The FBI 2017 Internet Crime Report stated that “business email compromises” caused more than US$5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017 – “the highest estimated out-of-pocket losses from any class of cyber-facilitated crime during this period.”
Spoofed emails are emails that appear to come from someone in your company, usually asking for something unusual that could cause a financial loss or a breach of data confidentiality. They usually appear to come from someone high up in the company. For example, a spoofed email might ask for a wire transfer to settle an outstanding debt, or for gift card voucher numbers to be sent urgently to help with company business. Even Chief Financial Officers have fallen for spoof email scams, so anyone is vulnerable.
Spoof emails usually:
- Claim to come from someone senior in the organisation;
- Are time sensitive;
- Involve international funds transfers or anonymised currency such as gift cards;
- Are sent to mid-level employees who might not deal directly with those matters; and
- May also take the form of other communications (announcements, regulations, processes and procedures, etc.) that are false or misleading.
Spoof emails can be reduced by configuring email systems to filter them out, training staff to recognise them, and developing policies and procedures that foil the email spoofers' attempts.
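The characteristics listed above can be turned into a simple mail-filter check. The following is an added example, not code from the article or from Agilient: it scores a raw message on an executive's display name appearing on an external address, a Reply-To that diverts replies elsewhere, time pressure, and requests for funds transfers or gift cards. The domain, executive name and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values (placeholders, not from the article): the organisation's
# own domain and the executives whose names a spoofer would borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|gift cards?|vouchers?|bank details)\b", re.I)


def spoof_indicators(raw_message: str) -> list[str]:
    """Return the spoofing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    found = []
    # A senior person's name on a mailbox outside our domain is the classic display-name spoof.
    if display_name.strip().lower() in EXECUTIVES and sender_domain != INTERNAL_DOMAIN:
        found.append("executive display name on external address")
    # A Reply-To pointing away from the sender's domain diverts the victim's answer to the spoofer.
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    if reply_domain and reply_domain != sender_domain:
        found.append("reply-to domain differs from sender domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        found.append("time pressure")
    if PAYMENT.search(text):
        found.append("funds transfer or gift cards requested")
    return found


def is_likely_spoof(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message that shows at least `threshold` indicators."""
    return len(spoof_indicators(raw_message)) >= threshold


# Constructed sample: the "senior person urgently needs gift cards" pattern.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe.ceo@freemail.example>
To: accounts@example.com
Subject: Urgent request

I am in a meeting and need you to buy gift cards today and send me the voucher codes.
"""

# Constructed sample: a routine internal message from the real mailbox.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board pack

Please find the agenda attached for Thursday.
"""
```

In a real deployment the threshold and keyword lists would be tuned against the organisation's own mail, and this heuristic sits alongside, not instead of, sender-authentication checks performed by the mail gateway.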
If your organisation is feeling the effects of spoofed emails, or you simply wish to mitigate the risk before it causes any impact, Agilient has skilled and experienced consultants, auditors and policy writers to assist in any or all of these tasks.
Author: David Steele, Agilient Cyber Security Consultant