Email correspondence is second nature in today’s digital world because of all the inherent advantages it affords. Foremost among these is that it provides a dated written record, which can be easily located and reviewed whenever required. The most exciting thing about email is that it can be accessed from anywhere in the world on a host of different devices. Today, it is integral to daily life, but what happens when someone hacks your email account?
Recently, two big Indian conglomerates were forced to pay US $5 million each in order to prevent hackers from disclosing information. In one case, the company’s email system was compromised, while in the other, hackers were able to gain remote access to the company’s IT system to steal sensitive information. They kept reading and even downloaded all correspondence between employees and clients.
In another widely discussed case, the Oil and Natural Gas Corporation Limited lost Rs 197 crore after cyber criminals duplicated the public sector firm’s official email address with minor changes and used it to convince a Saudi Arabia-based client to transfer payments into their bank account. According to a public service announcement released by the Internet Crime Complaint Center, between October 2013 and December 2014, there were nearly 1200 people in the USA and a little over 900 in other parts of the world who became victims of the malpractice.
Hackers usually target businesses that work with foreign clients/suppliers and make monetary transactions on a regular basis. They usually attack using compromised email accounts as the springboard for diverting company funds meant for legitimate vendors. Most banks where such illegitimate funds got transferred are based in China and Hong Kong.
Primarily, there are three types of business email compromise scams. First, hackers get into the email IDs of people in the Finance department using simple phishing, whereby a user is asked to change their user name and password in a mail seemingly originating from the IT department. Once the mail account is compromised, client details are identified.
Second, the email sender impersonates an executive at another company. The spoofed sender information uses lookalike domain names that closely resemble the corporate domain names of the organisation being impersonated. The spoofed sender appears to be with an actual reseller or distributor with a pre-existing corporate relationship with the targeted organisation. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. Attached to the email is a PDF containing wire-transfer instructions, including a bank name and account number. Third, mail IDs and other useful information are collected from professional and social media websites such as Naukri or LinkedIn.
However, there are a few easy steps through which organisations can protect their businesses from email compromises. One has to sensitise employees to such scams to ensure that any suspicious mail is reported to the IT team. Moreover, organisations should adopt "Two Factor Authentication", which helps in integrating mail accounts on disparate platforms and protocols; this makes it much easier for users to secure their credentials. Finally, users can add digital signatures to their mails to validate their authenticity.