Technology has changed the way we do business. That is true of nearly every industry, and it is equally true for criminals and con artists. What started as “Nigerian Prince” email scams has evolved into detailed, targeted attacks that turn our reliance on technology into a weapon against us. In the InfoSec community we call this “social engineering,” “psychological attacks,” or “digital con jobs”; the payment-fraud variety described below is also known as business email compromise (BEC).

A Difficult Situation

It’s Friday afternoon, and your boss emails you, from what looks to be their personal email account, to say that one of your vendors is demanding that a late payment be made immediately. If the payment hasn’t cleared by Monday, the vendor will cancel your orders, and the knock-on effects could cost you significant capital. Your boss has included the wire transfer details for the vendor in question, and has even named another executive you should tap to co-sign the transfer.

You look at the email. The signature is right, the name is right, and they even called you by the name you go by (let’s say Danny, not Daniel). The urgency of the language makes you hesitant to second-guess it. Maybe this kind of request is actually routine, so your guard isn’t even up. You initiate the wire transfer and call the second executive to have them endorse it. You’ve just handed a con artist a nice payday.

This kind of attack, while it leverages technology we use every day, is not a technical attack in the usual sense. The email was sent by a legitimate mail server (the attacker really does control the outside account it came from, so sender-authentication checks such as SPF and DKIM pass for that account’s domain), there were no viruses or malicious links, and nobody stole your data. All it took was knowledge of a few key names in your company and a well-crafted pretext. Anti-virus and a firewall cannot stop this kind of attack.

Process Problem vs. Technology Problem

The best way to avoid the situation laid out here is to have a rigid set of internal policies for how payments are requested and executed within your company. Imagine the same scenario, but every employee had been trained that they must pick up the phone and confirm by voice, using a number already on file rather than one supplied in the email, before making any transfer over $500. Requiring that second, out-of-band confirmation would have stopped this attack before it started.

Technology Can Still Help

This style of attack uses a vector that security tools can’t fully block, but a few technology tricks can help:

  • Your email client can be configured, with a few rules, to flag or categorize messages that originate outside your company. Key the rule on the sender’s address or domain, not the display name, since the name is free text the sender chooses. If a message says it’s from Your Boss but is categorized or flagged with a purple icon, you know to give the request additional scrutiny.
    (Image: Your Boss Purple Flag)
  • OS X Mail.app can be configured to always show the full email address next to the sender’s name (turn off “Use Smart Addresses” in Mail’s Viewing preferences).
    (Image: Expose Full Email Address)
  • Many email systems let you set up an address that only insiders can send to. Consider making it internal policy that all payment requests go to a specific address (e.g. paymentrequest@yourcompany.com). That address, with the restriction enforced on the mail server rather than by convention, accepts only mail sent from inside your organization and forwards it to the appropriate people. In addition, the subject line can be tagged [PAYMENT REQUEST], and your mailbox rules can flag, categorize, or file these messages as you see fit; a payment request that arrives any other way is, by definition, suspect.
  • Using email rules, you could set up a second “Inbox” for all messages that come from or go to addresses outside your organization (or the reverse, depending on whom you communicate with most).
  • OS X Mail.app can highlight external recipient addresses in red while you’re composing a message (the “Mark addresses not ending with” setting under Composing preferences). This visual indicator warns you that your message includes an outside party as a recipient, for example when you reply to the “boss” with the transfer details.
    (Image: Fake Boss Real Boss)
  • Remember that the body of a reply or forward is just text: the quoted “From:” lines inside it can say whatever the sender typed. Look at the actual headers at the top of the message for the real sender, not at the body, where the text may have been changed since the original message.
    (Image: Altered Address)
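Here is what those mailbox rules look like as code, as an added example that is not from the original post or from any mail client. It assumes a company domain of example.com and a tiny stand-in directory of insider names, and it runs over two constructed messages: the “boss’s personal account” message from the scenario and a genuine internal reply. It flags an external sender (the purple flag), an insider’s display name on an outside address, a Reply-To that redirects your answer, and a body that quotes an insider as the sender while the real headers say otherwise.

```python
"""Checks a mail rule would apply to an inbound message before you trust the sender.

Added example for this post, not code from the original article or from any
mail client. Assumed: the company domain is example.com and INSIDERS is a
stand-in for your directory. The two messages at the bottom are constructed
for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
INSIDERS = {"pat boss": "pat.boss@example.com"}     # assumed directory: display name -> real address

# A "From:" line inside the body, as seen in quoted replies and forwarded header blocks.
QUOTED_FROM = re.compile(r"^\s*>*\s*From:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_internal(addr):
    """True only for an exact match on the company domain (no lookalikes or subdomain tricks)."""
    return domain_of(addr) == COMPANY_DOMAIN


def analyse(raw):
    """Return the reasons this message deserves extra scrutiny (an empty list means none found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons = []

    if not is_internal(addr):
        # The "purple flag": the rule keys on the address, never on the display name.
        reasons.append(f"external sender: {addr}")

        # An insider's name on an outside address is the classic "boss's personal account".
        known = INSIDERS.get(name.strip().lower())
        if known and known != addr:
            reasons.append(f"display name '{name}' belongs to {known}, not {addr}")

        # The body is free text: a quoted "From: <insider>" proves nothing about who sent this.
        body = msg.get_body(preferencelist=("plain",))
        text = body.get_content() if body is not None else ""
        for match in QUOTED_FROM.finditer(text):
            _, claimed = parseaddr(match.group(1))
            if claimed and is_internal(claimed):
                reasons.append(f"body claims sender {claimed.lower()} but header From is {addr}")
                break

    # A Reply-To pointing elsewhere quietly redirects your answer to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to.lower()} differs from From {addr}")

    return reasons


# Constructed sample: the "boss's personal account" message from the scenario.
FAKE_BOSS = """\
From: Pat Boss <pat.boss@personal-mail.example>
Reply-To: Pat Boss <pat.boss.urgent@personal-mail.example>
To: Danny <danny@example.com>
Subject: URGENT vendor wire before Monday
Content-Type: text/plain

Danny, please send the wire today and ask Chris to co-sign. Details below.

> From: pat.boss@example.com
> The vendor cancels our orders if this is not paid by Monday.
"""

# Constructed sample: a genuine internal reply quoting Danny's own question.
REAL_BOSS = """\
From: Pat Boss <pat.boss@example.com>
To: Danny <danny@example.com>
Subject: Re: vendor invoice
Content-Type: text/plain

Approved, go ahead.

> From: danny@example.com
> Can I pay this invoice?
"""

if __name__ == "__main__":
    for label, raw in (("fake", FAKE_BOSS), ("real", REAL_BOSS)):
        print(label, analyse(raw) or ["no findings"])
```

Note that the body check only fires for external senders: a genuine internal reply legitimately quotes a colleague’s “From:” line, so the rule would otherwise flag every normal thread. Running the file prints the findings for both messages; the fake one trips all four checks and the real one trips none.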

Good Old-Fashioned Skepticism

In the end, the best defense against these attacks is end-user awareness backed by strict internal processes. Be aware that scammers are becoming more sophisticated all the time. Be skeptical of any emailed request for HR information or for a payment to be sent. Pick up the phone and verify by voice what you’re reading in email. Encourage and reward employees for being skeptical and hesitant, and do not create a culture in which they fear being punished for double-checking, even when something seems urgent.