Fraudulent Email in Business
Have you ever been contacted by a customer, vendor or other business associate asking the question “Did you send me this email?” As a cybersecurity professional, I applaud people who take this step to verify fraudulent emails before acting on them.
Do not be alarmed, upset, or embarrassed if you receive such a question. Email is inherently forgeable. Anyone can register an email address and fake the sender’s name. For example, anyone can set up an email address “firstname.lastname@example.org” or something similar, and fill out the new user form stating their name is “Bill Gates”, even when it is not their name.
Once a forged email address is set up, one simply has to craft an email that tricks the recipient into disclosing information or clicking on a malicious web site link. If the fraudster has even one copy of a legitimate email from Bill Gates, in this example, the faked email can be made all the more convincing, complete with email signature and fonts that match legitimate email.
Gone are the days of bulk email spammers. We are now in the brave new world of focused fraud attempts using email. Spammers harvest email addresses from web sites of complimentary businesses, hoping to play them off each other.
For example, realtors emails are being forged and sent to mortgage brokers, bankers and title companies, and vice versa. Spammers attempt to trick the recipients into disclosing financial information.
Another example is forged emails from construction companies to bankers, escrow finance companies, and commercial real estate brokers.
What should I do?
What can you do about spammers sending fraudulent emails with your name on them? In short, not a lot.
Technology solutions to the problem have been tried, but have not worked, to date. Sender protection framework (SPF) was intended to be a “caller ID” for email, proving that email sent from Company X really did come from email servers that Company X has approved as valid senders. The flaw is that until everyone receiving email requires that email have the “SPF stamp” in place, spammers can still forge any email they wish. Still, consider establishing and using SPF for your outbound email. It may not solve the problem but it can help.
Focus on ensuring that your employees are regularly educated on cybersecurity risk, and that they are on alert to fraudulent email attempts. It’s always better to verify an email request with a phone call than it is to trust email exclusively for a conversation. If you would like help in educating your employees on cybersecurity risk, please contact Michael Senkbeil at Chortek for more information: email@example.com