24 September 2020
3 tips on how to protect against extortion emails
This weekend, several Swedish newspapers reported a wave of email fraud. For example, Göteborgsposten reported on extortion emails that reached thousands of people in Western Sweden, resulting in more than 1,000 police reports, while Aftonbladet reported on emails spreading malware within the Karlstad municipality.
What these cases had in common was that the emails in question appeared to come from a legitimate sender, like a colleague in the case of the Karlstad municipality, or even – as in the emails received by many in western Sweden – oneself. In the latter case, the purpose of sending the message from the person in question's own e-mail address to himself/herself was to "prove" that he or she was hacked and thus be able to extort the person.
”How is this possible?” many are now asking.
So, what’s going on?
Actually, it's not really that complicated. Let's break it down in a number of bullets:
- It is a relatively unknown fact that the email system basically lacks authentication mechanisms that ensure that the stated sender is the actual sender.
- In practice, this means that an email can be sent with a falsified sender appearing exactly as the person you want to claim to be, including the email address your email program (such as Outlook, Apple Mail, etc.) states the message is sent from.
- Despite the widespread misunderstanding that one cannot do anything about this, there are security mechanisms to implement.
- It is important to understand that the responsibility lies with the sender, i.e. the owner of the domain/email address, to prevent fraudulent behaviour directed against oneself - as in many of the cases reported this weekend - and/or within an organisation. Email fraud can also be directed externally against a company's customers, suppliers or individuals in a person's network. The recipient neither can, nor should, be the one responsible for ensuring this.
- In fact, the majority of large Swedish companies today lack this type of security mechanism and therefore risk having their identity stolen.
- Looking at the consequences, the cases reported this weekend resulted in personal financial damage through extortion. However, the financial losses that can arise for companies can reach almost astronomical sums (two examples being industrial giant Leoni and football club Lazio). One question that is seldom discussed, however, is the potential damage to the brand. It is very common for fraud attempts to work by the fraudster using the identity of one company as a means of contacting other companies and/or individuals in order to get hold of money or sensitive information, and/or to spread malicious code.
3 tips on how to protect against extortion emails
- Awareness
In an organization, one should start by carrying out organisational measures, like education and more thorough routines, in order to minimize the risk of someone succeeding in defrauding you. As an individual, you should also keep up to date on what is happening in the digital world. If you are unsure, you should always contact your email provider.
- Basic email authentication
The foundation for the authentication of an email is laid with a so-called "SPF record", which specifies which servers are allowed to send emails from a domain. However, this is usually not set up by default, as many companies use several different providers, for example for sending newsletters. If it is carried out without having the complete picture, it can result in legitimate emails failing to get through. If you are uncertain of which legitimate "sources" you have, you can make an analysis of the flow of emails.
- "Best practice" for email management for organizations
Through a combination of security mechanisms that limit the illegal use of a domain, verify legitimate sources and continuously analyse and report the status of the overall email flow, the risks of email fraud are minimized.