With huge databases of personal security credentials and passwords now publicly available on the dark web (see: Threat to data is real: passwords won’t protect you or your company anymore), emails are an increasingly unsafe way to conduct financial business. Fraudulent emails are very often the starting point of a cyberattack. According to research by PhishMe, 91 per cent of successful cyber attacks begin with a phishing email.
In his article – Keeping ahead of invoice fraudsters – Tungsten Network's Alphus Hinds looks at some recent cases of high-profile corporate fraud that began with an unfortunate instance of someone believing a fraudulent email to be genuine. In the scam, a nine art galleries or individuals in the art world were targeted by criminals who hacked into their email account. The criminals were able to track messages containing invoicing details, then send out a duplicate fraudulent invoice from the gallery's or individual's email address, asking the client to make payment to the account detailed in the second invoice. Of course, the second invoice gave details of the criminals' bank account. It's striking that in one of the examples given, a whole invoicing exchange, for a high-value deal, is conducted entirely by email, without the art dealer or client picking up the phone even once to confirm details or receipt of messages.
How do we tackle email fraud?
It is unfair to blame the victims of such scams, particularly as email fraud seems set to become even more common. So what can be done to protect individuals and companies from email fraud?
- Tungsten Network's Alphus Hinds writes: “One thing that might have prevented the fraud is greater scrutiny of the perpetrators by the banks where they opened fraudulent accounts.”
- Hinds adds that legislation could also tackle the problem – he gives the example of the EU's General Data Protection Regulation (GDPR), which comes into effect on 25 May this year and “could result in significant fines for businesses that fail to protect client email addresses and other personal identifiable information”.
- Another strategy companies need to take is to raise awareness among employees to ensure they have a finely-tuned sense of which types of email are genuine communications from colleagues, clients, suppliers or the bank. This needs to cover text messages, which are increasingly used as a communication channel by genuine banks as well as by criminals.
- To help raise awareness, UK Finance has run a campaign on how to spot fraudulent communications, including this Too smart to be scammed test.
- One of the key actions seems to be corroborating requests for payment through a trusted channel, either in-person or a trusted phone number. UK Finance says: “Always double-check with the person you are sending money to by ringing them and ensuring that the email came from them and the details are correct. Always call them using a number that you trust – such as the one on their official website.”
‘Fraud Analytics: - complete self-assessment guide’ shows how to tackle fraud
Book by Gerard Blokdijk provides a Fraud Analytics roadmap on how to understand and move forward in the right direction, based on verifiable data
Threat to data is real: passwords won’t protect you or your company anymore
A recent discovery of a huge database of stolen security data and the potential for quantum computing to make current cryptography useless poses huge problems for data security
40% of European firms – 67% globally – unprepared for GDPR
With four months to go, just a third of companies globally have a plan in place to comply with the General Data Protection Regulation, which comes into force on 25 May 2018