Good practice, Part 6: Protect against business e-mail compromise and fraud
E-mail is perhaps one of the most important attack vectors for cyber criminals today. Companies have lost a lot of money due to e-mail compromise and fraud. You should take steps to protect your organization. Here are some scenarios and how to mitigate the risk of becoming the next victim.
E-mail account compromise
The worst scenario is where an attacker gets access to one or more executive e-mail accounts in your organization. This gives them insight into potentially sensitive information and total control over the victim's e-mail.
It would be hard for the victim to notice that anything is wrong. The attacker can send e-mails requesting money transfers while the receiver has no way to tell that the request is not legitimate.
Because they control the victim's inbox, they can reply to any response and remove all traces of such communication.
Since the above requires access to valid credentials, attackers often set up an auto-forward rule in compromised inboxes. This sends a copy of all incoming e-mail to the attacker's inbox, so they keep receiving it even if the victim changes their password.
This gives the attacker insight into the victim's communication and enables them to employ other tactics if they lose access to the credentials.
How to mitigate the risk of e-mail account compromise?
- Train users to guard devices they are signed in to.
- Enable multi-factor authentication.
- Globally deny the option to auto-forward e-mail to external domains on your e-mail server.
Domain impersonation fraud
This scenario is a bit more tricky, since it isn't exploiting your systems directly. Let's say you own the domain “modern-technology.com” and an executive has the e-mail address “email@example.com”. How many would notice that something was off with an e-mail from “firstname.lastname@example.org”?
An attacker could use such spoof domains to communicate with your customers or even some of your other employees.
If they also had a forward rule in place, as mentioned earlier in this article, they could create extremely convincing frauds based on the information they are able to intercept.
How to mitigate the risk of domain impersonation fraud?
- Train users to be suspicious of e-mails that request money or credentials.
- Configure an incoming e-mail filter to detect sender addresses that look similar to an internal address, and flag such e-mails as suspicious or delete them.
- Implement a policy where payment requests via e-mail must be verified on a second channel (e.g. phone) if the amount is larger than x.
- Buy similar-looking domains and configure a “deny all” SPF rule (v=spf1 -all) on them. This tells external receivers with well-configured e-mail filters to drop any e-mails from such domains.
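A minimal version of the look-alike sender check from the second mitigation above, written as an added example (it is not code from the original article). The internal domain comes from the article; the confusable-character table, the edit-distance threshold and the sample addresses are assumptions of my own and would need tuning for a real filter.

```python
import re

# Assumptions for this example: one internal domain (from the article) and a small threshold
INTERNAL_DOMAINS = ["modern-technology.com"]
MAX_EDIT_DISTANCE = 2

# Glyph pairs attackers commonly swap for visually similar ones (constructed, extend as needed)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(label: str) -> str:
    """Lower-case, fold confusable glyphs and drop separators so look-alikes collapse together."""
    label = label.lower()
    for lookalike, canonical in CONFUSABLES:
        label = label.replace(lookalike, canonical)
    return re.sub(r"[^a-z0-9]", "", label)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    for internal in INTERNAL_DOMAINS:
        # The exact domain or a real subdomain of it: only the domain owner can create those
        if domain == internal or domain.endswith("." + internal):
            return "internal"
    labels = domain.split(".")
    sld = normalize(labels[-2]) if len(labels) >= 2 else normalize(domain)
    whole = normalize(domain)
    for internal in INTERNAL_DOMAINS:
        target = normalize(internal.split(".")[0])
        # Same name under another TLD, a confusable spelling, or our name buried in a longer domain
        if sld == target or edit_distance(sld, target) <= MAX_EDIT_DISTANCE or target in whole:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample senders, not real addresses
    for addr in ["cfo@modern-technology.com", "cfo@modern-techno1ogy.com",
                 "cfo@modemtechnology.com", "cfo@modern-technology.co", "supplier@example.net"]:
        print(f"{addr:32} -> {classify_sender(addr)}")
```

Messages classified as "lookalike" are the ones to quarantine or tag for review; exact and subdomain matches are passed through because an attacker cannot register names under a domain you own.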