We are all aware of the potential for spam and phishing emails to hammer our inboxes on a daily basis. This is why it’s prudent to protect your network with a hosted email filtering service, such as Trend Micro. However, even with the best email filtering service in place, some spurious emails will most likely still make it to your inbox. This is mainly because the criminals who send out such emails are employing ever more sneaky ways to fool their victims.
Although there are hundreds, if not thousands of different types of dodgy emails being sent round, there are two particular types which merit taking immediate action to protect your data and your bank balance. These two types of emails have taken things to the next level in terms of how far these crooks will go to part you or your company from your cash or data.
Urgent Request from the MD to make a bank transfer
An email arrives from your MD, or other senior person who can authorise payments. It instructs you to make an urgent payment to the company detailed in the email. The MD will usually be out of the country or away when this email arrives. The crooks know this as they have most likely sent a phishing email and received an out of office response with the recipient’s job title. They then do some research on your company and establish the hierarchy and who would deal with bank payments. The crooks edit the “From” field of the email so it does indeed look like the MD’s email address and usually use the signature: “sent from my mobile” or similar.
We are aware that globally this type of email con has managed to trick some pretty large companies out of significant amounts of cash. In one instance a US company transferred a six figure sum to the fraudster’s bank account. This may seem incredible, but remember these crooks have done their homework on their victim’s company. They probably know the turnover of the company and possibly some of its clients or suppliers. They have even been known to hack their way into the company’s email system and obtain its contact database. This means that when they send the request for payment, the name may even be that of one of the company’s clients or suppliers, just with a different account number and sort code.
So what can be done to try and prevent this type of targeted attack?
In terms of preventing this type of email arriving, it is actually quite hard as they look like genuine emails. However, there are a number of measures that can be taken to protect your company.
1. Make it the company policy to never make bank transfers based upon the receipt of one email, even if it is from the MD. Do not reply to the email. Use an alternative contact method such as a text or phone call to confirm the payment request. Admittedly this is more about the company’s internal payment methods than the email system but it is an effective way to prevent this type of fraud.
2. If your company has a hosted email filtering service, then implement a policy that will detect any email containing the words “Sort Code”, as this is pretty much a unique term which relates to banking. The email can be tagged in the header with a message of your choice, such as “Warning potential phishing email”. The warning should alert the recipient to the potential risks. It is also possible to quarantine emails containing these trigger words, although this may cause disruption to your accounts department: if a number of genuine emails containing these phrases are received, they will need to be released from the quarantine.
CryptoLocker ransomware in older Office documents (Word, Excel etc.)
This type of threat has been doing the rounds for some time, but we are now seeing a huge increase in how frequently it appears. These emails are worded with titles that are deliberately chosen to lure you into opening the attachments, with subjects such as “Invoice for service” or “Your Order Receipt”.
Opening the attachment will usually run an application which encrypts your data, not just on your PC but on any network drive that you have access to. Once all of your data has been encrypted, a message from the hackers will appear on your screen advising you that your data has “been secured” for you. If you would like access to the data, they will decrypt it for a sum of money that must be paid in Bitcoin. The amounts demanded vary around $500 but can be as much as $5000.
Unfortunately once your data has been encrypted there is no way to decrypt the data without the decryption key, which only the crooks know. You will have to restore your data from the most recent backup, which is not ideal to say the least.
So what can you do to protect yourself from this type of threat?
So far these types of attacks only use old style Office documents, such as .doc/.xls. If you have a hosted email filtering service, then it would be very easy to quarantine all old style Office documents. However, with so many companies still using these old document formats, it means that there might be quite a lot of genuine emails caught in the spam filter that will need to be released.
Alternatively, emails containing attachments in old document formats could be tagged in the message title with a warning to alert the recipient to the potential danger of opening the attachment.
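To make the two filtering measures concrete, the “Sort Code” trigger-word rule from the payment-fraud section and the legacy .doc/.xls attachment rule above, here is an added example in Python (not code from this post and not a Trend Micro configuration). It parses a message as a gateway filter would, reports which rule it trips, and either tags the subject and a header or quarantines it. The header name X-Phish-Warning, the subject tag wording, the trigger regex and the sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed rule set (assumptions, not a Trend Micro configuration):
# the banking trigger phrase, the legacy Office extensions named in the post,
# and the header/subject tags the filter stamps onto suspicious mail.
TRIGGER_PATTERN = re.compile(r"\bsort[\s-]*code\b", re.IGNORECASE)
LEGACY_OFFICE_EXTS = (".doc", ".xls")
WARNING_HEADER = "X-Phish-Warning"  # hypothetical header name
SUBJECT_TAG = "[Warning potential phishing email]"


def body_text(msg):
    """Return the text of the preferred body part ('' if there is none)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def attachment_names(msg):
    """Filenames of all attachment parts, lower-cased for extension checks."""
    return [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]


def assess(msg):
    """List the reasons a message trips the two rules described in the post."""
    reasons = []
    if TRIGGER_PATTERN.search(msg.get("Subject", "") + "\n" + body_text(msg)):
        reasons.append("banking trigger phrase 'sort code'")
    legacy = [n for n in attachment_names(msg) if n.endswith(LEGACY_OFFICE_EXTS)]
    if legacy:
        reasons.append("legacy Office attachment: " + ", ".join(legacy))
    return reasons


def apply_policy(msg, quarantine_legacy=False):
    """Decide deliver / tag / quarantine and stamp the warning onto tagged mail.

    Returns (action, message). Tagging keeps the mail flowing but makes the
    risk visible to the recipient; quarantine is the stricter option that the
    post notes may disrupt an accounts department.
    """
    reasons = assess(msg)
    if not reasons:
        return "deliver", msg
    if quarantine_legacy and any(r.startswith("legacy") for r in reasons):
        return "quarantine", msg
    msg[WARNING_HEADER] = "; ".join(reasons)
    original_subject = msg.get("Subject", "")
    del msg["Subject"]
    msg["Subject"] = f"{SUBJECT_TAG} {original_subject}"
    return "tag", msg


def build_sample(subject, body, attachment=None):
    """Build a constructed test message (optionally with one attachment)."""
    msg = EmailMessage()
    msg["From"] = "md@example.com"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    # Round-trip through wire format so the rules run on a parsed message,
    # exactly as a gateway filter would see it.
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


# Constructed samples modelled on the two scams described in the post.
MD_PAYMENT_REQUEST = build_sample(
    "Urgent payment",
    "Please pay the supplier today. Account 12345678, Sort Code 12-34-56.\n"
    "Sent from my mobile",
)
INVOICE_WITH_DOC = build_sample(
    "Invoice for service",
    "Please see the attached invoice.",
    attachment=("invoice.doc", b"\xd0\xcf\x11\xe0 constructed placeholder bytes"),
)
ORDINARY_MAIL = build_sample("Lunch on Friday?", "Anyone fancy the pub?")

if __name__ == "__main__":
    for sample in (MD_PAYMENT_REQUEST, INVOICE_WITH_DOC, ORDINARY_MAIL):
        action, out = apply_policy(sample, quarantine_legacy=False)
        print(f"{action:10} {out['Subject']}  ({out.get(WARNING_HEADER, '-')})")
```

Run with `quarantine_legacy=True` to see the stricter handling for .doc/.xls attachments; the sort-code rule only ever tags, which matches the post’s advice that quarantining on that phrase risks holding up genuine accounts traffic.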
The most obvious and easiest form of protection is not to open any attachment unless you are expecting it and it has been sent by the correct person/company. However, in the heat of the day in a busy office, it is so easy to accidentally open an attachment. In the event you believe you may have accidentally opened an infected attachment, speed is of the essence. Steps to follow:
1. Unplug the network lead from the back of your PC, or shutdown as soon as possible
2. Call the IT support provider
The above outlines just two of the many thousands of online threats, which are growing rapidly by the day. If you would like to discuss any of the above, or if you have any other questions, please contact us at [email protected] or call 01279 464 470.