There’s an imposter in your email, and it’s trying to steal your organization’s money or sensitive information.
Unlike malware, imposter email does not contain attachments or links intended to infect your system. Rather, this scam is harder to detect because the emails appear to come from high-level executives instructing employees to send money or data.
“This is a new trend and it’s a dangerous one,” said Jim Love, CIO of ITWC and host of the recent webinar, The Imposter in the Machine.
Sponsored by cyber security company Proofpoint, the session examined this problem and what organizations can do to protect themselves.
A growing threat
The threat from imposter emails is increasing at a rapid rate, said Mark Guntrip, group manager, email protection at Proofpoint. According to the FBI, there was a 270 per cent increase in identified cases of imposter emails in 2015, but Guntrip said the growth rate is now closer to 1000 per cent. The FBI estimates that losses due to business email fraud were $3.1 billion worldwide over the past three years.
“We’re programmed to think about malware,” said Guntrip. “This is a new breed and all of the solutions that look for malware are missing it.” That’s why hackers are increasing their focus on imposter emails, he added.
Everyone is a target
Imposter emails are a global issue and no one is exempt, according to Guntrip. Successful attacks on big companies make the headlines, but for the small ones, it could be the end of their business.
For individuals, “it’s personal”, Guntrip said. He cited a case of a CFO in New Zealand who lost her job after being tricked by an imposter email. CFOs are targeted almost 50 per cent of the time, followed by employees in HR, Finance and Payroll. The most common requests in the emails are for wire transfers, or for tax information on employee earnings.
“These emails work because they are highly researched and well timed,” said Guntrip. The attackers review corporate web sites and social media to check on the internal reporting structure. They will even wait until the CEO is traveling because it buys a “big window” of time, said Guntrip. In this scenario, an employee might receive urgent instructions from the CEO to transfer funds for a corporate acquisition at a time when it’s difficult to reach the CEO to confirm things. In this case, said Guntrip, “there’s a higher likelihood that the employee will follow the instructions”.
An organization will receive only one or two of these emails, noted Guntrip, making it even more difficult to find them among the thousands sent on any given day.
The solution: battle lines on all fronts
“There’s no silver bullet here,” said Guntrip. “It’s people, process, and technology that really need to come together to stop this threat because it’s so difficult to identify.”
User training is key to addressing the problem because employees are the targets of the attack. It’s also important to have financial authorization policies in place which could, for example, require more than one approval for transactions beyond a certain threshold.
From a technology perspective, it starts with email authentication, said Guntrip. As well, Proofpoint provides a solution that analyzes and classifies email according to a series of risk factors. This is an automated system that assesses the reputation of the sender by analyzing thousands of email attributes, including the sender/recipient relationship, headers and content. It applies a risk factor score to each email, which can then be flagged or sent to quarantine, according to rules set by the user. The organization’s administrator need only review the reports and determine if further action, such as more training, is needed.
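The kind of header-and-content scoring described above can be sketched in a few lines of Python. This is an added example, not Proofpoint's system or anything shown in the webinar; the executive roster, keyword list, weights, thresholds and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical policy data: roster, keywords, weights and thresholds are
# assumptions for this sketch, not values from the article or any product.
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}
REQUEST_TERMS = ("wire transfer", "tax information", "w-2", "urgent")

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def risk_score(raw: str):
    """Return (score, reasons, action) for one raw plain-text message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Trust Authentication-Results only when your own gateway stamped it.
    auth = msg.get("Authentication-Results", "").lower()
    text = (msg.get("Subject", "") + " " + " ".join(
        p.get_payload() for p in msg.walk()
        if p.get_content_maintype() == "text")).lower()
    known = EXECUTIVES.get(name.strip().lower())
    checks = [
        (bool(known) and sender.lower() != known, 40,
         "executive display name on an unrecognized address"),
        (bool(reply_to) and domain(reply_to) != domain(sender), 25,
         "Reply-To domain differs from From domain"),
        ("dmarc=pass" not in auth, 20, "no DMARC pass recorded"),
        (any(t in text for t in REQUEST_TERMS), 15,
         "payment or tax-data request wording"),
    ]
    hits = [(weight, reason) for ok, weight, reason in checks if ok]
    score = sum(weight for weight, _ in hits)
    action = "quarantine" if score >= 60 else "flag" if score >= 30 else "deliver"
    return score, [reason for _, reason in hits], action

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.test>
Reply-To: dana.reyes.ceo@mailbox.test
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=none
Subject: Acquisition payment

I am traveling. Please complete a wire transfer today and keep this confidential.
"""
LEGIT = """\
From: "Dana Reyes" <dana.reyes@example.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Subject: Q3 board deck

Slides are on the shared drive for review.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT):
        print(risk_score(sample))
```

The spoofed sample trips all four checks and is quarantined, while the genuine message from the same executive scores zero; a message that trips only one or two checks lands in the "flag" band for human review.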
The important thing to remember, said Guntrip, is “that these threats are more than malware and we need to change the approach to take action across the organization to stop the imposters.”