Email frauds have been on the rise since the early 90’s. The first phishing attack recorded was carried out by a group of hackers that called themselves the warez community. The group created an algorithm that allowed them to generate random credit card numbers to open AOL accounts. Those accounts were then used to spam others in AOL’s community.
Since then, the explosion of the internet has not only helped connect people all over the world but has also left business and organizations open to attacks. According to Symantec’s 2018 Internet Security Threats Report, “Spear-phishing emails emerged as by far the most widely used infection vector, employed by 71 percent of groups.”
A case of Human Error
Given the nature of the email eco-system, it is well known that no matter how secure the email platform is, the weakest link is the operator, who is a human.
Organisations regularly remind users to beware of phishing attacks, but many users don’t really know how to recognize them. According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90 percent chance that one person will fall for it.
- If your domain is acmecorp.com and your customer receives a mail from acmecarp.com (o changed to a), the customer may not notice the difference and may act on the contents of the email.
- A malicious user can send a mail to your customer from another mail server, masquerading your domain acmecorp.com. If the receiver mail server is a good quality mail server, such a mail will be marked as SPAM since the receiver server would inspect the DNS records of acmecorp.com and confirm the SPF, DMARC, DKIM records and figure out that this particular mail never originated from an authorized acmecorp.com mail server. However, if the receiver server is a low-quality mail server, it will deliver the email to the user and now it is up to the user to recognize the fraud.
In both the cases, technically your email id has been spoofed, without even using your email platform. The consequences of the actions of your customer are neither your responsibility nor of your email platform.
How does Mithi SkyConnect control email fraud?
Our solution is enabled with and protected by strong controls to ensure that emails sent and received from our system cannot be intercepted and modified. Some of the controls we deploy:
- All traffic to and from our service is encrypted, which prevents eavesdropping or tampering.
- All access to the service is via authentication, which is controlled by strong password policies
- While sending emails from our service, the system checks for spoofed email, to ensure that the “sender email id”, “sender’s password” and the “sender’s claim as sender” are all in sync. This means that only I can send a mail from my ID.
- We recommend and work with you to deploy DKIM, DMARC and SPF records in your DNS to help you receivers confirm that mail coming from your email domain are actually sent by authorized mail servers
For a full list of security controls, please read this.
Introducing processes to minimize instances of Fraud
To help secure our customer’s email flow, we recommend a combination of Process and Technology. We suggest the following policies to be deployed, in addition to the tight security controls provided by SkyConnect:
- While making financial transactions, the customers/vendors have to be sensitized to review the information they receive by an alternate method like a phone call. Alternatively, we strongly suggest not to use email but instead use an authenticated application portal, where you can enter requests for payment etc. This would be something similar to a ticketing system.
- If you must send sensitive information over email, then encrypt and digitally sign the email to secure the communication. Limit it to ONLY the 2-3 people who are privy to this conversation. This can be done from Thunderbird or Outlook by using the sign email feature.
Thus, by using strong security controls and a strong process to compliment that, you can minimize instances of email fraud in your business.