How to avoid CEO-frauds and falsified emails

In May we sent a newsletter on spoofing and other types of email fraud.

Yesterday, eight people were prosecuted in Sweden over thousands of cases in which they had defrauded companies, financial institutions, governmental organisations and one political party using falsified emails. The sum embezzled exceeds 4 million euros. [1]

The methods resemble those used against Leoni AG, a case we have reported on before, where a similar fraud resulted in 40 million euros being transferred to accounts abroad. [2]

When asked whether anything could be done to protect one's organisation against these types of attacks, a security expert on one of yesterday morning's news shows replied that it is "basically impossible". [3]

We disagree, and that is what this text is about: you CAN do something about it.

To provide some background, the types of fraud we are discussing are those where an individual, using email, misrepresents themselves as someone else in order to obtain money, deliver malicious code and/or obtain sensitive or secret information.

There are two basic distribution strategies for email fraud:

  • Phishing
    Phishing is a broad term for fraudulent messages where, for example, an email is made to look as if it was sent by your service provider and asks you to update your credit card number. It usually goes out to a large number of people without precise targeting.
  • Spear-phishing
    Spear-phishing is a more sophisticated attempt at impersonating someone specific, for example a colleague or your boss, asking you to reveal secret information, transfer money and so on. It requires deep knowledge of the targeted organisation, its structure and its internal roles and responsibilities.

You might now ask yourselves; “So, these are the strategies, but how does one succeed in looking like he/she is someone else?”

Here as well, there are two basic methods:

  • Typosquatting/Cybersquatting
    This means using a domain name confusingly similar to the one used by the organisation being impersonated. The fraudster either registers a typo of the name (hence Typosquatting) or registers the correct brand/company name on an available top-level domain (Cybersquatting), and hopes the recipient does not look too closely at the email address.
  • Spoofing
    The more devious of the two is called "Spoofing". The standard email protocol (SMTP) does not itself check that the sender is entitled to use the address in the From header, so a fraudster can send a message that looks exactly like one from the person being impersonated, down to the genuine email address.

As you can see, these two methods are very different, and therefore require different countermeasures.

That said, to call the bluff on someone who has done their homework and sends a sophisticated spear-phishing email using spoofing, you would have to have a sixth sense: the message itself looks genuine.

Now you are probably asking yourselves; “Fine, since you claim to have the secret sauce for preventing email frauds, what do you recommend we do?”

It needs to be said that you and your organisation cannot control how other organisations manage the risk of someone using their identities to defraud people in that, or another, organisation, such as yours.

The damage from fraud is often both financial and reputational. Every organisation has a responsibility to minimise the risk of someone using the identity of the company, or of its employees, to carry out fraud within the organisation or against others.

As a side note, it is remarkable that companies' investments in IT are steadily increasing, yet very little is done to secure the biggest attack vector for cyber criminals: email. There are exceptions. In the UK, the Government Digital Service has made it mandatory for all UK government services to implement many of the measures listed below. [4]

Here are our top tips for avoiding CEO-frauds and falsified emails:

  1. Carry out organisational measures, such as training and more thorough routines (for example, confirming any payment request over a second channel before acting on it), to minimise the risk of someone succeeding in defrauding you.
  2. Realise that this is a SENDING problem. It cannot be said enough that it is not fixed by having a great filter for your incoming email: the spoofed messages go to your customers, partners and colleagues, and only the protections you publish for your own domain let their mail servers reject them.
  3. Monitor your outgoing email traffic to identify who actually sends mail in your domain's name, including the unauthorised senders (this is what DMARC aggregate reports give you).
  4. A first validation of your sending email servers, publishing which servers are allowed to send for your domain (SPF), to minimise the risk of unauthorised senders.
  5. A second validation that signs each outgoing message with a private key and lets the recipient verify it against a public key published in DNS (DKIM).
  6. A comprehensive Domain Name Watch to identify cybersquatted and typosquatted domains that can be used to impersonate you, with legal and technical action taken in parallel.

We know most of you are already working on number 1, and hopefully this message takes care of number 2.

For tips 3 to 6, contact us for more information on how we can help you protect your business.

Sources:
[1] SVT
[2] Leoni
[3] SVT
[4] Gov.uk
