
Assessing The Risks of E-Mail Fraud
By Brien M. Posey
March 7, 2004

Pretty much no one who uses E-mail is a stranger to fraudulent mail. My mailbox gets flooded with hundreds of fraudulent messages every single day. These messages promise everything from losing ten pounds in ten minutes to making thousands of dollars a day with no effort. In fact, I once saw a rather humorous cartoon that asked you to imagine what life would be like if every SPAM message you received came true. The cartoon character was young, rich, well endowed, and living a rather enviable lifestyle.

These too-good-to-be-true promises are not what I'm talking about, though. I'm talking about mail fraud that appears to be completely legitimate. For example, back in November there was an E-mail going around that appeared to be from Earthlink. The message asked people to go online and update their billing information. It looked so authentic that many people unknowingly handed their credit card numbers to a con artist.

The interesting thing about this type of mail fraud is that companies spend enormous amounts of money filtering all of the mail that comes into the organization. Viruses are neutralized and most of the SPAM is filtered, but almost no one attempts to filter the more authentic-looking fraudulent E-mail. The irony is that in many ways a fraudulent E-mail message can be even more damaging than SPAM or a virus.

The Cost of E-Mail Fraud
Before I start discussing E-mail fraud in detail, I want to take a moment and discuss the costs of E-mail fraud. For years now, E-mail fraud has been thought of as a consumer issue. We have all heard of cases of individuals being ripped off by con artists, but you hardly ever hear of a large corporation being ripped off by fraudulent E-mail.

I think that part of the reason for this is that many big companies are publicly traded. If a big company were to disclose that it had lost a lot of money in a scam, it could scare the stockholders and lower the company's value. Therefore, a lot of companies simply eat the financial cost and prevent the actual amount of damage from ever becoming public knowledge. As such, there are no firm figures on how much money fraudulent E-mail costs corporations each year.

There are however consumer level statistics. E-mail fraud in the form of identity theft costs consumers an average of $1,400 per incident totaling over $5 billion per year.

Characteristics of E-Mail Fraud
I've already explained that companies routinely filter all of the messages that come into the organization to weed out viruses and SPAM, but that these filtering techniques do not get rid of fraudulent E-mail. There are several reasons for this.

First of all, SPAM typically comes from someone you don't know. A SPAM filter's job is to dispose of SPAM while preserving legitimate mail. Most SPAM filters even have a whitelist: a list of trusted individuals whose mail should never be regarded as SPAM regardless of the message's content. Therefore, if the sender of a fraudulent E-mail can spoof the identity of someone on your whitelist, the SPAM filter will completely ignore the fraudulent message.

Another reason why SPAM filters are ineffective against fraudulent E-mail is that fraudulent E-mail can be, and sometimes is, generated by an employee at your company. SPAM filters almost never filter locally generated E-mail.

Regardless of a message's origin or the name of the person who is allegedly sending it, your SPAM filter's job is to get rid of obvious SPAM and let legitimate-sounding messages into your employees' mailboxes. On the other hand, when someone creates a fraudulent E-mail, their job is to make it appear as legitimate and authentic as humanly possible. After all, if the E-mail doesn't appear legitimate and authentic, no one will fall for the scam. In making the message appear legitimate and authentic, the sender not only fools the recipient, they almost always fool the recipient's SPAM filter as well.

Of course, organizations don't just filter mail for SPAM; they also filter for viruses. However, an antivirus program is powerless to stop a fraudulent E-mail. Remember that the sender's job is to build trust. If the fraudulent E-mail comes in with a virus, you certainly aren't going to trust it. Therefore, it's in the sender's best interest not to infect the message with a virus.

Examples of Fraudulent E-Mail from External Sources
As I explained, fraudulent E-mail can come from inside or outside of the organization. An example of fraudulent E-mail that might come from outside of the organization is someone who is posing as a vendor requesting that the company pay an overdue bill. Another example is a request from someone posing as a vendor to update the company's credit card information. For example, some companies, such as Internet Service Providers, will not provide service unless they have a credit card number on file that they can bill each month. Someone who is sending a fraudulent E-mail might pose as an Internet Service Provider and request that the credit card information be updated in an effort to steal a credit card number.

Yet another common scam that often comes from the outside world is a message from someone posing as Microsoft or as someone from your corporate IT department, asking for a security patch to be applied. This "security patch" could be anything, but usually opens a back door into the system.

Examples of Fraudulent E-Mail from Internal Sources
Fraudulent E-mail can also come from within the organization. We've all seen managers who stay logged in all day long even though they are at a meeting somewhere else. Someone could easily slip into the empty office and use the manager's E-mail to send a message as that manager.

A common variation of this technique exploits how easy it is to change Outlook's SMTP display name so that messages appear to have come from someone else. From the impostor's point of view, the nice thing about this technique is that if a recipient replies to the message, the reply goes to the actual sender, not to the person being impersonated.
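The display-name and Reply-To tricks described above can be caught with a few header checks before the message reaches a mailbox. This is an added example, not code from the article; the staff directory, the example.com domain and the two sample messages are constructed.

```python
"""Header checks for the two sender-spoofing tricks described above: a From
display name borrowed from a colleague, and a Reply-To that quietly routes
answers back to the impostor. Added example; not code from the article."""
from email import message_from_string
from email.utils import parseaddr

# Constructed staff directory (display name -> mailbox). In a real deployment
# this would be fed from the directory service; the names are assumptions.
STAFF = {
    "brien posey": "bposey@example.com",
    "pat manager": "pmanager@example.com",
}

def _norm(name: str) -> str:
    """Lower-case and collapse whitespace so display names compare reliably."""
    return " ".join(name.lower().split())

def inspect_sender(raw_message: str) -> list[str]:
    """Return a list of findings; an empty list means no sender anomaly."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()

    # 1. The display name is one of ours but the mailbox is not the one on
    #    file: the "change Outlook's display name" trick from the article.
    expected = STAFF.get(_norm(from_name))
    if expected and from_addr != expected:
        findings.append(f"display name {from_name!r} belongs to {expected}, "
                        f"but the message came from {from_addr}")

    # 2. Reply-To points somewhere other than the From mailbox, so a reply
    #    reaches the impostor instead of the person being impersonated.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr:
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    return findings

# Constructed sample: the boss's name on an external mailbox, plus a
# Reply-To so that any answer goes straight back to the impostor.
SAMPLE_SPOOFED = """\
From: Pat Manager <pmanager@mail-example.net>
Reply-To: throwaway@mail-example.net
To: bposey@example.com
Subject: Report to HR at 3:00

Please see the complaint below.
"""

SAMPLE_CLEAN = """\
From: Pat Manager <pmanager@example.com>
To: bposey@example.com
Subject: Lunch?

Noon?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, inspect_sender(sample) or ["no findings"])
```

Note that this only catches a borrowed display name; a forged From address on the internal domain needs sender authentication at the gateway, which these checks do not provide.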

Some Personal Examples
When I said that I had personally seen some examples of spoofed SMTP display names, I wasn't kidding. I have actually been victimized by this type of spoofing on more than one occasion. The first example is a little hard to explain, but I will try.

Two friends of mine, Kevin and Kendall (you know who you are), used to work at the same company as I did. Kendall changed his SMTP display name to my name. He and his accomplice, Kevin, proceeded to have a very explicit E-mail conversation back and forth. When they were done, Kendall changed his SMTP display name from using my name to using my boss's name. Kevin then sent an E-mail message to Kendall, who was posing as my boss. The message was a complaint that I was harassing and threatening him through E-mail. Kendall, while still posing as my boss, sent me a copy of the E-mail saying that I was to report to Human Resources at 3:00 to face disciplinary action.

When I received the message, I thought that it was from my boss. As I read further through the message, I saw that Kevin was having what appeared to be a conversation with me, yet I knew that I had never sent any of those messages. I assumed that someone had figured out my password and that I was probably about to be fired. Even if I didn't get fired for the harassment charges that I was supposedly facing, I figured that I would get fired for having a password that someone was able to figure out. I knew that I had absolutely no way of defending myself against the charges against me.

I went upstairs to ask Kevin what was going on, but Kevin was nowhere to be found. I was in a panic and decided to go talk to my boss about the problem. Little did I know that my boss was also in on the joke. To make a long story short, absolutely no harm came from the incident, even though I thought that I was going to have a heart attack. This story does illustrate, however, just how damaging fraudulent E-mail can be.

A few years later, there was another similar problem that wasn't a joke. As you may know, I write technical articles for a variety of publications and Web sites. Someone saw my E-mail address in my bio on one of these Web sites and decided that it would be a lot of fun to spoof my identity and write an angry letter to one of my editors. The letter called my editor some nasty names and also told them that I was never writing for them again.

I got lucky on this one because my editor knew my writing style well enough to know that the letter could not possibly be authentic. He alerted me to the incident and told everyone else at the company that if they got any strange letters from me that the letters should be disregarded. Again, no harm came from the incident, but this example shows just some of the potentially nasty consequences of E-mail identity theft.

Three Main Types of E-Fraud
There are three main types of E-mail fraud: phishing, bogus updates, and billing fraud. There are other types of E-mail fraud, but they are almost always variations of one or more of these three techniques.

Phishing, which oddly enough is spelled with a PH, is a technique by which the sender of the fraudulent message is fishing for information. Remember that every user in your company has information that should only be given out on a need-to-know basis. The sender, or fisherman, poses as someone with a legitimate need to know.

Ideally, the sender will already know something about the individual employees in the company and will target the message at some of the more naive users. The reason is that a naive user generally won't question the E-mail. Instead, they will reply to the message or blindly follow its instructions and think nothing of it. The fact that the user doesn't suspect a thing greatly increases the sender's odds of not getting caught.

Although naive users are preferred, there have been documented cases in which the sender sends the same E-mail to a whole lot of people in hopes that one or two will respond. This is more the exception than the rule, though. Remember that a fisherman is not a spammer. A spammer's job is to attract attention. A fisherman's job is not to attract attention.

In either case, the E-mail will convey a sense of urgency. For example, an E-mail might say something like "Your password is about to expire. You must reset your password to prevent your account from being terminated". Nine times out of ten, if the user trusts the source of the E-mail, they will follow the instructions, typically by clicking a link in the message, and do the supposed password reset.

Most of the time, the link will take the user to a Web site that looks official. This site will ask for the user's username, old password, and new password. The new password is completely disregarded, because the user isn't actually resetting a password, and the user's login name and password are logged to a database so that they can be exploited later.

A variation of this technique is a letter that appears to be from a financial institution. I recently received an E-mail from one of the more well-known banks saying that they had a computer glitch and that although everything appeared to be fixed, I needed to log in and check to make sure that my account balance was correct. The most suspicious thing about this E-mail… I don't even have an account at that bank.

Even so, the E-mail looked so official that I decided to check it out a little bit more. Even the URL at the bottom of the message pointed to the bank's real Web site. The catch was, though, that although the hyperlink appeared to go to the bank's Web site, hovering your mouse over the link revealed that the link actually went to a different site.

The creators of the message weren't stupid, though. They didn't use their site's URL in the hyperlink. They used an IP address instead. They even went so far as to design the fraudulent Web site, which looked just like the bank's real Web site, to display the bank's URL in Internet Explorer's address bar. This was such a well-orchestrated message that I'm sure a lot of people probably fell for it.

I'm sure that the bogus site was designed to collect account numbers and passwords whenever someone logged in.
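The hover-over check the author did by hand can be automated at the mail gateway: compare each link's visible text with the host it actually points to, and flag targets that are bare IP addresses. This is an added example, not code from the article; www.bank.example and 192.0.2.10 are constructed placeholders, not a real bank or site.

```python
"""Flag hyperlinks in an HTML message whose visible text names one site while
the href goes elsewhere, or whose target is a bare IP address: the two tells
in the bank message described above. Added example; not code from the article."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url: str) -> str:
    """Hostname of a URL; link text often omits the scheme, so supply one."""
    if "//" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html: str) -> list[dict]:
    """One finding per link whose target disagrees with what the user sees."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        # Only treat the link text as a URL when it actually looks like one.
        shown = _host(text) if "." in text and " " not in text else ""
        reasons = []
        if _is_ip(target):
            reasons.append("target is a raw IP address")
        if shown and shown != target:
            reasons.append(f"text shows {shown} but the link goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings

# Constructed sample modelled on the message the article describes.
SAMPLE_HTML = """<p>Please <a href="http://192.0.2.10/login">log in</a> to
confirm your balance, or visit
<a href="http://192.0.2.10/">https://www.bank.example</a>. For help see
<a href="https://www.bank.example/help">https://www.bank.example/help</a>.</p>"""
```

Running `suspicious_links(SAMPLE_HTML)` flags the first two links and leaves the third, whose text and target agree, alone.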

Bogus Updates
I briefly touched on bogus software updates earlier, but I want to take a moment and discuss them in a little more detail. When someone sends a bogus software update, the update is almost always some sort of Trojan that opens back-door access into the system it is installed on. However, the Trojan may perform other functions as well. It is common for such a Trojan to replicate itself to other computers on the network. The Trojan might also harvest information from SQL databases or even launch a denial of service attack against someone.

When someone sends this type of fraudulent E-mail message, they usually pose as Microsoft, the company's IT department, or some other software company. The message will be worded in a helpful tone, but is also designed to scare the user into loading the update. For example, the message might tell the recipient that there is a horrible new virus going around and that the only way to protect their system against that virus is to download and install the security patch.

Billing Fraud
One of the most intricate types of E-mail fraud is billing fraud. The idea behind this scam is that the purchasing departments or accounting departments in big companies pay hundreds, if not thousands, of bills every single month. Because of this, there is no way for someone in the purchasing department to remember every single invoice and whether it has or hasn't been paid.

Consequently, the sender of the fraudulent E-mail will pose as a vendor that the company routinely uses and will send the company a notice indicating that payment for some product or service is overdue.

The sender will usually do several things to give themselves the best chance of success. First, they will pose as a well-known vendor. For example, if the sender poses as FedEx, they will have a much better chance of the company paying the bill than if they posed as some company that no one has ever heard of, like Bob's Small Engine Repair.

Another critical element of the scam is the amount of the invoice. If a big company receives an overdue invoice from FedEx for $40, they probably aren't going to question it. They will probably just go ahead and pay the invoice and forget all about it. On the other hand, if the sender wrote out an invoice for $100,000, the accounting or purchasing department would scrutinize the invoice very closely. Remember that the sender's whole agenda involves not attracting attention, so it is in their best interest to keep the amounts small.

So if the sender of the fraudulent message is asking for a small amount of money, how is the scam profitable? There are two different ways that fraudsters make money off this deal. First, they might send the same invoice to a lot of companies. Imagine, for instance, if someone got a thousand different companies to pay a two hundred dollar invoice. The con artist could make nearly a quarter of a million dollars for one day's effort.

That's really the tip of the iceberg, though. When the sender creates the fraudulent E-mail, they almost always offer an option to pay by credit card. If the company does pay by credit card, the con artist not only gets their money, they also get the company's credit card number. They can now spend all sorts of money, and it could be weeks before the company even realizes that the card number has been compromised. In some instances, people have stolen corporate credit card numbers and gone so far as to sell the card number to other people.

Consequences of E-Mail Fraud
So far I have talked about the various types of E-mail fraud, and how easy it is to conduct E-mail fraud, but I want to take a moment and talk about the consequences if a company were to fall victim to an E-mail fraud scam.

The actual consequences depend on the nature of the scam. In the case of a bogus update, the consequences include a compromise of data, which is often worse than loss of money. After all, in many organizations, the data is the business.

If a database is compromised, another consequence might be loss of trust by customers. A few years ago, Playboy Magazine had a security breach in which someone stole the credit card numbers of many subscribers. Although the incident didn't drive Playboy out of business, it did make national news and resulted in a lot of bad press for the magazine.

Still another potential consequence is heavy fines by government agencies. For example, HIPAA is designed to protect the privacy of patient information. If a hospital or insurance company does have a security breach that results in the disclosure of medical records, the company could face some hefty fines from the government. Even if the company is not in the healthcare industry, some state governments are starting to require the disclosure of security breaches.

Another consequence of a bogus update is damage to the infrastructure. I have often told people that if a server is hacked, the only sure way to make sure that the server is clean is to format the drives and reinstall everything from scratch. In the case of a user installing a "software update", though, you have no easy way of knowing whether that update replicated itself to other systems and whether you have cleaned up all of the damage. The process of verifying that your entire network is Trojan-free could be very expensive.

Of course, we can't overlook the potential financial damage of falling for an E-mail scam. For example, suppose that someone posing as a vendor managed to convince your purchasing department that the vendor had changed account numbers. If this happened at the end of the month, the purchasing department might pay an entire month's worth of invoices to the wrong account. The thief makes off with thousands of dollars, and the company gets a call from the real vendor a couple of weeks later wondering why the invoices have not been paid.

What Can Be Done?
Now that I have talked about the types of E-mail fraud and the damage that can result, you are probably wondering what can be done to prevent this type of fraud. One thing that you can do is to require all employees to use digital signatures with their E-mail accounts and to verify the signatures on all inbound E-mail. This is only a partial solution though.

The reason is that external mail won't bear a digital signature. If digital signatures are used, no one will be able to spoof the identity of one of your employees, but nothing prevents someone from spoofing the identity of someone in the outside world (such as a vendor), because most people don't use digital signatures.

Another reason why digital signatures aren't a total fix is that there is no guarantee that your employees will take the time to verify them. Oftentimes employees just don't do what they are told. If you don't believe me, think about how many phone calls you have received that start off with the words, "I know you told us not to open attachments from people we don't know, but…".

In addition to using digital signatures, I recommend implementing filtering software that is specifically designed to look for fraudulent E-mail. We are just now starting to see first-generation fraud detection software become available, but I think that anti-fraud software will become essential as it improves.

Finally, if your anti-fraud system (or an alert employee) does detect a scam, notify your employees about it. After all, you probably send an alert to your employees whenever a new virus is released, so why not alert them to E-mail scams too, since a scam can potentially be much more damaging than a virus?
