Email Spoofing Scenario

September 20, 2018

The accounts team receive an email from their MD (who is currently on holiday in sunny Spain), asking them to pay the attached invoice as a matter of urgency, but with no need to reply as he is going on a boat trip all day and won’t have access. Neither the invoice nor the email from the MD was real, but the accounts team don’t know this, and they’re being asked to ignore the usual policy of 30-day payment terms.

The payment is made and the company is now £2500 out of pocket.


That was a bit too easy wasn’t it?

This type of attack is unfortunately becoming an everyday occurrence, and it’s too easy for cyber hackers to gather the information they need to carry out a very well-planned attack.

Proper staff training and regular awareness guidance are crucial; it’s of no benefit to your company’s security if you skim over the basics in a session and then it’s forgotten. Plans and procedures need to be in place for when anything suspicious or out of the ordinary happens, and the training should be continuous.

The hacker will have gained sufficient knowledge about the company before executing the attack, and he chose this as the most likely method of getting money very quickly.


So how did he know so much about the company?

It’s all too common these days for organisations to list team members and company structure on their websites, and in many cases email addresses as well. Realistically, a name and job title are all they need; the rest is calculated guesswork, but if you’re providing all that information up front, their attack is unfortunately made even easier.


How did they know the MD was on holiday?

Social media – it’s all over his news feed and publicly accessible. When people hear the words ‘cyber security’ it’s often associated with the business world, but these safeguards also need to be adopted in personal lives outside of work. Attackers will use any means they can to get information about the person or company they are targeting, and if you have two-factor authentication on your email but the privacy settings on your social media aren’t locked down, you’re more vulnerable than you think.


What should have happened and could it have been prevented?

First and foremost, the company in question didn’t have the proper cyber security measures in place. They weren’t Cyber Essentials certified, so a lot of it was guesswork and assumptions.

Staff members weren’t receiving regular cyber awareness training. In this particular case they should have been trained to spot a spoof email, even if it looks real and appears to be sent from a known email address.

The email request from the MD was very out of the ordinary, and although this seems like an obvious trap, the attackers prey on the fact that staff members are busy and sometimes not concentrating on what they are doing. Even if the request from the MD is questioned, they might skim over an email address that looks real and not spot the cleverly added ‘extra letter’ within the domain name, and so never question whether it was actually sent from the known source.

If proper security procedures had been in place, the chances are that email would never have arrived in the first place, but such emails do still get through sometimes, and it’s in these instances that we must be cyber aware and vigilant.
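To make the ‘extra letter’ trick concrete, here is an added example (not code from the original post or from any product the post refers to) of the kind of check a mail filter or a vigilant finance team could apply: it compares the sender’s domain with the company’s own domain using edit distance, so a domain one letter away is flagged as a lookalike, and it also flags a known colleague’s display name appearing on an outside address. The company domain, the staff names and the sample headers are all constructed placeholders.

```python
# Added example, not part of the original post: flag sender addresses that are
# near-misses of the company's own domain (the "extra letter" spoof) or that
# borrow a known colleague's display name on an outside address.
from email.utils import parseaddr

# Constructed placeholders: in practice these come from the organisation's
# own directory, not from the email being checked.
TRUSTED_DOMAINS = {"example-accounts.co.uk"}
KNOWN_STAFF_NAMES = {"managing director", "finance director"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character inserts, deletes
    or substitutions needed to turn a into b. One added letter = distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_from_header(from_header: str):
    """Return (display name, domain), both lowercased, from a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Classify a From: header as 'trusted', 'lookalike',
    'display-name mismatch' or 'external'."""
    name, domain = split_from_header(from_header)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A domain within a couple of edits of our own is the classic
    # extra-letter / typo spoof described in the scenario.
    if any(edit_distance(domain, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    # A colleague's name on an outside address deserves a second look too.
    if name in KNOWN_STAFF_NAMES:
        return "display-name mismatch"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers modelled on the scenario above.
    samples = [
        "Managing Director <md@example-accounts.co.uk>",
        "Managing Director <md@example-acccounts.co.uk>",  # extra 'c'
        "Managing Director <md@webmail.example>",
        "Supplier Billing <billing@supplier.example>",
    ]
    for header in samples:
        print(f"{classify_sender(header):24} {header}")
```

A distance of 2 is a reasonable starting threshold for a domain of this length; for very short domains it will produce false positives, so tune it per organisation. A ‘lookalike’ or ‘display-name mismatch’ result should not block mail on its own, but it is exactly the prompt a payment process should require before anyone overrides the usual payment terms.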

This is just one example of the tactics used by these criminals. Not everybody falls for this scenario, but some do, and it’s your ‘human firewall’, rather than any technical measure you have in place, that will stop it.

There are far more complex and clever tactics available if need be, so there is little point in having the best security software in place if your staff are the weakest link in the chain.

Most attacks happen from the inside, sometimes on purpose, but the majority of the time very innocently and unintentionally. If you don’t have the proper internal safeguards, then what you have on the outside becomes very vulnerable.

For more information on training your ‘Human Firewall’ or becoming Cyber Essentials certified, please get in touch, or feel free to give us a call on 01323 287828.