• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Industry News   »   Email may not be a safe mode of communication

Email may not be a safe mode of communication

  • Posted on:March 7, 2016
  • Posted in:Industry News
  • Posted by:
    Noah Gamer
0
Email may not be as secure as many people might think.

Email has moved into the center of communications. This is especially true within the business sector, seeing as The Radicati Group discovered that the average employee sends and receives 122 emails every day. This digital means of discussion is incredibly convenient and quick, but it is far from a perfect system. 

A new form of cyber crime has been ravaging business and shaking confidence in email communications. Dubbed business email compromise (BEC), this malicious act involves hackers accessing a certain company email address in order to request fraudulent fund transfers. 

What does BEC look like?

A BEC attack, like just about every other scam, generally starts with a lot of research. The hacker needs to know who is in charge of the money within an organization as well as the people this employee regularly communicates with over email. Once all the relevant information is gathered, the real work can begin. Actually accessing the intended email account can involve more sophisticated techniques including keylogger malware, or it can be a much simpler social engineering attack. 

Although the end results are usually the same, there are different types of BEC that Trend Micro researchers have observed. The first involves a hacker using an email to pose as a supplier, asking an employee at a separate company to send money for a fraudulent invoice. If a cyber criminal doesn't think staying outside the company will work, he or she might opt to leverage the email of a worker within the organization. One example of such a case would be the opposite of the previous, where the hacker poses as an employee at an outside company for bogus invoice payments. 

However, perhaps the most important BEC for the average worker to know about is CEO fraud. As the name would suggest, this is where the cyber criminal gains access to the email of an authoritative body – such as the CEO or other high-ranking official – and asks a lower employee to send a wire transfer to a fake account. People are often quick to please the higher-ups of their company, a level of loyalty cyber criminals are banking on. 

Even the CIA is at risk of email compromise

The reason BEC is such a frightening concept is that it doesn't take a whole lot of technological knowledge. There are obviously more advanced techniques to access emails, but the hack of CIA Director John Brennan's AOL account shows that human error is incredibly easy to exploit. 

The cyber criminal involved in this plot used a simple social engineering scheme to gain access to Brennan's email. By collecting data online about him, the hacker was able to fool Verizon into giving up personally identifiable information that would then be used to reset Brennan's AOL password. 

This particular event culminated in the cyber criminal posting Social Security numbers and other information found in the account on Twitter. While this attack didn't directly involve fraudulent money transfer like a standard BEC scam, it shows just how easy it can be to gain access to a person's email. If the Director of the CIA can have his personal account compromised, who else is at risk?

What can the average administrator do to fight BEC?

Trend Micro recommends that company officials wishing to avoid BEC should begin by educating their employees. The only reason a hacker was able to gain access to Brennan's account was the fact that a Verizon employee gave the criminal the information he needed without adequately verifying who this person was. Workers need to know that hackers are willing to pose as someone else for a payday, and they need to stay vigilant to avoid a major financial catastrophe. 

On a similar note, any transfer of funds that can be considered out of the ordinary – such as a change in account information from the other party – should be confirmed in a secondary mode of communication outside of email. Preferably, this would take the form of an in-person meeting about the matter, but this obviously isn't possible in all cases. A phone call to a number that is known to be correct is the next best option, as it at least allows the employee to decide if the person's voice is correct. 

Related posts:

  1. That’s not my boss: How to know when business email accounts have been hacked
  2. Business email compromise: Who’s most at risk and what’s at stake?
  3. Email breaches: All it takes is one to wreak havoc on an enterprise
  4. What do you need to know about email security?

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Detected Cyber Threats Rose 20% to Exceed 62.6 Billion in 2020
  • Trend Micro Recognized on CRN Security 100 List
  • Trend Micro Reports Solid Results for Q4 and Fiscal Year 2020
  • Connected Cars Technology Vulnerable to Cyber Attacks
  • Trend Micro Asks Students How Their Relationship to the Internet Has Changed During COVID-19
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.