Email Security and Business Policy
Out of convenience, companies rely on email as if it were a secure medium for sharing financial transaction information.
Email security and business policy should dictate that electronic payments are verified over the phone no matter how much credible information is provided in the email. Modifications to existing electronic payment instructions should be scrutinized even harder. Make sure your accounting department gets security awareness training, and monitor their systems and accounts extra closely for tampering.
Increasingly targeted attacks are inserting themselves into the existing email threads between customers and their suppliers.
Here are a couple of quick examples of actual attacks:
- A customer’s email password is compromised and a forwarding rule is configured in their email account, allowing the scammer to keep seeing the details of a transaction even after the password is reset. The scammer then uses those forwarded emails to socially engineer a new payment account. In the attached case, a fake domain name similar to the supplier’s (e.g. google-us.com vs. google.com) was set up hours before emailing a transaction modification request so the email would look more authentic to the customer. Having the transaction details from the forwarding-rule hack greatly increased its believability.
- In other cases the email header is spoofed so that the From line appears to be a coworker requesting a wire transfer, while the Reply-To line sends the responses to a different email address.
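As an added illustration (not part of the original post), here is a small Python checker for the two header-level tells in the examples above: a Reply-To domain that differs from the From domain, and a sender domain that closely resembles a trusted supplier domain. The TRUSTED_DOMAINS set and the sample messages are constructed assumptions.

```python
"""Flag payment-related emails showing Reply-To mismatch or lookalike sender domains."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of supplier / coworker domains (assumption for this example).
TRUSTED_DOMAINS = {"google.com", "example-supplier.com"}


def _domain(header_value):
    """Extract the lowercase domain part from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, cutoff=0.8):
    """Return the trusted domain that `domain` most resembles, or None.

    Uses a crude string-similarity ratio; real deployments also consider
    how recently the domain was registered (the post notes lookalikes are
    often set up hours before the request).
    """
    if domain in trusted:
        return None
    best = max(trusted, key=lambda t: difflib.SequenceMatcher(None, domain, t).ratio())
    score = difflib.SequenceMatcher(None, domain, best).ratio()
    return best if score >= cutoff else None


def check_message(raw):
    """Return a list of finding tags for one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    findings = []
    # Spoofed From with a Reply-To steering responses elsewhere.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # Sender or reply domain imitating a trusted domain (google-us.com vs google.com).
    if any(d and lookalike_of(d) for d in (from_dom, reply_dom)):
        findings.append("lookalike-domain")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike": "From: Accounts Payable <ap@google-us.com>\nSubject: Updated wire instructions\n\nPlease use the new account.\n",
    "replyto": "From: Jane Doe <jane@google.com>\nReply-To: jane.doe@mail-relay.net\nSubject: Urgent wire\n\nCan you send today?\n",
    "clean": "From: Jane Doe <jane@google.com>\nSubject: Invoice 1234\n\nAttached.\n",
}


def scan_samples():
    """Run the checker over every constructed sample."""
    return {name: check_message(raw) for name, raw in SAMPLES.items()}
```

Either finding should route the message to the out-of-band phone verification the policy above requires rather than being treated as proof of fraud on its own.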