A local independent mortgage broker has run into trouble. A loan payment that was expected to go into a client’s account has not materialised. After contacting the lender to find out what has happened it transpires that it received an email purporting to be from the broker asking for deposit account details to be changed. The broker feels sick knowing that he did not send such a message. Unfortunately, the request was made by cybercriminals who had compromised and eventually taken over the broker’s email address to make the message appear legitimate to the lender. The result is that the loan was paid into the cybercriminals’ account, while the lender, the broker and the client have all been victims of an elaborate email fraud.
While this is a fictitious scenario, the threat of email fraud to the financial sector is very real. And the above fictitious scenario can happen to any organisation that has a supply chain or is part of one. The wealth of data and funds that businesses within the industry have access to makes them an attractive target for threat actors, regardless of the organisation’s size. Indeed, with vast interconnected networks of advisors, brokers, subsidiaries and suppliers, criminals have many opportunities to hijack the identities of trusted contacts and insert themselves into the supply chain. Firms need to deploy defences that spot and stop incoming email fraud and prevent their brands being used to commit such scams.
Identity impersonation is no laughing matter
Threat actors are becoming increasingly sophisticated in their methods for fraudulently extracting money or information from unsuspecting victims. Through social engineering and detailed research, they will gain insight as to what their phoney email should look like, when it should be sent and who from. It is this last element of “who from” that scammers try to make as convincing as possible to fool both email defences and end users.
Identity impersonation is the most common method we see of threat actors trying to impersonate a trusted contact, as it is both easy and effective. It will commonly involve changing the email header to make the message appear as though it is coming from a trusted source. For example, an email header could be CEO@yourbank.com whereas the actual sender is MB5746836@gmail.com.
Financial institutions need to take a two-pronged approach to identify deception to protect their vital assets and their reputations. They need to defend themselves against incoming email purporting to be from trusted contacts, including insider impersonation, while at the same time they need to be alerted to any incidents of their own brand being impersonated to attack others.
Protecting your customers
The threat of an organisation’s brand being be used to perpetrate fraud is very real and could lead to serious reputational damage. The UK Government’s Cyber Security Breaches Survey 2019 found that 28 percent of organisations reported that they had been impersonated by fraudsters through email or online. Some leading banks are so concerned about the impact of brand misuse that they have demanded all third parties in its supply chain implement a raft of email security measures including DMARC, DKIM and SPF.
SPF (Sender Policy Framework) sits on the Domain Name Server and lists those server names that are permitted to send an email from a specific domain. This means that an organisation will be notified if an email has been received that is not from a recognised server, a key indicator of a scam.
DKIM (DomainKeys Identified Email) on the other hand authenticates an email’s content to ensure it has not been changed in transit. This is essential for making sure that key information such as account details are not altered by threat actors looking to divert payments for instance.
Building on both of these is the DMARC (Domain-based Message Authentication, Reporting and Conformance) authentication, policy and reporting protocol. This enables organisations to know exactly how their domain is being used for emails, so that they can see if threat actors are abusing it as well as authenticate legitimate uses such as emails sent out from contracted third parties. An alert is triggered in the event of someone trying to impersonate the organisation’s domain, and the message will be blocked from entering the victim’s inbox.
Protecting your organisation
Financial institutions can become victims of email fraud in a number of ways, but the most clandestine are Business Email Compromise (BEC) and Vendor Email Compromise (VEC) when the intended target is some other organisation in your supply chain. This is because they contain no obvious security triggers that are usually associated with malware or phishing emails to prevent them from being quarantined from end users. Instead, both BEC and VEC convince a targeted victim that they are a trusted contact and that they need them to carry out an action.
In the case of BEC, this could be masquerading as an email from the CEO of the victim’s organisation demanding that they urgently transfer a large sum of money into what turns out to be the threat actor’s account. With VEC, the attackers will first compromise and take over an email account from the organisation’s supply chain and insert themselves into the conversation when it is time for invoices to be paid. As far as the end user is concerned these messages look and feel like the real deal.
This threat can be combatted by instigating a protection model that focuses on employees, relationships and behaviours, rather than content and reputation. In our introduction, had the fictitious mortgage lender used email security modelled around relationships and behavioural patterns between employees, brands, businesses and domains to define trusted communications, they would have spotted and stopped that they were a potential VEC victim.
By employing a two-pronged approach to email security to mitigate both brand impersonation and advanced BEC and VEC attacks, firms within the financial sector can better protect themselves, their assets, their reputations and their customers.