Email Impersonation Knows No Borders
Hello…Elvis? Photo credit: Gunnshots
Email impersonation scams, also known as business email compromise (BEC) or phishing attacks, have risen 20 percent in the first nine months of this year, according to the Singapore police.
According to the report, those scams have cost Singaporeans S$19 million (U.S. $13.4 million), of which the police have only been able to recover U.S. $100,000 — a recovery rate of just 0.75 percent.
That one case of recovered money provides some insight into how a BEC attack works. According to the news report, on May 27 a Singaporean company received an email from an overseas business partner that included a request for payment. The company transferred the money to a foreign bank account. It was only when they spoke with the overseas partner that the company realized it had fallen victim to a scam, because the partner’s email had been compromised.
Fortunately, the money was still in the bank account, so police were able to recover the funds.
It’s worth noting that the vast majority of email impersonation scams like this don’t require hackers to gain access to the mail servers or mail clients of the target company.
Because most companies don’t use email authentication, it is trivial for phishers to send emails to a target (the Singaporean business, in this example) with a forged From: address, making the email look as if it had legitimately originated from another company. Doing so requires no access to the impersonated company’s email systems at all.
That kind of attack can be easily stopped by using DMARC authentication. More than 2.5 billion email inboxes work with standards-based authentication now, including all the major commercial providers of email such as Microsoft, Google, and AOL. If phishers try to impersonate the email address of a company that has implemented DMARC, mailboxes such as these will reject the incoming mail or deliver it to a spam folder — while sending a log of that attempted impersonation to the domain owner.
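As an added illustration, not part of the original post, here is how a receiving mailbox applies a published DMARC policy to a message whose From: domain is being impersonated: it checks whether an SPF or DKIM pass is aligned with the From: domain, falls back to the domain owner's policy when neither is, and notes where aggregate reports of the attempt are sent. The DMARC record, domains and messages are constructed, and the organizational-domain lookup is simplified to the last two labels instead of the Public Suffix List.

```python
# Added example of DMARC policy evaluation; record, domains and messages are constructed.

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict with RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Simplified to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record: str, from_domain: str, spf_pass_domain=None, dkim_pass_domain=None):
    """Return (disposition, report addresses) for one message.

    spf_pass_domain:  envelope (MAIL FROM) domain that passed SPF, or None.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    Disposition is 'pass' when an aligned check passed, otherwise the owner's
    policy: 'deliver' (p=none), 'quarantine' (spam folder) or 'reject'.
    The pct= sampling tag is ignored here for brevity.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags["aspf"])
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        disposition = "pass"
    else:
        disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}.get(tags["p"], "deliver")
    # rua= lists where the receiver sends aggregate reports, which is how the owner learns of impersonation attempts
    reports_to = [u[len("mailto:"):] for u in tags.get("rua", "").split(",") if u.startswith("mailto:")]
    return disposition, reports_to

if __name__ == "__main__":
    # Constructed record for the impersonated domain, and a forged message that only passes SPF for the sender's own domain.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"
    print(evaluate(record, "example.com", spf_pass_domain="attacker.invalid"))  # ('reject', ['dmarc-reports@example.com'])
```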