I have a scary story to share.
Imagine you’re an accountant for your company and you receive an email from your CEO requesting a funds transfer for a time-sensitive acquisition. He says a lawyer will be in touch to provide more details. You get the lawyer’s email, complete with an authorization letter that includes your CEO’s signature and company seal, so you go ahead and make the over $700,000 transfer. The next day you mention the transfer to your CEO, confirming you’d completed it in the timely manner he requested, only to be met with a blank look. He never sent you an email and he never requested a wire transfer.
Horrified yet? As scary as it is, that scenario actually happened to someone last year and is just one example of a growing threat the FBI has dubbed “Business Email Compromise (BEC)”. Between October 2013 and May 2016, 22,143 cases of BEC have been reported to the FBI, in which cyber criminals requested over $3 billion in fraudulent transfers. The FBI’s last tally from February had the total amount requested at just over $2 billion – that’s an additional BILLION dollars that thieves have tried to scam out of companies in the span of just four months.
(source)
These are not the emails scams of yesteryear that were easy to spot. No, these are extremely sophisticated, organized attacks, involving intimate knowledge of the target company and its usual operations so as not to raise suspicion. In some cases, criminals have used malware to access corporate email systems so they can leverage existing billing and invoice requests.
“They have excellent tradecraft and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these emails having horrible grammar and being easily identified are largely behind us.” (source)
Is Digitally Signing All Intra-Office Emails the Answer?
We’ve demonstrated how easy it is to create spoof email addresses and cyber criminals are only getting more sophisticated with their use of social engineering and malware to stage attacks. So what can companies do to help protect themselves from BEC attacks? One option is to standardize on digitally signing all intra-office emails.
Email digital signatures, or all digital signatures for that matter, are applied using a Digital Certificate*. These certificates are issued to individuals (or machines, devices, servers – like with SSL for websites) only after the individual’s identity has been verified by a third party entity called a Certificate Authority (CA), such as GlobalSign.
When recipients open a digitally signed email, they see a little red ribbon indicating that it’s been signed, along with the name of the signer. Since the signature was applied using the sender’s certificate, which was only issued after a strict identity verification process, the recipient can be confident that the email actually came from the sender and is not part of a scam.
Example digitally signed email in Outlook.
Inspection of certificate used to digitally sign an email.
*Note: This is a very simplified explanation. For more details, check out our article on public key cryptography.
Applying signatures is easy and can be automated
Digital signatures are compatible with most enterprise email clients and applying one is generally as simple as clicking a button. Also, most clients can be configured to automatically sign all outgoing mail, so it’s relatively easy to standardize company-wide.
Adding digital signatures to all outgoing messages is as simple as checking a box in Outlook.
Is digitally signing emails going to put a complete stop to the threat of BEC? Realistically, probably not, especially since these cyber criminals are always coming up with new ways to trick victims. However, I do think it’s an easy way to get employees to take a second and think about where the email they receive actually came from. Ultimately the best defense against these types of attacks is probably employee education and training – making them aware that these types of attacks exist and what to look for. The FBI also has some helpful suggestions:
- Be wary of email-only wire transfer requests and requests involving urgency
- Pick up the phone and verify legitimate business partners
- Be cautious of mimicked email addresses
- Practice multi-level authentication.
Learn how digitally signing and encrypting emails protects against phishing and data loss. Download our free eBook: "Email Security Using Digital Signatures & Encryption"
