Email Phishing background
Email phishing frauds have been on the rise since the early 90’s.
A group of hackers that called themselves the warez community carried out the first Email phishing attack.
The group created an algorithm that allowed them to generate random credit card numbers to open AOL accounts. Those accounts were then used to spam others in AOL’s community.
Related: 9 Popular Phishing scams
The internet has not only helped connect people all over the world but has also left business and organizations open to attacks.
According to Symantec’s 2018 Internet Security Threats Report:
Spear-phishing emails emerged as by far the most widely used infection vector, employed by 71 percent of groups.
A case of Human Error while handling email phishing
Given the nature of the email eco-system, no matter how secure the email platform is, the weakest link is the human.
Organisations regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them.
According to a Verizon cybersecurity report:
An attacker sending out 10 phishing emails has a 90 percent chance that one person will fall for it.
- If your domain is acmecorp.com and your customer receives a mail from acmecarp.com (o changed to a), the customer may not notice the difference and may act on the contents of the email.
- A malicious user can send a mail to your customer from another mail server, masquerading your domain acmecorp.com.
If the receiver mail server is a good quality mail server, such a mail will be marked as SPAM since the receiver server would inspect the DNS records of acmecorp.com and confirm the SPF, DMARC, DKIM records and figure out that this particular mail never originated from an authorized acmecorp.com mail server.
However, if the receiver server is a low-quality mail server, it will deliver the email to the user and now it is up to the user to recognize the fraud.
- A user received a mail from his chairman, with some instructions. The user responded to the email with the required information, before realizing that the mail was actually not from the chairman.
While the name of the sender was the same as chairman’s name, the email id was a public email id. So technically it’s a legitimate email from valid email id. The display name can be set to anything.
Most email clients simply show the display name, when you read the email. So it may be misleading.
In all these cases, technically your email id has been spoofed, without even using your email platform.
The consequences of the actions of your customer are neither your responsibility nor of your email platform.
How does Mithi SkyConnect control email Phishing and Email Fraud?
Our solution is enabled with and protected by strong controls to ensure that emails sent and received from our system cannot be intercepted and modified.
Some of the controls we deploy:
- All traffic to and from our service is encrypted, which prevents eavesdropping or tampering.
- All access to the service is via authentication, which is controlled by strong password policies
- Mithi SkyConnect is running ATP (advanced threat protection) and uses sand-boxing to filter malware.
- While sending emails from our service, the system checks for spoofed email, to ensure that the “sender email id”, “sender’s password” and the “sender’s claim as sender” are all in sync. This means that only I can send a mail from my ID.
- We recommend and work with you to deploy DKIM, DMARC and SPF records in your DNS to help you receivers confirm that mail coming from your email domain are actually sent by authorized mail servers
For a full list of security controls, please read this.
Our Recommendation: Introducing processes to minimize instances of Email Phishing
To help secure our customer’s email flow, we recommend a combination of People, Processes and Technology.
We suggest the following policies to be deployed, in addition to the tight security controls provided by SkyConnect:
- While making financial transactions, the customers/vendors have to be sensitized to review the information they receive by an alternate method like a phone call.
Alternatively, we strongly suggest not to use email but instead use an authenticated application portal, where you can enter requests for payment etc.
This would be something similar to a ticketing system.
- If you must send sensitive information over email, then encrypt and digitally sign the email to secure the communication.
Limit it to ONLY the 2-3 people who are privy to this conversation.
This can be done from Baya3, Thunderbird or Outlook by using the sign email feature.
- Put in a filter on the inbound mail scanner to insert a message for mail coming from external domains to alert the users.
- Build awareness among the user community to be more vigilant before responding to external email asking for personal information, financial information and other classified information.
This should be done on an ongoing basis using classrooms, videos, FAQs, and email alerts.
Report the mail as abuse on the sending platform, so they can take appropriate action.
We propose that you also report this to the local cyber-crime unit of your region.
These units can authoritatively ask the public email solution provider or the sender’s IT team for more information to locate the user via the IP address.
Strong security controls and a strong complimentary process can minimise instances of email phising and email fraud in your business.