Assessing The Risks of E-Mail Fraud
By Brien M. Posey
March 7, 2004
Pretty much no one who uses E-mail is a stranger to fraudulent mail. My mailbox gets flooded with hundreds of fraudulent messages every single day. These messages promise everything from being able to lose ten pounds in ten minutes to making thousands of dollars a day with no effort. In fact, I once saw a rather humorous cartoon that said to imagine what life would be like if every SPAM that you received came true. The cartoon character was young, rich, well endowed, and living a rather enviable lifestyle.
Promises of these too-good-to-be-true claims are not what I'm talking about though. I'm talking about mail fraud that appears to be completely legitimate. For example, back in November there was an E-mail going around that appeared to be from Earthlink. The message asked people to go online and update their billing information. The message looked so authentic that many people unknowingly handed over their credit card numbers to a con artist.
The interesting thing about this type of mail fraud is that companies spend insane amounts of money filtering all of the mail that comes into the organization. Viruses are neutralized and most of the SPAM is filtered, but almost no one attempts to filter the more authentic-looking fraudulent E-mail. The ironic part is that in many ways a fraudulent E-mail message can be even more damaging than SPAM or a virus.
The Cost of E-Mail Fraud
Before I start discussing E-mail fraud in detail, I want to take a moment and discuss the costs of E-mail fraud. For years now, E-mail fraud has been thought of as a consumer issue. We have all heard of cases of individuals being ripped off by con artists, but you hardly ever hear of a large corporation being ripped off by fraudulent E-mail.
I think that part of the reason for this is that many big companies are publicly traded. If a big company were to disclose the fact that they lost a bunch of money in a scam, it could potentially scare the stockholders and lower the company's value. Therefore, a lot of companies try to eat the financial cost and prevent the actual amount of damage from ever becoming public knowledge. As such, there are no firm figures on how much money fraudulent E-mail costs corporations each year.
There are however consumer level statistics. E-mail fraud in the form of identity theft costs consumers an average of $1,400 per incident totaling over $5 billion per year.
Characteristics of E-Mail Fraud
I've already explained that companies routinely filter all of the messages that come into the organization to weed out viruses and SPAM, but that these filtering techniques do not get rid of fraudulent E-mail. There are several reasons for this.
First of all, SPAM typically comes from someone that you don't know. A SPAM filter's job is to dispose of SPAM while preserving legitimate mail. Most SPAM filters even have a whitelist: a list of trusted individuals whose mail should never be regarded as SPAM regardless of the message's content. Therefore, if the sender of a fraudulent E-mail can spoof the identity of someone on your whitelist, the SPAM filter will completely ignore the fraudulent message.
Another reason why SPAM filters are ineffective against fraudulent E-mail is that fraudulent E-mail can be, and sometimes is, generated by an employee at your company. SPAM filters almost never filter locally generated E-mail.
Regardless of a message's origin or the name of the person who is allegedly sending it, your SPAM filter's job is to get rid of obvious SPAM and let legitimate-sounding messages into your employees' mailboxes. On the other hand, when someone creates a fraudulent E-mail, their job is to make the E-mail appear as legitimate and authentic as humanly possible. After all, if the E-mail doesn't appear legitimate and authentic, no one will fall for the scam. In making the message appear legitimate and authentic, the sender not only fools the recipient, they almost always fool the recipient's SPAM filter as well.
Of course organizations don't just filter mail for SPAM; they also filter for viruses. However, an antivirus program is powerless to stop a fraudulent E-mail. Remember that the sender's job is to build trust. If the fraudulent E-mail comes in with a virus, you certainly aren't going to trust it. Therefore, it's in the sender's best interest not to infect the message with a virus.
Examples of Fraudulent E-Mail from External Sources
As I explained, fraudulent E-mail can come from inside or outside of the organization. An example of fraudulent E-mail that might come from outside the organization is someone posing as a vendor and requesting that the company pay an overdue bill. Another example is a request from someone posing as a vendor to update the company's credit card information. For example, some companies, such as Internet Service Providers, will not provide service unless they have a credit card number on file that they can bill each month. Someone sending a fraudulent E-mail might pose as an Internet Service Provider and request that the credit card information be updated in an effort to steal a credit card number.
Yet another common scam that often comes from the outside world is a message from someone posing as Microsoft or as someone from your corporate IT department, asking for a security patch to be applied. This "security patch" could be anything, but usually opens a back door into the system.
Examples of Fraudulent E-Mail from Internal Sources
Fraudulent E-mail can also come from within the organization. We've all seen managers who stay logged in all day long even though they are at a meeting somewhere else. Someone could easily sneak into an empty office and use the manager's E-mail to send a message as that manager.
A common variation of this technique relies on the fact that it's easy to change Outlook's SMTP display name so that messages appear to have come from someone else. What makes this technique work so well for the impostor is that if a recipient replies to the message, the reply goes to the actual sender, not to the person the sender is posing as.
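The whitelist weakness from the Characteristics section and the display-name trick above both show up in message headers rather than message content, which is why a content-based SPAM filter misses them. Below is an added example in Go, not code from the article, of a header check a mail gateway could run: it flags a From display name that belongs to someone in the company directory but sits on a different address, and a Reply-To that would steer replies away from the claimed sender. The directory entries, addresses and sample messages are all constructed for illustration, and the check deliberately does nothing about a forged address itself, which headers alone cannot reveal.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Finding names one suspicious trait found in a message header.
type Finding string

const (
	// The display name belongs to someone in the directory, but the
	// address behind it is not the one that person uses.
	DisplayNameMismatch Finding = "display name matches an employee, address does not"
	// Replies would go somewhere other than the claimed sender.
	ReplyToMismatch Finding = "Reply-To differs from From"
)

// Directory is a constructed sample address book: display name -> the
// address that person legitimately sends from. A real deployment would
// load this from the mail system's address list.
var Directory = map[string]string{
	"Brien Posey": "bposey@example.com",
	"Pat Manager": "pmanager@example.com",
}

// CheckHeaders parses one raw message and reports header traits that a
// content-based SPAM filter would not notice.
func CheckHeaders(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return nil, fmt.Errorf("bad From header: %w", err)
	}
	var findings []Finding
	if want, known := Directory[from.Name]; known && !strings.EqualFold(want, from.Address) {
		findings = append(findings, DisplayNameMismatch)
	}
	if rt := msg.Header.Get("Reply-To"); rt != "" {
		replyTo, err := mail.ParseAddress(rt)
		if err != nil {
			return nil, fmt.Errorf("bad Reply-To header: %w", err)
		}
		if !strings.EqualFold(replyTo.Address, from.Address) {
			findings = append(findings, ReplyToMismatch)
		}
	}
	return findings, nil
}

// Constructed sample messages (not real mail).
const (
	// The boss's display name on a mailbox the boss does not own.
	SpoofedDisplayName = "From: \"Pat Manager\" <kendall@mail.example.net>\r\n" +
		"To: bposey@example.com\r\n" +
		"Subject: Report to HR\r\n\r\n" +
		"Report to Human Resources at 3:00.\r\n"
	// Genuine-looking From, but replies are steered elsewhere.
	SteeredReply = "From: \"Pat Manager\" <pmanager@example.com>\r\n" +
		"Reply-To: <kendall@mail.example.net>\r\n" +
		"To: bposey@example.com\r\n" +
		"Subject: Quick question\r\n\r\n" +
		"Can you resend that invoice?\r\n"
	// Ordinary internal mail.
	Clean = "From: \"Brien Posey\" <bposey@example.com>\r\n" +
		"To: pmanager@example.com\r\n" +
		"Subject: Status\r\n\r\n" +
		"All good.\r\n"
)

func main() {
	samples := map[string]string{"spoofed": SpoofedDisplayName, "steered": SteeredReply, "clean": Clean}
	for name, raw := range samples {
		findings, err := CheckHeaders(raw)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-8s %v\n", name, findings)
	}
}
```

Running the sample yields one finding for each of the two spoofed messages and none for the clean one. A whitelist keyed on the full address rather than the display name would at least force an impostor to forge the address, which this check cannot detect on its own.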
Some Personal Examples
When I said that I had personally seen some examples of spoofed SMTP display names, I wasn't kidding. I have actually been victimized by this type of spoofing on more than one occasion. The first example is a little hard to explain, but I will try.
Two friends of mine, Kevin and Kendall (you know who you are) used to work at the same company as I did. Kendall changed his SMTP display name to my name. He and his accomplice, Kevin, proceeded to have a very explicit E-mail conversation back and forth. When they were done, Kendall changed his SMTP display name from using my name to using my boss's name. Kevin then sent an E-mail message to Kendall, who was posing as my boss. The message was a complaint that I was harassing and threatening him through E-mail. Kendall, while still posing as my boss, sent me a copy of the E-mail saying that I was to report to Human Resources at 3:00 to face disciplinary action.
When I received the message, I thought that it was from my boss. As I read further through the message, I saw that Kevin was having what appeared to be a conversation with me, yet I knew that I had never sent any of those messages. I assumed that someone had figured out my password and that I was probably about to be fired. Even if I didn't get fired for the harassment charges that I was supposedly facing, I figured that I would get fired for having a password that someone was able to figure out. I knew that I had absolutely no way of defending myself against the charges against me.
I went upstairs to ask Kevin what was going on, but Kevin was nowhere to be found. I was in a panic and decided to go talk to my boss about the problem. Little did I know that my boss was also in on the joke. To make a long story short, absolutely no harm came from the incident, even though I thought that I was going to have a heart attack. This story does illustrate however just how damaging fraudulent E-mail can be.
A few years later, there was another similar problem that wasn't a joke. As you may know, I write technical articles for a variety of publications and Web sites. Someone saw my E-mail address in my bio on one of these Web sites and decided that it would be a lot of fun to spoof my identity and write an angry letter to one of my editors. The letter called my editor some nasty names and also told them that I was never writing for them again.
I got lucky on this one because my editor knew my writing style well enough to know that the letter could not possibly be authentic. He alerted me to the incident and told everyone else at the company that if they got any strange letters from me that the letters should be disregarded. Again, no harm came from the incident, but this example shows just some of the potentially nasty consequences of E-mail identity theft.
Three Main Types of E-Fraud
There are three main types of E-mail fraud: phishing, bogus updates, and billing fraud. There are other types of E-mail fraud, but they are almost always variations of one or more of these three techniques.
Phishing
Consequences of E-Mail Fraud
So far I have talked about the various types of E-mail fraud, and how easy it is to conduct E-mail fraud, but I want to take a moment and talk about the consequences if a company were to fall victim to an E-mail fraud scam.
The actual consequences depend on the nature of the scam. In the case of a bogus update, the consequences include a compromise of data, which is often worse than loss of money. After all, in many organizations, the data is the business.
If a database is compromised, another consequence might be loss of trust by customers. A few years ago, Playboy Magazine had a security breach in which someone stole the credit card numbers of many subscribers. Although the incident didn't drive Playboy out of business, the incident did make national news and resulted in a lot of bad press for the magazine.
Still another potential consequence is heavy fines by government agencies. For example, HIPAA is designed to protect the privacy of patient information. If a hospital or insurance company does have a security breach that results in the disclosure of medical records, the company could face some hefty fines from the government. Even if the company is not involved in the healthcare industry, some state governments are starting to require the disclosure of security breaches.
Another consequence of a bogus update is the damage to the infrastructure. I have often told people that if a server is hacked, then the only sure way to make sure that the server is clean is to format the drives and reinstall everything from scratch. In the case of a user installing a "software update" though, you have no easy way of knowing whether that update could have been replicated to other systems and whether you have cleaned up all of the damage. The process of verifying that your entire network is Trojan-free could be very expensive.
Of course, we can't overlook the potential financial damage of falling for an E-mail scam. For example, suppose that someone posing as a vendor managed to convince your purchasing department that they had changed account numbers. If this happened at the end of the month, the purchasing department might pay an entire month's worth of invoices to the wrong account. The thief makes off with thousands of dollars and the company gets a call from the real vendor a couple of weeks later wondering why the invoices have not been paid.
What Can Be Done?
Now that I have talked about the types of E-mail fraud and the damage that can result, you are probably wondering what can be done to prevent this type of fraud. One thing that you can do is to require all employees to use digital signatures with their E-mail accounts and to verify the signatures on all inbound E-mail. This is only a partial solution though.
The reason is that external mail won't bear a digital signature. If digital signatures are used, no one will be able to spoof the identity of one of your employees, but nothing prevents someone from spoofing the identity of someone in the outside world (such as a vendor), because most people don't use digital signatures.
Another reason why digital signatures aren't a total fix is that there is no guarantee that your employees will take the time to verify them. Oftentimes employees just don't do what they are told. If you don't believe me, think about how many phone calls you have gotten that start with the words, "I know you told us not to open attachments from people we don't know, but..."
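To make the partial-solution point concrete, here is an added example in Go (not from the article) of the inbound policy that digital signatures make possible. It assumes Ed25519 keys issued per employee address at the assumed domain example.com, with the Keyring, Enrol, Sign and Check names all made up for the example: a message claiming an internal sender is rejected unless its signature verifies, but a message from an outside address has no key on file, so the policy cannot say anything about it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Verdict is the outcome of applying the signature policy to one message.
type Verdict string

const (
	Verified     Verdict = "internal sender, signature verified"
	Forged       Verdict = "claims an internal sender but has no valid signature"
	Unverifiable Verdict = "external sender with no key on file; policy cannot help"
)

// InternalDomain is the assumed domain of the organization's own mail.
const InternalDomain = "@example.com"

// Keyring maps an employee's address to the public key issued to them.
// Here it is filled with freshly generated keys (an assumption for the
// example); a real deployment would use keys published in the directory.
type Keyring map[string]ed25519.PublicKey

// Enrol generates a key pair for addr, stores the public half, and
// returns the private half the employee's mail client would sign with.
func (k Keyring) Enrol(addr string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	k[strings.ToLower(addr)] = pub
	return priv
}

// Sign returns the base64 signature a mail client would attach to body.
func Sign(priv ed25519.PrivateKey, body string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(body)))
}

// Check enforces the policy: any message whose From address is internal
// must carry a signature that verifies under that address's key. Mail
// from outside has no key to check against, so the policy says nothing.
func (k Keyring) Check(from, body, sig string) Verdict {
	from = strings.ToLower(from)
	if !strings.HasSuffix(from, InternalDomain) {
		return Unverifiable
	}
	pub, ok := k[from]
	if !ok || sig == "" {
		return Forged
	}
	raw, err := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(pub, []byte(body), raw) {
		return Forged
	}
	return Verified
}

func main() {
	ring := Keyring{}
	bossKey := ring.Enrol("pmanager@example.com")
	body := "Report to Human Resources at 3:00."

	fmt.Println(ring.Check("pmanager@example.com", body, Sign(bossKey, body)))
	// Display-name trick: the impostor has no key, so no valid signature.
	fmt.Println(ring.Check("pmanager@example.com", body, ""))
	// Body altered after signing: the signature no longer verifies.
	fmt.Println(ring.Check("pmanager@example.com", body+" Bring ID.", Sign(bossKey, body)))
	// Vendor impersonation: nothing on file to check, policy is silent.
	fmt.Println(ring.Check("billing@vendor.example.net", body, ""))
}
```

The Unverifiable verdict is exactly the gap described above: the policy catches the display-name trick and any alteration after signing, but a spoofed vendor is untouched. In practice the signature would cover the headers as well as the body, and the check belongs at the gateway so that it does not depend on employees verifying signatures by hand.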
In addition to using digital signatures, I recommend implementing filtering software that is specifically designed to look for fraudulent E-mail. We are just now starting to see first generation fraud detection software becoming available, but we think that anti-fraud software will become essential as it improves.
Finally, if your anti-fraud system (or an alert employee) does detect a scam, notify your employees about it. After all, you probably send an alert to your employees whenever a new virus is released, so why not alert them to E-mail scams too, since a scam can potentially be much more damaging than a virus?