Why your email security is your financial security
Smart policies and training can help you stay a step ahead of cyber crime
On average, U.S. companies lose $15.4 million per year to cyber crime, according to research conducted by the Ponemon Institute of Cyber Crime and sponsored by Hewlett Packard Enterprise. In many cases, employees are unwitting accomplices—through common email practices and habits. Email security isn’t just about company secrets—it’s the number one way cyber criminals gain access to financial accounts.
Email has become the standard mode of business communication. It is also a common starting point for online fraud and identity theft. Cyber criminals constantly find new and ingenious ways to exploit email. Once an email account is compromised, the thief can fraudulently gain access to corporate or consumer cash, or simply disrupt daily business operations by disseminating malware and viruses.
The rise of social engineering
Many forms of online or offline business fraud are based on the concept of social engineering, in which the perpetrator psychologically manipulates an employee into taking action that will ultimately cost your company time and money.
Social engineering preys on your employees’ good intentions. Most professionals, from rank-and-file to senior leadership, are motivated to help clients, solve problems quickly and protect their own positions. Faced with a seemingly legitimate request for assistance, a well-meaning employee will naturally respond to a carefully crafted fraudulent request without pausing to consider fraud risk.
Typical social engineering approaches result in the following:
- Transferring cash
- Divulging login data or account numbers
- Executing a wire transfer
- Downloading malicious software
- Allowing someone to remotely control the employee’s computer
Phishing relies heavily on social engineering, often by exploiting the public trust in well-known corporate brand names. Phishing emails and websites can be very convincing and closely mimic legitimate brands.
First, the perpetrator sends an email message that appears to be from a legitimate, recognizable company, asking the recipient to verify his or her account or update their billing information by clicking a link. The link opens an online form or web page that appears genuine—but actually was created by the cyber criminal to collect logins, account numbers or other sensitive data from gullible users.
Variations of phishing scams include spear phishing (targeting individuals), vishing (phishing via telephone or in a face-to-face encounter) and SMiShing (via SMS text messaging).
Email account hijacking
Even in our password-protected society, an email account hijacker is able to take control of an account and use it to send emails, often spreading malware or viruses.
Attackers may hijack hundreds of accounts at once or target an individual user to gain control of their identity and access to confidential information. Cyber criminals can also hijack online accounts, including those used for cloud-based services, or even an entire desktop computer or server.
Business email compromise (BEC)
Companies that regularly make wire transfer payments to foreign suppliers or other businesses are particularly at risk for BEC scams, in which an employee unwittingly authorizes a wire transfer or electronic check payment to a wrongdoer.
BEC attackers typically research their victims to target those in a position to execute large electronic cash transfers, and they use phishing tactics and/or email hijacking to do their dirty work. In a common scenario, someone masquerading as the CEO emails the corporate controller with an “urgent” request for a funds transfer to a particular trade account. Or a “vendor” sends an urgent demand for payment to ensure continued delivery of goods or access to an account.
One of KeyBank’s local family-owned business clients recently fell victim to a hacker who sent an email from the father and founder of the company to his son, who is the company’s treasurer, requesting that he transfer money to pay a vendor. The son completed the wire transfer only to find out later that his father had not, in fact, requested that he do so.
Another local client responded to an email that appeared to be from a trusted, legitimate source that resulted in an ACH transfer of $250,000. The error was caught quickly, but recouping the full amount of the transfer was a cumbersome and time consuming process that included FBI intervention.
What can you do? Train, test, repeat.
While no one can predict every form of cyber crime and fraud, every company can protect itself by training employees in ways to safeguard sensitive data and protect corporate resources. Most important, employees should understand—and always follow—company policies and practices regarding Internet safety.
One-time training is not enough. Ongoing awareness and periodic testing will help keep employees on the lookout for email intruders and imposters, and in compliance with security policies. At KeyBank, this includes “false phishing” test emails, whereby the company sends what appears to be a phishing email to employees, which can then be used as a coaching incident for employees who were tricked into opening it.
Critical email policies include the following:
- When in doubt, delete. Advise employees to avoid downloading “.exe” attachments that may introduce malware or viruses. These emails should be deleted without opening.
- Avoid unfamiliar links from unknown sources. Never click on an unfamiliar link embedded in an email, and don’t provide confidential information in response to an unsolicited email or SMS text message.
- Keep passwords strong—and secret. Account passwords should be long, with a mix of uppercase and lowercase letters, numbers and symbols. All passwords should be kept private and should never be provided via email. Update passwords regularly.
- Stay suspicious. Employees should be especially mindful of emails requesting specific and significant cash transfers—especially if the CEO or CFO is on vacation. If an email requests an “urgent” electronic payment, the employee should contact the requesting person or organization directly via a trusted phone number to confirm whether the request is valid.
- Keep software updated. Communicate with employees when software and security “patches” are available.
- Consider dual control. Require approval from two people for wire or ACH transfers. If an attacker is tracking an employee’s keystrokes, he or she can easily obtain that person’s passwords. Requiring signatures from two people helps prevent a stolen password from resulting in stolen money.
Cyber crime is a threat for all businesses, but smart policies and consistent employee training can help you stay a step ahead of the perpetrators.