Daren Oliver, cyber security expert and managing director of Fitzrovia IT, explores whether fraudulent emails are getting more difficult to identify and if email communication should be limited for those working in security-sensitive sectors…
Once upon a time, sending and receiving emails was a new-fangled process used as a substitute for the written letter. Mostly reserved for academic circles, or for verifying important information following a spoken conversation, few predicted email communication would flourish as it has over the last two decades. Email has changed the face of human interaction, overtaking the telephone as the number one method of personal and professional information exchange.
By the end of 2017, it is estimated there will be 4.9 billion email accounts worldwide with business emails accounting for 929 million mailboxes – a veritable hunting ground for cyber criminals.
With the advent of email and the introduction of its successors, such as text and instant messaging services, it has become easier than ever before to contact those who were previously considered ‘unreachable’. Conversations and canvassing over the telephone, which have traditionally been the mainstay for many business operations, have become less frequent, and the average email inbox is now littered with loquacious literature.
Of course, firing off an email into cyberspace is no guarantee you will reach the person you want a response from. If anything, it’s the perfect excuse for him or her to ignore your carefully crafted correspondence. As inboxes become more flooded, individuals will naturally screen each email, picking and choosing on sight who to reply to, based on recognition and associated content. But what has this meant for fraudulent activity?
The job of a cyber criminal has intensified over the past few years, requiring them to be increasingly sophisticated and clever in their approach. In the past, criminals have traditionally relied on ‘flood them fast’ email distribution by targeting numerous inboxes with spam notifications purporting to be from businesses such as banks. Awareness campaigns from the businesses themselves have helped to tackle the issue, meaning many quick-thinking consumers have started to grow more savvy, refusing to click on unsolicited links.
As a result, cyber criminals have turned to social engineering and the support of realistic-looking spoof emails to dupe their targets. These mimic everything from ‘links’ to incredible deals on offer from well-known retailers to emails from trusted contacts, where the sender’s address has been so subtly adjusted that it appears to be legitimate. In fact, so accurate are these emails in their appearance that it calls into question whether organisations dealing with sensitive data, such as governments, should be using email accounts at all, and whether a more secure method of communication should be adopted.
For example, the recent cyber attack on UK Parliament, which resulted in the breach of dozens of inboxes, could have been an incredibly valuable hack for the cyber criminals involved. Highly sensitive content can be sold on for a huge financial gain to those hungry for damaging and destructive data they can use to their advantage. Information in the wrong hands could cause worldwide catastrophe.
There is no outright answer to dealing with illegitimate emails and spoof spam. Cutting email out of the equation entirely is not realistic. Of course, fraudulent activity can be kept at a minimum and mitigated by adopting up-to-date software and implementing well-planned, comprehensive backup strategies.
However, it is human beings themselves that hold the key to unlocking the answers to the current cyber crime conundrum. Research by the Information Commissioner’s Office reported that 93% of incidents investigated at the end of 2015 were caused by human error. Clearly, as fraudsters become more adept at creating cunning ways to cut through the cyber psyche of their targets, spotting a spoof email will become nearly impossible. Nobody is immune.
Re-educating the workforce and raising awareness of the issues surrounding cyber crime are essential. Regular testing and ‘digital fire drills’ for staff should be as much a part of a company’s strategy as its sales and marketing plans. ‘Friendly phishing expeditions’, where staff are sent ‘spoof’ emails at random to test their reactions, are one way of ensuring there are no chinks in your employees’ armour. Only then, once cyber crime awareness officially becomes part of company policy, will we gain some control over addressing the current vulnerabilities.