First up, while this incident relates to a new customer of ours, all of the names (including the service providers in question) have been changed to fictitious ones. We’re not seeking to point the finger at any one system or individual but would like to illustrate how easy it is to become a victim without the proper systems and procedures in place.
Hello, it’s Robert, how can I help?
Can you help us, we’re looking for someone to provide secure email and possibly build us a new website?
Yes of course, that’s what we do! Have you got a problem?
Yes, our email account has been hacked!
It turns out the company, a very small SME, had recently had their on-line email account hacked and someone was using it to send emails to their customers. The email was pretty straight forward and business-like but it asked the recipient (the customer) to change their (the supplier) bank account information.
That, for me, would have sent alarm bells ringing, but for this customer it seemingly didn’t and they duly did as they’d been asked.
Two weeks later the supplier chases their customer for non-payment of last weeks invoices, via email. He then receives a response, he thinks from their customer, claiming they had an issue but that was cleared up and the payments would go through in the next day or so.
Another few days pass and still no money has been transferred.
A telephone call and more emails eventually establish something is wrong. Then the fake emails and account changes come to light, including several emails where the fraudster has intercepted the check/response emails and had substituted his own messages back and forth so that both the supplier and his customer had thought things were all OK.
The last time I spoke to the supplier, the customer had still not paid him in full and although the police and solicitors were now involved he has no confidence in their ability to fix anything for him.
The whole incident raises many questions, not least of which is “who had been defrauded?”
We haven’t done any forensics on the hack, things had gone too far for that and anyway that’s not our bag. However, there were a couple of issues I raised immediately to try and help understand what had happened and what to do next.
What were the online email service and the account/users that were compromised?
It turns out that it’s one of the most well-known and well-used email systems but with a very generic username which was being used by multiple people within the business, and they therefore shared passwords.
I did ask them about passwords and they did give me examples of what they had used and assured me that they changed them regularly. It seemed to me to be, on the face of it, a reasonable approach. However they hadn’t turned on any two-step or two factor authentication, and as we all know, passwords (especially shared passwords) will be compromised, eventually.
Generic email accounts
Generic email accounts like firstname.lastname@example.org, don’t give a great impression from a business perspective and can’t really be controlled in the same way as a domain specific account such as email@example.com can. This makes them more vulnerable to spoofing and misuse.
Sharing of passwords is never a good thing. Sharing inevitably will mean they get shared with the wrong people. Shared passwords mean that it’s impossible to identify the actual person who used the password and your audit trail is compromised.
The customer in this case should not have changed the bank account details on such a “flimsy” request, i.e. just a generic email. However, in the light of no other reasonable means of validating the request or written policy, the individual concerned may have thought they were doing just what they were asked.
Who Was Defrauded?
The big question, the £50,000 question indeed, for this was the amount stolen or misdirected to the fraudster’s bank account. The customer was indeed the person who was defrauded.
How Can You Protect Your Business?
There are many things you can do to protect your business data including implementing two-factor authentication, but you need to start with staff education. No matter how sophisticated your systems are – if employees aren’t vigilant and don’t know how to spot a sophisticated phishing attack then you are vulnerable. If you’d like to see just how many of your corporate emails are exposed online please click here.