You’ve undoubtedly heard a lot about ‘fake news‘, and ‘deep fakes‘. Those issues are big but they’re fairly easy to resolve. In short, if you rely on social media for your ‘News’ you are being manipulated. It is 100% guaranteed. I can give you lots of reasons why, but in short, it is a source with zero oversight of accountability that only exists because people can be seduced by gossip and inevitability rumours spread like wildfire. This is the dark side of social media.
The Cambridge Analytica scandal and the dangers associated were explained well in this CNBC post, when this particular incident first broke last year. Unfortunately, this is not a unique instance. To combat fake news and deep fakes, simply don’t get your news from social media. Get it from reliable news sources who have accountability and oversight.
What are Fake Emails or BEC?
‘Fake email’ are emails you receive from a ‘trusted‘ source that give false information. We call this BEC or Business Email Compromise. It is when the email system of a business is breached or otherwise compromised with the intent of either…
- Gathering Intelligence (Industrial Espionage)
- Gaining a position of trust to commit a criminal act
- Gaining access to the businesses systems to perpetrate further harm.
This is a massive problem at the moment and we are seeing the cases skyrocket of late and this problem will not go away in the near future.
A few ways to guard against BEC.
Unless you AND your correspondent have highly secure email systems (statistically if you own a SME/SMB in the western world only 5% are secure) you can safely set your scepticism meter to high, for any email requests you receive, particularly if they contain sensitive information.
If you need to verify sensitive information (banking details changes, money transfers, requests for privileged access or the like) it is essential to have robust policies and procedures in place in your organisation to always, without exception, verify email requests BEFORE the request is processed. An example of this may be, if a request from anyone comes via email requesting any sensitive information (‘sensitive’ needs to be defined in your policy), it must be verified either in person, or from two trusted sources via telephone calls to known numbers. This may be annoying, however an effective precaution.
A lot of businesses have separate internal communication systems that do not use email, so if an email is received from a member of staff they are instantly on high alert. This creates a very secure email protocol! If our CFO receives an email from my email address requesting a money transfer, I am instantly called on my mobile to verify any request of this nature.
Why is it so?
The internet was designed with access in mind, NOT security. We are all using a system that was not designed for the purpose of cyber security. People are dealing with this ‘not designed for task’ internet by tacking lots of add-ons on to their systems. Some of those help, some do nothing. Personal VPNs for example are a complete waste of time and money for security. Have you seen those adds on TV lately with celebrities saying how a VPN stopped them getting hacked? Not true. They’re great at getting you an international feed of your favourite TV program. But that is all they are useful for.
Some email systems are starting to have the security capability added on. Two of the most popular email systems are Microsoft Exchange / O365, and Gmail by Google, both ‘out of the box’ systems are extremely insecure! There are however add-ons you can purchase from Microsoft and Google (and some third parties), however they are not part of the standard package. Be aware that if you have an email system that came pre-packaged with your web site, it has no security options at all and is very insecure most likely.
There are also the foundational components that make up the internet. DNS is a great one as an example. DNS is the wonderful system that translates those pretty names like google.com into the IP addresses that it really is. (e.g. when you type google.com.au into a browser, DNS translates that into 220.127.116.11 if you are in Australia) – that’s how the internet works. As a basic, out of the box ‘product’, DNS is very insecure. It CAN be secured so you can trust it, but by default, Swiss Cheese as far as security is concerned. But there are solutions to that also SPF, DKIM, DMARC, and DNSSEC are some of them. But let’s not get too technical here.
Can we fix it? Yes We can!
With all due respect to Bob the Builder, it will take more than his incredible skills to fix it. There are ways we can make email systems very secure, and we can make DNS very secure. But the problem remains that BOTH parties need to have secure systems for you to be able to trust email. In most circumstances, you don’t know how good your correspondents’ system are. You can only be sure how secure yours are, (and if it is ‘out of the box’ it is Swiss Cheese).
The good thing about Swiss Cheese, is that is you lay enough pieces on top of one another the holes slowly vanish. That’s why we always recommend a layered approach to security. You can fix the problems, but it requires many layers. People and Polices are very important in these layers.
So what can you do? Continue to educate yourself and others on the preventive measures you can take in order to protect yourself as an individual or as a business. In summary these are the 5 top tips to protect against BEC or Business Email Compromise:
- Have the right security policies in place to mitigate the risk. (e.g. verify requests for sensitive information like money transfers) Cost? $0
- Add the appropriate setting and add-ons to your email systems to improve its security – Cost? minimal
- Secure the rest of your email systems and DNS. This requires some technical expertise – Cost? depends on your system
- Have an overall layered approach to your business’ security. -Cost? Depends on your system
- Don’t send highly sensitive information via email. (e.g. passwords, etc) Cost? $0
About the author: Ross Marston
BIS (Business Intelligence Security Pty Ltd) aim is to remove the fear from cyber security. Their goal is to give SMB leaders the vital tools they need to make informed and proactive decisions, to build resilient and robust businesses.
Ross Marston is Founder and Chief Security Strategist for Business Intelligence Security with over 30 years of technical experience and works extensively with business in breach prevention and resolution, as well as incident response and management.