The Nigerian prince seems almost quaint.
Gone are the days when the Nigerian prince was the only nefarious figure menacing our inboxes. A simple yet elegant scheme – our supposed prince unexpectedly fell upon a large sum of money, left behind by a fallen war hero, bequeathed by a terminally-ill spouse, or, perhaps, borne from the fruits of new age oil exploration. The funds are (somehow) rightfully yours, but a bureaucratic quagmire has them tied up, and they cannot be released until you pay a *small* fee. Just send a few million dollars to a specified bank account, and the endless riches are yours.
Those who use email as part of their daily lives understand that email scams have evolved since the days of the Nigerian prince. But the sheer gumption and sophistication of today’s scam artists are too often underestimated, leading companies and individuals to falsely presume that email security can be taken for granted. Companies may deploy sophisticated antivirus and endpoint detection and response software, adopt air-tight firewall configurations, employ stringent access controls, and maintain comprehensive information security governance programs. These are smart steps that all businesses should take. But in striving toward these noble goals, the most critical vulnerability is often overlooked: the human element.
Humans make mistakes, and scammers know this more than anyone. To ensure email systems are fully protected, companies should supplement their technical controls with robust phishing awareness training programs and infuse the corporate culture with a shared sense of collective vigilance. This is especially important today, where email and cloud-connected applications such as OneDrive and SharePoint are frequently used to share sensitive company or personal information. It is not enough for employees to understand generally that phishing attacks are “out there.” Companies and employees must fully appreciate the complexity and sophistication of the threat landscape as it exists today and raise their vigilance to a level previously unseen.
The threat landscape is evolving. Fake emails are becoming more “real-looking”; threat actors are toning their language to fit company personality and decrease suspicion; legitimate third-party sites are being exploited as intermediaries; and scams are no longer limited to one-off money heists – they can be drawn out for weeks, months, or even longer. Here are some of the more salient examples that attorneys in Constangy’s Incident Response group have assisted clients with in just the past few months:
- Scammers created a malicious document disguised as a resume, uploaded it to a legitimate third-party job site and had it sent to the client (who was taking applications). As the email originated from the job site’s authentic domain and not a “spoofed” address, discerning its malicious nature would have been difficult if not impossible.
- A threat actor gained unauthorized access to a client’s Exchange server and deployed malware causing thousands of emails with fake DocuSign links to be “blasted” to everyone in the client’s contacts list. As the emails came from the client’s legitimate domain, again, these would have been difficult to detect by the recipients.
- A threat actor gained unauthorized access to an email account belonging to the client’s accounts payable employee and monitored the account for several weeks. Then the actor sent the employee a “spoofed” email with a request to change a customer’s ACH instructions. The fraudulent email was carefully toned to mimic the customer’s communication style and was crafted as a “reply” to an existing thread that was copied and pasted into the fake email.
- In an increasingly common “tech support scam,” a client received a fraudulent email disguised as a legitimate outreach from the “Geek Squad,” which instructed the client to call a toll-free number to collect a supposedly due refund. The client called and connected with what sounded like a legitimate customer service representative. The “representative” then initiated a remote access session to the employee’s computer and browsed for sensitive information.
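The indicators in the third scenario above (a familiar contact name on an unfamiliar sending domain, a pasted-in thread dressed up as a reply, and a request to change ACH instructions) can be checked mechanically before an accounts payable employee acts on a message. The Python below is an added illustration for this post, not Constangy’s tooling or anything taken from the incidents described; the defender’s domain, the known-contact list and both sample messages are constructed placeholders. It is a triage aid that routes a suspicious message to out-of-band verification; it does not replace calling the customer on a number already on file.

```python
"""Heuristic triage of an inbound message for the reply-chain BEC pattern.

Added illustration; all domains, contacts and messages are constructed placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the defender's own domain and the contacts finance normally deals with.
INTERNAL_DOMAIN = "example-client.com"
KNOWN_CONTACTS = {"pat customer": "customer-corp.com"}  # display name -> expected domain

# Word-bounded so that "attached" does not match "ach".
PAYMENT_RE = re.compile(
    r"\b(ach|wire transfer|routing number|bank account|remit(?:tance)? to)\b"
)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Return a score, a verdict and the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)
    subject = msg.get("Subject", "")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    findings = []

    # 1. Reply-To that points away from the From domain: replies leave the real thread.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Familiar display name, unfamiliar sending domain (lookalike or free-mail address).
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_dom != expected:
        findings.append(f"display name '{name}' is known at {expected} but sent from {from_dom}")

    # 3. Subject and body mimic a reply, yet no threading headers exist: consistent with
    #    an old thread copied and pasted into a fresh message rather than a true reply.
    looks_quoted = "wrote:" in body or "\n>" in body
    threaded = msg.get("In-Reply-To") or msg.get("References")
    if subject.lower().startswith("re:") and looks_quoted and not threaded:
        findings.append("looks like a reply but In-Reply-To/References headers are absent")

    # 4. The ask itself: a change to where money goes.
    if PAYMENT_RE.search(body):
        findings.append("requests a change to payment instructions")

    score = len(findings)
    if score >= 2:
        verdict = "hold for out-of-band verification"
    elif score == 1:
        verdict = "review"
    else:
        verdict = "ok"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: a genuine reply from the known customer.
LEGIT = """\
From: Pat Customer <pat@customer-corp.com>
To: ap@example-client.com
Subject: Re: Invoice 4471
Message-ID: <b2@customer-corp.com>
In-Reply-To: <a1@example-client.com>
References: <a1@example-client.com>
Content-Type: text/plain

Thanks, payment received.

> On Monday, ap@example-client.com wrote:
> Invoice 4471 attached.
"""

# Constructed sample: lookalike domain, foreign Reply-To, pasted thread, ACH change request.
SPOOFED = """\
From: Pat Customer <pat@customer-corp-billing.com>
Reply-To: pat.customer@mail-example.net
To: ap@example-client.com
Subject: Re: Invoice 4471
Message-ID: <c3@customer-corp-billing.com>
Content-Type: text/plain

Hi, please note our bank account changed. Updated ACH details:
Routing number 000000000, account 111111111 (placeholder values).

> On Monday, ap@example-client.com wrote:
> Invoice 4471 attached.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, triage(sample))
```

The genuine reply scores zero, because the sending domain matches the contact on file and real threading headers are present, while the spoofed message trips all four indicators and is held. The point of the fourth check is that a payment-instruction change on its own only earns a review, but combined with any spoofing indicator it is the business email compromise pattern the post describes.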
The consequences of socially engineered email scams can range from minor to severe. Phishing-related wire schemes are often caught before funds are dispatched, but successful attacks can result in significant corporate losses, often with little to no chance of recovery. Other schemes are designed to compromise individual email accounts – or even entire tenants – and harvest company-sensitive or personal information. These attacks, when successful, can cause harm ranging from mere nuisance to costly notifications, regulatory inquiries, and, in some cases, irreparable damage to the company’s reputation. In many cases, technical safeguards are insufficient to overcome the vulnerabilities inherent to the foibles of human nature.
The metaphor of the “human firewall” is often used to underscore the importance of employee training. Individuals are the front lines of any information security program, so companies are wise to ensure that appropriate training, and threat awareness and prevention, are prioritized. Companies should maintain comprehensive phishing awareness programs that require and enforce regular employee training, while emphasizing that data security is a shared responsibility. Phishing simulation programs offered by reputable third parties are worthy of consideration, as are company-wide discussions where these issues are reiterated and reintegrated into the collective corporate psyche. Email security training should include real-world examples that resemble employees’ day-to-day experiences, so that the information is absorbed more effectively and employees neither tune out nor misunderstand it. Leadership should also stay current on the latest advisories from government authorities such as the Federal Bureau of Investigation and the Cybersecurity & Infrastructure Security Agency, as well as local regulators and law enforcement.
Full threat prevention starts and ends with humans. To defend themselves against the bold acts of today’s sophisticated email scam artists, companies should prioritize regular employee training and drill in the shared sense that “we’re all in this together.”