Social Engineering Targets: Email Compromises - A Quick Prevention Guide
By: Frank Gillman & Sean Hoar
More than ever before, malicious actors are targeting email platforms in an attempt to access and monetize sensitive personal information. They often gain access to email accounts through social engineering: inducing unsuspecting account owners to open email attachments that contain malicious code (malware), such as a keylogger that captures the user's credentials, or to type those credentials into a counterfeit login page. If you have an occupational role in which you may be perceived as handling sensitive information, you are a target of malicious actors. If you serve in an executive role, you are a more attractive target. If your responsibilities involve financial or human resources matters, you are at an even higher risk of being socially engineered via email.
How it works and why people fall for it
Malicious actors recognize that the email account of a Chief Financial Officer may provide lucrative opportunities to fraudulently redirect wire transfers. They also recognize that the email account of a Human Resources Director may contain a treasure trove of sensitive personnel information, including W-2 images that can be used to create and file fraudulent tax returns and harvest the stolen refunds.
In order to execute their exploits, malicious actors are constantly conducting reconnaissance on executives who may receive, process, store, or transmit sensitive information in their email accounts. Once they identify a solid target, they launch sophisticated phishing attacks to gain access to the email accounts.
Unfortunately, email compromises often go unrecognized until significant damage has been done. This is due in part to the sheer, unending volume of daily email traffic entering employee accounts, combined with numerous occupational deadlines and tasks that obscure the presence of a malicious actor. Managers and employees appropriately treat any communication from an executive with a sense of urgency regardless of context. Email messages that create a heightened sense of urgency about a sensitive matter prey upon the diligence and responsiveness of dedicated employees. They cause employees to overlook the "red flags" that would identify a malicious message: a demand for rapid response, sensitive content, and a request for confidentiality.
The end result is often significant financial loss, exposure of sensitive data, and lasting damage to the organization's information systems. The best way for an organization to prevent these types of email compromises is to implement a substantive system of administrative and technical checks and balances that verifies the authenticity of important time-sensitive messages, especially those involving the potential transfer of sensitive information or wired funds.
The benefits of multi-factor authentication
From a technical perspective, one of the most effective ways to defend information systems is to implement multi-factor authentication. In addition to requiring a user name and a password to access a system, including an email account, multi-factor authentication requires at least one additional proof of identity. Authorized individuals must combine something they "know," such as a user name and password, with something they "have," such as a unique code generated by or sent to the authorized user's smartphone, or something they "are," such as a fingerprint or other biometric measurement, in order to gain access to the account. One caveat: a one-time code that the user types into a web page can still be captured and relayed by a convincing phishing site while the code is valid, so phishing-resistant factors such as FIDO2 security keys or platform passkeys, which are cryptographically bound to the legitimate site, close that gap.
The purpose of multi-factor authentication is to validate access to online accounts beyond a username and password alone. It prevents a stolen password, whether captured by a keylogger or entered into a phishing page, from being sufficient on its own to hijack a corporate account and use it to send fraudulent messages.
The DMARC defense
The other immediate defensive step is to publish a Domain-based Message Authentication, Reporting & Conformance (DMARC) record for the organization's domain. DMARC builds on SPF and DKIM: it tells receiving mail systems what to do with messages that claim to come from your domain but fail those checks, and it sends you reports about them. Only a record with a policy of p=quarantine or p=reject actually stops spoofed mail; p=none is monitoring only and should be treated as a starting point, not a finish line. Two limits to keep in mind: DMARC protects your exact domain (and, if sp= is set, its subdomains), not lookalike domains an attacker registers, and it only works where the receiving system honors the policy.
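The following is an added example, not code from the original post or from Lewis Brisbois. It parses a DMARC TXT record and reports whether the record would in fact cause receivers to reject spoofed mail, which is the check a practitioner should run before assuming the "DMARC defense" is in place. The two sample records, the domain name and the report format are constructed for illustration; the optional live lookup assumes the Windows DnsClient module's Resolve-DnsName cmdlet.

```powershell
# Added example (not from the original post): parse a DMARC record and report
# whether it actually instructs receivers to reject spoofed mail.
# Assumes Windows PowerShell 5.1 or later. Sample records and domain are constructed.

function Test-DmarcRecord {
    param(
        [Parameter(Mandatory)][string]$Record,
        [string]$Domain = 'example.com'   # hypothetical domain, used only in the report
    )

    # DMARC records are "tag=value" pairs separated by semicolons (RFC 7489).
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $pair = $pair.Trim()
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        if ($null -eq $value) { continue }          # malformed pair, ignore
        $tags[$name.Trim().ToLower()] = $value.Trim()
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($tags['v'] -ne 'DMARC1') { $findings.Add('Missing or invalid v=DMARC1 tag; receivers will ignore the record') }

    $policy    = if ($tags.ContainsKey('p'))   { $tags['p'].ToLower() }  else { 'missing' }
    $subPolicy = if ($tags.ContainsKey('sp'))  { $tags['sp'].ToLower() } else { $policy }   # sp defaults to p
    $percent   = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] }     else { 100 }       # pct defaults to 100

    switch ($policy) {
        'reject'     { }
        'quarantine' { $findings.Add('p=quarantine: spoofed mail goes to spam/quarantine rather than being rejected') }
        'none'       { $findings.Add('p=none: monitoring only; spoofed mail is still delivered') }
        default      { $findings.Add("p tag missing or unrecognised ('$policy')") }
    }
    if ($subPolicy -ne 'reject')       { $findings.Add("Subdomains are not enforced (effective sp=$subPolicy)") }
    if ($percent -lt 100)              { $findings.Add("pct=$percent: only $percent% of failing mail is subject to the policy") }
    if (-not $tags.ContainsKey('rua')) { $findings.Add('No rua= address: you will receive no aggregate reports') }

    [pscustomobject]@{
        Domain          = $Domain
        Policy          = $policy
        SubdomainPolicy = $subPolicy
        Percent         = $percent
        Enforcing       = ($policy -eq 'reject' -and $subPolicy -eq 'reject' -and $percent -eq 100)
        Findings        = $findings.ToArray()
    }
}

# Constructed sample records (not any real domain's records).
$monitorOnly = 'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
$enforcing   = 'v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s'

Test-DmarcRecord -Record $monitorOnly -Domain 'example.com' | Format-List   # Enforcing: False, three findings
Test-DmarcRecord -Record $enforcing   -Domain 'example.com' | Format-List   # Enforcing: True, no findings

# Optional live lookup of your own domain (requires DNS access and the DnsClient module):
# $txt = (Resolve-DnsName -Name '_dmarc.example.com' -Type TXT -ErrorAction Stop).Strings -join ''
# Test-DmarcRecord -Record $txt -Domain 'example.com'
```

Before moving a domain to p=reject, make sure every legitimate sender of mail for that domain (marketing platforms, ticketing systems, the payroll provider) is covered by SPF or signs with DKIM and aligns with the domain; otherwise the policy will block your own mail along with the spoofed mail. The usual path is p=none with rua= reporting, then p=quarantine, then p=reject once the reports are clean.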
For organizations that prefer to outsource this responsibility, or other elements of email security, there are several third party products available on the market that are alternately sized for both enterprise level companies and for small businesses.
Regular review and other protective procedures
Whether you manage email systems internally or rely on outside help, make sure your information security team regularly and formally reviews mailbox inbox rules, mailbox-level forwarding settings, and the audit log of rule changes in Microsoft Exchange or Exchange Online.
It is also prudent to set tenant-level policies that block certain types of rules, in particular automatic forwarding to external addresses. This matters most for organizations on Microsoft 365 (Office 365), where the control is an outbound spam filter setting or a mail flow (transport) rule rather than a Group Policy. When malicious actors compromise an email account, they commonly create a forwarding rule so that copies of incoming messages go to an account they control.
As an example, if a malicious actor intends to fraudulently redirect a wire transfer, they will create rules so that every incoming message containing words such as "wire," "transfer," "bank," and "account" is forwarded to the malicious actor's account and then deleted or moved into a rarely viewed folder, so that it never appears in the inbox. Further rules or manual clean-up ensure the diverted messages do not sit visibly in Deleted Items. The legitimate owner of the account has no idea that a malicious actor is monitoring wire-transfer-related communication in the account. Typically, the harm is not discovered until the owner contacts the client to collect on an overdue invoice, only to learn that the bill was paid on time and that instructions from what appeared to be the owner of the account caused the funds to be sent to a fraudulent account.
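The following is an added example, not code from the original post or from Lewis Brisbois, covering the three preceding points in one script: it hunts an Exchange Online tenant for mailbox forwarding and for inbox rules that match the delete-and-forward-on-keyword pattern described above, pulls the recent rule-change history from the unified audit log, and finally applies the tenant-level controls that block auto-forwarding to outside addresses. It assumes the ExchangeOnlineManagement module and an account with Exchange administrator and audit-log read rights; the keyword list (beyond the four words named above), the list of "hidden" folders, and the transport rule name are assumptions rather than any Microsoft standard.

```powershell
# Added example (not from the original post): hunt attacker-style inbox rules and
# forwarding in Exchange Online, review recent rule changes, then block auto-forwarding.
# Assumes the ExchangeOnlineManagement module; keyword and folder lists are assumptions.

Connect-ExchangeOnline   # interactive sign-in

# Words from the wire-fraud scenario above, plus related terms (assumed list).
$Keywords = 'wire', 'transfer', 'bank', 'account', 'invoice', 'payment', 'ach', 'swift', 'routing'
# Folders attackers commonly use to bury mail where the owner will not look (assumed list).
$HiddenFolders = 'RSS Feeds', 'RSS Subscriptions', 'Conversation History', 'Junk Email', 'Archive'
$OwnDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

function Get-SmtpAddresses {
    # Recipient entries look like: "Display Name" [SMTP:user@domain]  -> extract the address
    param($Entries)
    foreach ($e in @($Entries)) {
        if (-not "$e") { continue }
        if ("$e" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$e" }
    }
}

function Test-ExternalAddress {
    param([string]$Address)
    $domain = ($Address -split '@')[-1]
    return -not ($OwnDomains -contains $domain)
}

$suspicious = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding configured outside of any inbox rule.
    if ($mbx.ForwardingSmtpAddress) {
        $fwd = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
        [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = '<mailbox forwarding>'
                           Reasons = "ForwardingSmtpAddress=$fwd" + $(if (Test-ExternalAddress $fwd) { ' (external)' }) }
    }

    # 2. Inbox rules showing the forward / keyword / hide-or-delete pattern.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $reasons  = @()
        $targets  = Get-SmtpAddresses (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        $external = @($targets | Where-Object { Test-ExternalAddress $_ })
        if ($external) { $reasons += "forwards/redirects externally to $($external -join ',')" }

        $terms = @($rule.SubjectContainsWords) + @($rule.BodyContainsWords) + @($rule.SubjectOrBodyContainsWords)
        $hits  = @($terms | Where-Object { $t = "$_"; $Keywords | Where-Object { $t -match $_ } })
        if ($hits) { $reasons += "matches financial keywords: $($hits -join ',')" }

        if ($rule.DeleteMessage) { $reasons += 'deletes the message' }
        if ($rule.MoveToFolder -and ($HiddenFolders | Where-Object { "$($rule.MoveToFolder)" -like "*$_*" })) {
            $reasons += "moves to rarely read folder $($rule.MoveToFolder)"
        }
        if ($rule.MarkAsRead)          { $reasons += 'marks as read' }
        if ($rule.Name -match '^\W*$') { $reasons += "unnamed or dot-named rule ('$($rule.Name)')" }

        # Any external forward is reported; otherwise require a keyword match plus hiding/deleting.
        if ($external -or ($hits -and ($rule.DeleteMessage -or $rule.MoveToFolder -or $rule.MarkAsRead))) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $rule.Name; Reasons = $reasons -join '; ' }
        }
    }
}
$suspicious | Format-Table -AutoSize

# 3. Who created or changed rules in the last 30 days (unified audit log).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP | Format-Table -AutoSize

# 4. Tenant-wide controls that stop automatic forwarding to outside addresses.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
New-TransportRule -Name 'Block external auto-forward' -FromScope InOrganization `
    -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted'
```

Get-InboxRule is called once per mailbox, so on a large tenant the hunt takes a while; schedule it rather than running it ad hoc. A hit on a rule is the start of an investigation, not the end: the ClientIP and UserId in the audit entry tell you where the rule was created from, and any mailbox with a confirmed malicious rule should also have its password reset and active sessions revoked, since the rule is only the persistence mechanism for an account the attacker already controls.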
Administratively, procedures should be implemented to ensure that any potential transfer of electronic funds is verified out of band by a second person, for example by a phone call to a number already on file for the requester or beneficiary, never to a number or contact supplied in the request itself. Be aware that a voicemail should not be treated as verification; it is easy to create and distribute fraudulent voice messages as part of a sophisticated attack. These protocols should be extended to any financial institutions or financial services firms that may be the source of the funds, so that they do not unwittingly enable the fraudulent transfer.
Another defensive move worth considering, depending on the organization, is to set a maximum amount that any one person in the organization can individually authorize the bank to transfer at one time. Requests above that limit are then forced through direct verification with the bank.
Train your workforce to recognize threats
Finally, engage in regular employee training about the ever-expanding digital threats we all face. Security awareness training should have an interactive component as well. For example, regularly scheduled phishing simulations will leave your personnel best equipped to recognize and resist the phishing attacks they will inevitably receive from malicious actors.
For more advice on how to protect you and your business from socially engineered phishing attacks, contact the authors of this post. Read more about Lewis Brisbois’ Data Privacy & Cybersecurity Practice here.