This post was featured in Equipment Connection – the risk management blog authored by our partners at Hartford Steam Boiler, authored by Monique Ferraro.
Whether it’s a phishing scheme or malware, most cyber attacks originate with an email.
The most pervasive and costly cyber frauds affecting businesses this year are phishing schemes in which the perpetrator claims to be a senior executive, such as the CEO or CFO, requesting a funds transfer or employee W-2 records.
Even companies that have information security training and fairly savvy employees have fallen victim to these scams.
How it works
Usually, the sender’s email looks the same as a trusted, known sender but is not. There may be one letter off or the domain name slightly different, which can easily go unnoticed.
For example, you might receive an email from firstname.lastname@example.org, but the real CEO’s email is email@example.com. Most of the time, the deception is noticeable either due to the sender’s email address or the content of the message. This is especially true when the email is one of a large number sent.
But scammers have changed their tactics recently, moving from a “shotgun approach,” where they send a large number of emails in hopes that a few may be effective, to a more sophisticated model in which they target specific companies and individuals.
Cyber criminals have found that investing time to research their target and to focus their efforts pays off. The FBI reported that from January 2015 to April 2016, it saw a 270% increase in CEO fraud.
Businesses can defend themselves against these types of phishing schemes by employing a combination of measures.
Tip 1: Train Employees
A good first step is to train employees and to continue to reinforce training periodically. This should be offered especially to those who are responsible for accounts payable and human resources records.
Training should emphasize scrutinizing email senders’ addresses, being alert to requests for funds transfers, vendor changes of bank account and address information and content and context of messages.
Employees should be directed to refrain from clicking links in emails and to confirm that the sender sent an attachment before opening it. Even if the email appears to be from a trusted source, employees should copy and paste links into a browser to see what the link is before attempting to navigate to the web page.
Tip 2: Policies
Putting a policy in place to have an in-person or telephone conversation to confirm email requests for funds or personal information can also reduce fraudulent transfers. Most of the CEO scam emails attempt to manipulate the receiver into acting quickly in response to a demand by a powerful person in the company.
Having a policy that requires multiple confirmations in more than one method, such as by phone and return call or in person, can support employees who are reluctant to question what may appear to be a direct order from a chief executive.
Tip 3: Employ Email Authentication
Finally, businesses can make sure that incoming email is authenticated. Authenticating email can greatly reduce the amount of potentially malicious messages received, by verifying that the email originated from the domain associated with the email.
So, the email authentication program would verify that an email from firstname.lastname@example.org actually exists and that the email likely originated from that domain.
Email authentication requires some initial setup and monitoring. If your domain is hosted, it’s worth some time taking a look at how your email is set up to ensure that the proper email authentication schemes are used.
The leading email authentication protocols are SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) and best practice is to utilize the three protocols together.
If you host your own domain, it is worth the time to set up authentication and deploy it together with employee training and instituting security policies to prevent fraudulent transfer of funds or employee data.