Valimail blog

Five top finance execs fooled by phishing emails

Author: Valimail

Five top bank executives have fallen victim to an email prankster in the past month.

The CEOs of Goldman Sachs, Citigroup, Barclays PLC, and Morgan Stanley, and the Governor of the Bank of England, were all ensnared by a prankster who pretended to be someone they trusted, engaged them in email conversations, then published the exchanges on a Twitter account.

In each case, it appears the prankster created accounts on free email services such as Hotmail or Gmail, giving them names that matched associates or likely contacts of the targets: the chairman of the company, for instance, or a prominent politician. He then sent spear-phishing emails to the executives that attempted to match the tone and style of the purported sender. For example, the email sent to Barclays CEO Jes Staley appeared to come from Barclays chairman John McFarlane, from the address John.mcfarlane.barclays@gmail.com. There was no attempt to forge the From address or the barclays.com domain: the message came from a genuine Gmail account, so it authenticated perfectly well as gmail.com. The deception lay entirely in the "friendly name" (display name) that the mail client shows in place of the address, plus a lookalike local part that spelled out the chairman's name.

In each case, the email exchanges were somewhat embarrassing to the executives (especially once published), but they didn't disclose any confidential information, and it seems the prankster had no agenda apart from fooling them. For instance, there was no attempt to make the execs open a malicious attachment, or to direct them to a credential-harvesting website, which is what most phishing attacks like this aim at.

It’s unclear why the prankster is doing this, except to embarrass the banks and perhaps spur them to tighten their email security practices. In that, he seems to have been at least somewhat successful. According to American Banker, “Shortly after its recent incident, Barclays introduced a tool that tells employees when an email comes from an external source.” Such “external source” alerts are a start, and they would have tagged every one of these messages, since none came from a bank domain. But they are not close to a complete solution: they say nothing about a message that forges the bank’s own domain or arrives from a compromised internal account, and a banner that appears on every external message is soon tuned out.
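As an added example (not code from the original post or from Valimail), here is a small Python impostor check of the kind an “external source” banner or gateway rule could apply to the From header. It separates the display name from the actual address, tags anything from a non-bank domain as external, and escalates to “likely impostor” when the display name matches a known insider while the address does not, or when a free-mail address embeds the insider’s name or the bank’s name. The internal domain list, the insider directory, the free-mail list and the sample headers are all constructed for this example and are not real Barclays data.

```python
import re
from email.utils import parseaddr

# Constructed data for this example: the bank's own domains, a directory of
# high-value insiders (display name -> real corporate address) and the
# free-mail providers the prankster used. Not real Barclays data.
INTERNAL_DOMAINS = {"barclays.com"}
DIRECTORY = {
    "john mcfarlane": "john.mcfarlane@barclays.com",
    "jes staley": "jes.staley@barclays.com",
}
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def _name_tokens(text):
    """Lower-case alphabetic tokens: 'John.McFarlane_barclays' -> ['john', 'mcfarlane', 'barclays']."""
    return re.findall(r"[a-z]+", text.lower())


def assess_from(header_value):
    """Classify a From: header value as 'internal', 'external' or 'likely impostor'.

    Returns (verdict, reasons). The verdict is driven by the address, never by
    the display name alone, which is exactly the field the prankster controlled.
    """
    display, addr = parseaddr(header_value)
    if "@" not in addr:
        return "likely impostor", ["unparseable or missing address"]
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    reasons = []

    if domain not in INTERNAL_DOMAINS:
        reasons.append("external sender")

    # Display name of a known insider paired with a different address.
    display_key = " ".join(_name_tokens(display))
    expected = DIRECTORY.get(display_key)
    if expected and expected != addr.lower():
        reasons.append(f"display name matches insider {expected}, address differs")

    # Free-mail account whose local part spells out the bank or an insider.
    if domain in FREEMAIL:
        tokens = set(_name_tokens(local))
        if any(d.split(".")[0] in tokens for d in INTERNAL_DOMAINS):
            reasons.append("free-mail local part embeds the bank's name")
        for name in DIRECTORY:
            if set(name.split()) <= tokens:
                reasons.append(f"free-mail local part spells out insider '{name}'")
                break

    impostor = any(r.startswith(("display name", "free-mail")) for r in reasons)
    verdict = "likely impostor" if impostor else ("external" if reasons else "internal")
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample headers; the first mirrors the address quoted in the post.
    for hdr in (
        '"John McFarlane" <John.mcfarlane.barclays@gmail.com>',
        '"John McFarlane" <john.mcfarlane@barclays.com>',
        '"Jes Staley" <jstaley1976@hotmail.com>',
        '"Alice Vendor" <alice@supplier.example>',
    ):
        print(hdr, "->", assess_from(hdr))
```

The design point is that the display name is only ever used as a reason to look harder at the address, never as evidence of legitimacy; a real deployment would load the directory from the corporate address book and keep the free-mail list current.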

American Banker suggests several other solutions that financial institutions can implement. However, their effectiveness varies:

Stricter email policies — In other words, don’t let employees or executives conduct company business from Gmail or Hotmail accounts, so that a message from a consumer webmail address claiming to be a colleague is suspect on its face. This is unlikely to be fully enforceable, however: everyone has a smartphone, and Gmail is always just a web browser away.

Employee education — Banks, like all companies, should teach employees how to recognize phishing emails, then regularly test them with simulated (“white hat”) phishing campaigns. This is also an imperfect solution, but it could train executives to look at the actual email address, not just the friendly name, on inbound email. (John.mcfarlane.barclays@gmail.com, seriously? Anyone who looks at that address should be instantly suspicious of it.)

Implementing DMARC — Email authentication through DMARC stops same-domain spoofing: a receiving server checks whether the message passed SPF or DKIM for a domain aligned with the From header, and if it did not, applies the policy the domain owner has published in DNS. Barclays, for instance, publishes a DMARC policy of p=reject, which means that a message putting a barclays.com address in the From field without coming from an authorized sender is rejected by every receiving server that honors DMARC, including the major mailbox providers. However, a reject policy only covers subdomains if the record’s subdomain policy (the sp tag, which defaults to the value of p when absent) extends it to them and the subdomain does not publish a looser record of its own, and the Barclays policy still allows messages from subdomain addresses such as home.barclays.com, which leaves an opening for phishers to use addresses like john.mcfarlane@home.barclays.com.

Secure email gateways — SEGs can scan inbound messages for suspicious content or malicious file attachments, and can alert recipients to likely imposters (senders who probably aren’t who they appear to be).
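As an added example (not code from the post or from Valimail), the following Python resolves the DMARC policy that applies to a From domain the way RFC 7489 section 6.6.3 prescribes, including the subdomain case raised under “Implementing DMARC” above, and then computes the disposition from the SPF/DKIM results and identifier alignment. The DNS snapshot, the public-suffix stand-in and the record contents are constructed for the example; in particular the barclays.com record shown here merely illustrates the “p=reject with a looser subdomain policy” situation, and is not the domain’s actual record.

```python
# Constructed DNS snapshot of _dmarc TXT records (illustrative, not live data).
DNS_TXT = {
    "_dmarc.barclays.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc-rua@example.invalid",
    "_dmarc.gmail.com": "v=DMARC1; p=none; rua=mailto:rua@example.invalid",
}

# Stand-in for the Public Suffix List, which real code must consult to find the
# organizational domain (assumption for this example).
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return None
    return tags


def org_domain(domain):
    """Organizational domain: the label just above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def applicable_policy(from_domain, dns=DNS_TXT):
    """Policy and record for an RFC5322.From domain (RFC 7489 section 6.6.3).

    A record at the exact domain wins and its p applies. Otherwise the
    organizational domain's record applies, and because the sender is then a
    subdomain, its sp tag (falling back to p) is used.
    """
    from_domain = from_domain.lower()
    record = parse_dmarc(dns.get("_dmarc." + from_domain, ""))
    if record:
        return record["p"].lower(), record
    org = org_domain(from_domain)
    if org == from_domain:
        return "none", None  # no record at all: no policy to apply
    record = parse_dmarc(dns.get("_dmarc." + org, ""))
    if not record:
        return "none", None
    return record.get("sp", record["p"]).lower(), record


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') a shared org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(from_domain, spf_domain=None, dkim_domain=None, dns=DNS_TXT):
    """'pass' if SPF or DKIM passed for an aligned domain, else the applicable policy.

    spf_domain / dkim_domain are the domains for which SPF / DKIM already
    PASSED (None means that check failed or was absent).
    """
    policy, record = applicable_policy(from_domain, dns)
    tags = record or {}
    if aligned(spf_domain, from_domain, tags.get("aspf", "r").lower()) or \
       aligned(dkim_domain, from_domain, tags.get("adkim", "r").lower()):
        return "pass"
    return policy


if __name__ == "__main__":
    # Forged barclays.com From, relayed through an unrelated host: rejected.
    print(dmarc_disposition("barclays.com", spf_domain="bulk.example.net"))
    # Same forgery on a subdomain: sp=none lets it through unchallenged.
    print(dmarc_disposition("home.barclays.com", spf_domain="bulk.example.net"))
    # The prankster's real Gmail account authenticates as gmail.com and passes.
    print(dmarc_disposition("gmail.com", dkim_domain="gmail.com"))
```

Changing the constructed record to sp=reject (or simply dropping the sp tag, so p is inherited) closes the subdomain gap; the third case shows why none of this touches the prank itself, since the mail really was from gmail.com.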

Ultimately, big banks need to be prepared for phishing attacks. This month’s prankster is a relatively harmless actor, but there are many more nefarious individuals out there who would love to gain the trust of a top executive and convince him or her to open an attachment, or enter a password on a site controlled by the phisher. Industry estimates put the share of intrusions that begin with a phish like this at around 91%. Given the massive amounts of money and trust that banks hold, they owe it to their customers and shareholders to lock down email security more tightly.

Properly configured and at enforcement, DMARC email authentication gives customers as well as employees of a bank assurance that a message carrying the bank’s domain in its From field came from an authorized sender, at every receiving system that honors the policy. That is the first step toward a more secure email infrastructure, and it protects the bank’s brand as well. DMARC also gives the bank aggregate reports from receiving domains, typically daily, summarizing every source that sent mail under its domains and whether that mail authenticated, which supports continuous monitoring of how the domains are being used.

It’s true that DMARC wouldn’t have prevented this particular prank, since the messages used a genuine Gmail address rather than the bank’s domain, but it does close off a major avenue for phishers and can be part of creating an overall culture of good email security practices. (For instance, if all bank execs use bank email addresses, and those addresses are authenticated and easily identifiable, then any non-bank email address stands out like a sore thumb, making identification easier.)

Combined with education and other security best practices, authentication is the foundation of a more trustworthy and secure email platform.

Top photo: Goldman Sachs CEO Lloyd Blankfein. Photo credit: Fortune Live Media

Published June 23, 2017
  • Phishing
Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world's largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.