most likely via a phishing attempt) and request a fake invoice to be paid or request a change in a worker's bank details. An inattentive or busy accounts payable department makes payment to the scammer’s account not realising the bank details are different or that the invoice is fake.
The Fake Invoice - once cyber criminals have an email account with access to invoices, they edit contact and bank details on those invoices. They then send the invoices to customers through the compromised account, and those customers inadvertently send money directly to the criminals not noticing the change in bank account or payment details.
The Fake Customer - criminals register a domain using a name very similar to a large known and well-trusted company. They then impersonate that business by sending an email to the target requesting an order for goods the business sells. The criminals negotiate for the order to be delivered prior to payment, but the actual invoice is sent to the organisation the criminals were impersonating for payment, resulting in free goods for the scammer.
Business owners also need to consider the poor cybersecurity status of their customers. As the following example demonstrates, despite best efforts to secure your systems the actions of a customer can cause a huge headache:
- Mr WM is buying a property and is expecting an email from his conveyancer with instructions for paying for it.
- XXXX Conveyancing emails Mr WM with instructions, bank details and the amounts to be paid.
- A hacker with access to Mr WM's email account sees XXXX Conveyancing's email before Mr WM does, deletes it, and sends an email from a fake address claiming to be XXXX Conveyancing.
- In that fake email the payment details have been changed to the hacker's account.
- Mr WM does not notice the poor grammar, the different formatting of the payment section compared to the rest of the email, or the incorrect sender address (the email did not come from XXXX Conveyancing).
- Mr WM makes payment to the hacker's account instead of XXXX Conveyancing's trust account.
Although this unfortunate event was not technically the fault of XXXX Conveyancing, there are steps they could have taken to further protect their customers:
- Publishing DKIM and DMARC records for their domain, so that receiving mail servers can check whether an email claiming to come from that domain is genuine.
- Communicating with customers via multiple channels to confirm the information in emails.
- Educating customers about the risks of fake emails at multiple steps throughout the customer journey.
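To show what the DMARC record in the first point actually does on the receiving side, here is an added example (not code from the original article or from XXXX Conveyancing) of how a mail server evaluates DMARC for a message whose From: header claims a domain. The record, the domain names and the short multi-label suffix set are constructed assumptions, and the pct= and sp= tags are ignored for brevity.

```python
from typing import Optional

# Real receivers consult the Public Suffix List to find the organisational
# domain; this tiny hard-coded set of multi-label suffixes is an assumption.
MULTI_LABEL_SUFFIXES = {"com.au", "net.au", "co.uk"}

def org_domain(domain: str) -> str:
    """Organisational domain, e.g. mail.example.com.au -> example.com.au."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    # Defaults from the DMARC specification: no policy, relaxed alignment.
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_verdict(record: str, from_domain: str, dkim_domain: Optional[str],
                  spf_domain: Optional[str]) -> str:
    """Return 'pass', or the record's policy action ('none', 'quarantine' or
    'reject') for mail that fails. dkim_domain / spf_domain are the domains
    for which DKIM / SPF verification succeeded, or None if that check failed."""
    tags = parse_dmarc(record)
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, tags["adkim"])
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags["aspf"])
    return "pass" if (dkim_ok or spf_ok) else tags["p"]

if __name__ == "__main__":
    # Constructed record for the conveyancer's domain (placeholder name).
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@xxxx-conveyancing.com.au"
    claimed = "xxxx-conveyancing.com.au"
    print(dmarc_verdict(record, claimed, claimed, None))                 # -> 'pass'
    print(dmarc_verdict(record, claimed, None, "attacker-example.net"))  # -> 'reject'
```

With p=reject, a message that claims the domain but carries no aligned DKIM signature and no aligned SPF pass is rejected outright, which is why the record only helps once the domain owner has moved past the default p=none.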
Tips for Identifying Phishing & Business Email Compromise Attempts
Millions, if not billions, of automated phishing emails are sent daily, trying to pass themselves off as legitimate messages. Most are immediately deleted by the spam filters on your email server. Those that get through can be identified as fake by applying a healthy dose of scepticism to your inbox.
Impersonation - just because it says the email is from a supplier or a known customer, that doesn't mean it is. A hacker may be impersonating them so you'll open their malicious emails! Be sure to check the email address to confirm the true sender and if something doesn't look right, you can always pick up the phone and ask the sender if it's genuine.
Generic greetings - if the greeting "valued customer" or "Dear (insert title here)" is used instead of your name, by someone who has used your name before, it's another signal that someone could be impersonating a known contact.
Attachments and links - as explained earlier in this chapter, hackers like to trick you with an enticing attachment or link. It might have an unusually long name, a fake icon (e.g. an Excel icon on a file that isn't a spreadsheet), or be a failure notification that you are told to fix urgently. It never hurts to double check the issue or log in to systems yourself, instead of clicking a link or opening a file.
Weird URLs - hover the mouse over parts of the email without clicking on anything. If the alternate text description of the link or image looks strange or doesn't match what the link text says, don't click on it. Hackers use oddly spelt or unrelated domain names in their URLs to trick unsuspecting victims. Misspelled URLs (e.g. combank.com.au, comm-bank.com.au or commbnk.com.au instead of commbank.com.au) are common.
Poor spelling and grammar - check for spelling errors, particularly in company or staff names. These emails are often sent by people who don't have English as their native language, so certain turns of phrase may be used incorrectly. Unusual number formatting (e.g. commas instead of decimal points) can also be a sign that the email isn't from the expected source.
Too much info - legitimate companies are unlikely to ask for personal information in an email. It may be obvious, but things like PINs, two-factor authentication codes, answers to password recovery questions, credit card numbers and of course the passwords themselves are not to be sent via email. If in doubt, give the organisation asking for the information a call, but use their publicly available phone number, not a number in the suspicious email.
Measure twice, cut once - double check phone numbers, payment details, names on invoices, etc. before sending money or sending further information. Ask colleagues to verify details. Call suppliers or customers to check if their request is genuine.
Email signatures - most legitimate senders will include a full signature block at the bottom of their emails, particularly if they're from another business. If there's no signature there, that's a red flag. If there is a signature, double check the details are correct.
Gift cards/cryptocurrency - hackers love these forms of payment because they can collect and spend them with a much lower profile than cash, which needs ID and is strictly regulated. If you receive an email asking for payments to be made in these forms instead of good old dollars and cents, that's a sign something's not quite right.
Urgency - a common theme in BEC messages is that payment needs to be made right now. By rushing a victim, the hacker hopes they ignore any unusual aspects and don't ask others for help. If an email stresses how urgent a request is, that might be the moment to slow down and make sure everything's above board. A genuine request will rarely be so urgent that it cannot wait for due diligence.
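Two of the tips above, checking the true sender (Impersonation) and spotting look-alike domains in links (Weird URLs), can be automated at the mail gateway or in a ticketing script. The following added example (not code from the original article) applies both checks to a raw message; the trusted-domain list, the sample message and the 0.8 similarity threshold are constructed assumptions for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation legitimately deals with (constructed list).
TRUSTED_DOMAINS = {"commbank.com.au", "xxxx-conveyancing.com.au"}

def sender_domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain that `domain` resembles without matching it
    (exactly or as a subdomain); None if it is trusted or unrelated."""
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    for t in trusted:
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None

def phishing_indicators(raw_message):
    """Apply the checks to a raw RFC 5322 message; returns warning strings."""
    msg = message_from_string(raw_message)
    warnings, frm = [], sender_domain(msg["From"])
    for hdr in ("From", "Reply-To", "Return-Path"):
        dom = sender_domain(msg[hdr])
        if not dom:
            continue
        if dom != frm:
            warnings.append(f"{hdr} domain {dom} differs from From domain {frm}")
        if (hit := lookalike(dom)):
            warnings.append(f"{hdr} domain {dom} looks like {hit}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    for url in re.findall(r"https?://[^\s<>'\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        if (hit := lookalike(host)):
            warnings.append(f"link to {host} looks like {hit}")
    return warnings

# Constructed message imitating the conveyancer scenario described earlier:
# the visible sender is genuine, but replies and the link go elsewhere.
SAMPLE = """From: XXXX Conveyancing <accounts@xxxx-conveyancing.com.au>
Reply-To: accounts@xxxx-conveyancng.com.au
Subject: Updated settlement payment details

Please pay immediately using the details at http://commbnk.com.au/settle
"""
```

Running `phishing_indicators(SAMPLE)` returns three warnings: the Reply-To domain differs from the From domain, that Reply-To domain looks like xxxx-conveyancing.com.au, and the link host commbnk.com.au looks like commbank.com.au.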
Available Technical Solutions
Despite the best efforts to remain sceptical when it comes to email, it's only a matter of when, not if, someone in your organisation is fooled by a phishing email. Phishing emails are getting so sophisticated that even cyber security professionals are tricked into opening them. Luckily there are multiple technical solutions that can be implemented to reduce the risk of these scams doing damage.
Multi-Factor Authentication - you know when you're asked to enter a number that's sent to you via SMS or shown in an authenticator app before you can log in to something? That's multi-factor authentication (MFA). In the context of email, enabling MFA makes it far more difficult for an attacker to gain control of an email account, as they need that number as well as your password to log in. MFA is so important as part of an overall cybersecurity posture that there is a chapter in this book dedicated to it.
Antispam Software - all email providers have spam filtering functionality, but you can install additional anti-spam software on your email server that takes it to the next level. Tougher rules filter out more spam but can have the adverse effect of preventing legitimate emails from arriving. Emails caught this way are kept in quarantine and can be released on demand after reviewing a daily summary of emails suspected to be spam. Anti-spam software also allows verified email addresses to be added to a permitted list so they always get through.
DNS Filtering - adding known phishing URLs to your DNS server's block list means that if someone does click a link in an email, there's a decent chance the site won't load, because the lookup is blocked before the page is fetched. Hackers keep generating new URLs all the time, but at least the ones we know about can be blocked before any damage is done.
Security Awareness Training - there's a whole blog about security awareness training coming up soon, but when it comes to email it's vital everyone in your organisation knows how to spot a potentially dangerous email. This training can consist of online quizzes, seminars, and practical simulations where a cyber security professional deliberately sends a phishing email to catch out employees not paying attention.