The evolution of email fraud: Risks and protection tips


Marc Chouinard is Email Security Operations Lead at Vircom, an email security vendor based in Montreal, Canada. He has established a reputation as a no-nonsense leader in understanding and acting against threats on a daily basis, and in this interview he talks about email fraud, BEC scams, and the evolution of email threats.


What should large organizations be aware of when it comes to email fraud? What are some of the most overlooked aspects of this threat?

Email fraud creates substantial risk for any organization – the FBI just reported, for instance, that Business Email Compromise has cost organizations more than $12 billion since October 2013. Despite all efforts, there’s no way to be 100% secure against this threat.

The most overlooked aspect of this, however, is probably the relationship of account compromise and email fraud. While spoofing and other more explicit forms of fraud that take advantage of email’s structure and inherent openness are a challenge, fraud that is executed through account compromise (either from phishing or a data breach) is maybe an overlooked “side business” within the email fraud landscape. In this situation, users are being impersonated from within their own accounts because a bad actor has gained access to it, allowing them to impersonate them and their level of authority in an organization with near-impunity.

BEC scams have exploded in the past two years, with cybercriminals successfully exploiting global organizations for large amounts of money. What makes these attacks so successful? What can organizations do today to make sure the risk of BEC scams is reduced?

There are a lot of things that make BEC attacks effective, but there are probably two aspects which most stand out: inattention and lack of awareness. See, most of the time, users are hurried, want to get through with their day, or are simply so overloaded that they don’t stop and think about whether a payment request or other email is fraudulent or not. When you combine this with the fact that most users also don’t know about email fraud threats or what they should be looking for to identify them, it’s easy to see why, when such a targeted attack makes it to a user’s inbox, it can be so effective.

In trying to prevent BEC scams, the main focus of any organization should be threefold: create awareness among your users, establish safe best practices, and deploy the proper protection.

Education on what a BEC scam looks like and some of the tactics commonly deployed (e.g. trying to get wire transfers in a hurry, using familiar phrases or fake invoices) can allow users to think twice when presented with a real scam. Explaining how the FROM field in email works, and how to identify a fraudulent sender address is another great piece of knowledge that can keep users from falling for BEC attacks.

Safe best practices are crucial, but sometimes organizations may not put enough emphasis on them. On the most basic level, no personal email should be used for business transactions (you’d be surprised how often this happens), and any transaction made through email should be verified by a trusty phone call – as long as you can make sure that the person you’re talking to is who they say they are!

Finally, a solution that identifies and quarantines fraudulent email is essential to preventing most BEC attacks. Your users should be able to identify these emails, but it shouldn’t consume their time trying to figure out what email is authentic and what isn’t. Deploying the proper protection, which programmatically filters the hallmarks of BEC attacks (like phony FROM addresses) and identifies tactics used in previous attacks, significantly diminishes the risk to users while also saving them time, further allowing your awareness and best practices programs to function as a “last line of defense” rather than something you need to rely on daily.

How can a newly appointed CISO effectively reduce the threat of email fraud?

Whether it’s a Fortune 500 CISO or simply an IT Director at a 500-employee company, your own awareness of threats and the ability to prioritize your efforts around them is of the utmost importance. We already know that more than 90% of threats start with a phishing email, and hosted malware, ransomware, and fraud directed through email are all on a rapid rise because they’re just so lucrative to cyber criminals. Understanding where a majority of your risks are – and that most of your threats are motivated by the search for easy profits – gives you the ability to anticipate what threats you’ll face going forward. If that’s email, then email protection and cloud security may be your first issues to address; if it’s malicious files or network compromise, then that’s what you’ll need to protect against.

Then, as your effectiveness increases and your priorities evolve, try to look at best practices from other businesses. Learn about their past stories so it will not become one of yours, and if you are ever faced with a crisis, don’t be afraid to temporarily block some services (server ports, traffic, even USB ports) when something occurs to allow for proper investigation of a threat. Often, 30 minutes of downtime is better than a full week of recovering.

Finally, if you’re in the position of addressing email fraud, take the same steps that we’d recommend against BEC. Create awareness, establish safe best practices, and get the right protection. The larger your organization is, the more threats you might face, so vendors and partners with a large breadth of experience and a detail-oriented understanding of threat vectors should give you confidence in the solutions they provide. Your ability to take a collaborative, client-based approach to your security should better suit you all the more.

How does Vircom protect against email fraud? What makes your products truly unique in the marketplace?

Vircom protects against email fraud with specific protection against fraudulent attachments and spoofing tactics. Our modusCloud product leverages cloud-based threat intelligence to identify malicious attachments and imposter threats, while our modusGate product leverages Display Name Phishing Protection, which allows high-authority users within organizations to be specified and extra measures taken against imposters posing as them. Think of cases where a CFO or CEO is being impersonated for a wire transfer, and our products will cover that last mile.

What makes our products truly unique, however, is that we focus on the merging of all available technologies in order to better make filtering and threat protection decisions. Instead of scanning layers on a one-by-one basis, we compile results on all layers and merge them through a “special sauce” scoring mechanism to ensure maximum accuracy and limited false positives in protecting against email fraud and other threats. This not only means that we can anticipate threats from a bottom-up rather than top-down approach, but also that we are not too dependent on any one basis of threat intelligence (and its inherent biases) compared to another – we just have things set up to make the optimal ruling on an email every time.
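The two checks mentioned in this interview, teaching users how the FROM field works and identifying a fraudulent sender address (earlier answer on BEC), and flagging imposters who pose as named high-authority users (the Display Name Phishing Protection described above), can be expressed as a small header check. The code below is an added example written for this page; it is not Vircom's code and does not reflect how modusGate or modusCloud work internally. The corporate domain `example.com`, the list of protected users and the sample headers are all constructed for illustration.

```python
"""Display-name and lookalike-domain check on an email From header.

Added illustration, not vendor code. Assumes a constructed list of
high-authority users (normalized display name -> expected corporate
address) and a single corporate domain; both are hypothetical.
"""
import email.utils
import unicodedata

CORPORATE_DOMAIN = "example.com"  # assumption: the organization's own domain


def _normalize(text):
    """Fold case, strip accents and undo common lookalike substitutions.

    Both sides of every comparison go through this, so a legitimate
    name that happens to contain e.g. 'rn' still matches itself.
    """
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    text = text.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("3", "e"), ("5", "s"), ("7", "t")):
        text = text.replace(bad, good)
    return " ".join(text.split())


# Constructed list of users worth protecting (think CFO/CEO wire-transfer targets).
PROTECTED_USERS = {
    _normalize(name): addr for name, addr in (
        ("Jane Doe", "jane.doe@example.com"),   # hypothetical CFO
        ("John Roe", "john.roe@example.com"),   # hypothetical CEO
    )
}


def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_from(from_header, reply_to=None):
    """Return a list of reasons the sender looks like an imposter.

    An empty list means no BEC-style impersonation indicator was found;
    it does not mean the message is safe.
    """
    display, addr = email.utils.parseaddr(from_header)
    if "@" not in addr:
        return ["malformed-from"]

    reasons = []
    addr = addr.lower()
    domain = _domain_of(addr)

    # 1. Display name of a protected user, but the address is not theirs.
    expected = PROTECTED_USERS.get(_normalize(display))
    if expected is not None and addr != expected:
        reasons.append("display-name-impersonation")

    # 2. An email address stuffed into the display name to fool a quick glance.
    if "@" in display and display.strip().lower() != addr:
        reasons.append("address-in-display-name")

    # 3. Sender domain that only looks like the corporate domain (examp1e.com).
    if domain != CORPORATE_DOMAIN and _normalize(domain) == _normalize(CORPORATE_DOMAIN):
        reasons.append("lookalike-domain")

    # 4. Internal-looking From but replies are steered to an external mailbox.
    if reply_to:
        _, rt_addr = email.utils.parseaddr(reply_to)
        rt_domain = _domain_of(rt_addr)
        if domain == CORPORATE_DOMAIN and rt_domain and rt_domain != CORPORATE_DOMAIN:
            reasons.append("external-reply-to")

    return reasons


if __name__ == "__main__":
    # Constructed sample headers, not captured mail.
    samples = [
        ('"Jane Doe" <jane.doe@example.com>', None),
        ('"Jane Doe" <jane.doe@gmail.com>', None),
        ("Jane Doe <jane.doe@examp1e.com>", None),
        ('"John Roe" <john.roe@example.com>', "John Roe <john.roe.ceo@outlook.com>"),
        ('"jane.doe@example.com" <attacker@evil.test>', None),
    ]
    for hdr, rt in samples:
        print(f"{hdr!r:50} -> {classify_from(hdr, rt)}")
```

The check deliberately normalizes both the display name and the domain before comparing, so `examp1e.com` and `exarnple.com` are caught as lookalikes of `example.com`, but an empty result is only the absence of these specific indicators. It does not replace SPF/DKIM/DMARC evaluation, and a genuinely compromised corporate mailbox (the "side business" described earlier in the interview) passes every one of these tests because the address really is the victim's own.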

How do you expect email threats to evolve in the next five years? What should CISOs pay special attention to?

In the same way that account compromise is an overlooked risk with BEC, the compromise of email accounts could pose a subtle but systemic risk not just to organizations but users in both a professional and personal circumstance. The spread of virtual assistants, connected devices, the Internet of Things and more all mean that the amount of daily functions and data spread out over multiple devices is growing exponentially – and they’re all often authenticated by the same combination of an email and password.

Vendors in these spaces may be taking steps to make this more secure, but while account compromise can represent access to these devices and services, these devices and services could also then represent points of access to networks, whether they’re corporate, public or otherwise.

I can’t say exactly how these threats will play out, but I think the potential risks are only more dangerous as users continue to stay with single accounts and logins, even as multi-factor authentication for these accounts becomes more prevalent. Early adopters and young, budding techies are the most at risk; they’re always trying new things out and sometimes even authorizing functions without knowing what they are. This is definitely a threat that organizations of all sizes should be more conscious of.