How banks can cut security risks posed by email hoaxes
The recent news that two high-ranking banking executives were tricked into having inappropriate email conversations with a prankster who then posted them on Twitter was amusing — and surely embarrassing for the executives. It was also a lesson for anyone who is casual about using email and for any IT or security department that is not doing its utmost to ward off mischief and worse.
For those who may have missed it, Jes Staley, CEO of Barclays, fell for an email that looked like it came from Chairman John McFarlane. (The email address was John.email@example.com.) The note spoke of McFarlane’s efforts to defend Staley against an activist shareholder who had called for Staley to resign at the bank’s annual meeting that day. Staley replied with fawning gratitude.
“You have a sense of what is right, and you have a sense of theatre,” he wrote. “You mix humour with grit. Thank you, John. Never underestimate my recognition of your support. And my respect for your guile. … Someday I want to see an ad lib guitar run. You have all the fearlessness of Clapton.”
The true author of the email turned out to be an anonymous 38-year-old web designer from Manchester, England, according to the Financial Times. He uses the Twitter handle @Sinon_Reborn, a nod to the Greek character in the Aeneid who, as a Trojan captive, convinced the Trojans that the giant wooden horse the Greeks had left behind was intended as a gift.
On Twitter, he has criticized Staley many times, mainly for his attempts to uncover the identity of a whistleblower. In one of his emails to Staley, he included a poem in which each line starts with a letter from the word “whistleblower.”
This week, Mark Carney, governor of the Bank of England, received an email that appeared to be from another bank official, Anthony Hapgood. (The email address was Anthony.firstname.lastname@example.org.) The two had an exchange in which Carney joked about the drinking habits of one of his predecessors, Eddie George.
The emailer turned out to be the same prankster from Manchester. On Twitter, he said his motive was to test the central bank’s security.
“A few people have asked why Mark Carney,” he wrote. “No real reason, I just wanted to see if the BoE was security savy [sic] despite its traditional roots.”
In these cases, no laws were broken, and nothing was stolen. But the incidents made the executives and their organizations look foolish and raised questions about the quality of their security and controls.
Why this happens
It could happen to anyone, anywhere. It's not hard to create an email address with another person’s name. And the way many email programs work, the user sees only a display name, not the sender’s email address.
Chris Novak, global director of the risk team at Verizon Enterprise Solutions, said his company has seen a lot of these kinds of fake emails lately.
“It's really an offshoot of the business email compromise scams that we've also seen a lot of,” he said. “They’re targeting the nontechies to social engineer a broader event, like fraud.”
Banks are more typically targeted for financial gain, rather than public humiliation, noted Anthony Scarola, vice president of security and information risk governance manager at Fifth Third Bank.
“Email social engineering and phishing has been and still is one of the top tactics used by fraudsters to break into an organization to gather information or steal money because it works,” he said. “Generally, humans are good and optimistic about the world around them. We are fairly trusting and think the best of others. … This is our major vulnerability, our weak spot. Attackers know and prey on this.”
Such human vulnerabilities combined with technological shortcomings — such as failure to patch systems and applications in a timely manner — and the potential for reward is a recipe for disaster and a significant risk to banks and their customers, he said.
What to do about it
Most organizations have few controls in place to stop employees from answering prank emails and offer poor education about the problem, Novak said.
There are several steps that can be taken:
“External source” alerts. Shortly after its recent incident, Barclays introduced a tool that tells employees when an email comes from an external source.
Experts say this is not enough.
“It shows that Barclays has woken up to what the problem is,” said Markus Jakobsson, chief scientist at Agari, an email security software provider. “They’re aware of what caused this, and they’ve identified the nature of the problem. This is not the final solution, for them or anybody else.”
Strict email policies. Some companies try to maintain tough email policies, such as preventing employees, especially executives, from using personal emails, like Gmail or Hotmail accounts, for work.
Jakobsson says this is difficult to enforce.
“It’s not about the end-user awareness,” he said. “That’s a losing battle. And we don’t want to say this is the fault of the end user. That’s a drastic statement to make, and it puts the blame where it shouldn’t be.”
Employee education. Companies should conduct email social engineering and phishing assessments on employees and then follow up somehow, perhaps with stiffer training for those who fail phishing tests and for high-risk individuals, Scarola said.
Jakobsson, however, said he’s pessimistic about training.
“If you train people to spend 10 minutes looking at each email until they start getting a headache, that’s lost productivity,” he said.
He does see a benefit in making people more aware that email impersonation happens.
“Unfortunately many organizations and individuals think this is what happens to others,” Jakobsson said. “That’s why there’s car insurance mandated in most countries. You probably think you’re a good driver, but bad things happen to good drivers, too. Most organizations think they’re good drivers and nothing is going to happen to them until it already has happened to them. So they need to recognize they could be in harm’s way and that spam filters don’t address identity deception.”
Use of DMARC. Some help in this area can come from using the Domain-based Message Authentication, Reporting and Conformance protocol, an email-validation system designed to detect and prevent email spoofing.
“DMARC is excellent,” Jakobsson said. “Almost half of all business email compromise attacks start with spoofing, which is what DMARC blocks. And Barclays has a reject policy, which is the best sort of DMARC policy you could have. That’s not something other [financial institutions] have. That’s commendable and important, but it’s also important to realize that that only takes care of one important chunk of the problem and not all of the problem.”
About half of business email compromise attacks and other deceptive email are from a legitimate email address, he said.
“The only problem is it’s deceptive, the domain name and sometimes the user name is selected to convey something it isn’t,” Jakobsson noted. “These cases also reflect how commonly people interact with personal accounts of executives. That is something organizations need to realize could hurt them.”
Software tools. Agari’s Enterprise Protect software determines whether an email that appears to come from somebody truly comes from that person. It can change the display name to alert the recipient to the email address. “We can’t say who it really comes from. We can only say this is not who you think it is, so watch out,” Jakobsson said.
Other providers of email protection software include Cisco, Clearswift, Fortinet, McAfee, Mimecast, Proofpoint, Sophos, Symantec, Trend Micro and Websense.
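The case DMARC does not cover, a legitimate outside address carrying an insider's name, can be checked by comparing the claimed name against a directory of real addresses and rewriting what the recipient sees. This is an added example, not code from the article or from any vendor it names; the directory, the `.example` domains and addresses, and the banner wording are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed directory (assumption): protected names -> their real work address.
PROTECTED = {
    "John McFarlane": "john.mcfarlane@bank.example",
    "Anthony Hapgood": "anthony.hapgood@centralbank.example",
}
INTERNAL_DOMAINS = {"bank.example", "centralbank.example"}


def normalize(name: str) -> str:
    """Fold case, accents, punctuation and word order: 'McFarlane, John' -> 'john mcfarlane'."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    words = "".join(c if c.isalnum() else " " for c in text.lower()).split()
    return " ".join(sorted(words))


PROTECTED_NORM = {normalize(k): v for k, v in PROTECTED.items()}


def assess(from_header: str) -> dict:
    """Classify one From header and build the sender text to show the recipient."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    external = domain not in INTERNAL_DOMAINS
    # The claimed identity can sit in the display name or in the local part.
    claims = (normalize(display), normalize(local))
    real = next((PROTECTED_NORM[c] for c in claims if c in PROTECTED_NORM), None)
    # A forged copy of the exact real address is the case DMARC covers, not this check.
    impersonation = real is not None and addr != real
    if impersonation:
        shown = f"[CHECK SENDER: {addr}] {display}".strip()
    elif external:
        shown = f"[EXTERNAL] {display or addr}"
    else:
        shown = display or addr
    return {"external": external, "impersonation": impersonation, "shown": shown}


if __name__ == "__main__":
    for header in (  # constructed sample headers
        '"John McFarlane" <john.mcfarlane@bank.example>',
        '"John McFarlane" <john.mcfarlane.chair@freemail.example>',
        "anthony.hapgood@freemail.example",
    ):
        print(assess(header))
```

The name folding handles only case, accents, punctuation and word order; look-alike characters from other scripts and near-miss spellings would need a separate similarity check.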
And as always with security, a sense of vigilance is needed.
“Enhance your security and training and never give up,” Scarola said. “Evil and evildoers are not going away anytime soon, and social engineering and phishing attacks will only continue and likely increase.”
Editor at Large Penny Crosman welcomes feedback at email@example.com.