Email Hacking – An Increasing Risk for Irish SMEs

Invoice redirect fraud was in the news again recently as RTE reported on a €15m money-laundering fraud network.  We have written on this topic before and have seen plenty of examples of SMEs, perhaps businesses like yours, falling victim to this type of crime.  Anecdotally we can see it’s on the rise and news reports like that confirm our observations.  Put simply, this happens when an email account is hacked.  The fraudster intercepts mails and mines contacts from the hacked account.  The purpose is to trick people into transferring “payments” to the criminal’s bank account.  Sometimes the business loses the money, sometimes the clients lose the money.  But in the end the business always loses, either reputationally or fiscally.

If you’re in business, then you are likely a supplier to clients.  Your client list is very valuable to you.  Your client list is also valuable to fraudsters.  They are not looking to persuade you to send them money necessarily.  They are looking to get access to your email and target your clients. Your email system, if hacked, can provide a vital link between the fraudster and your clients. And the really upsetting thing is that when your clients are being defrauded, they think they are talking to you!

How does such hacking happen?

The most common way for email to be hacked is by someone in your organisation unwittingly giving out the login information for an email account.  A genuine-looking email like the one below comes into their inbox.

You click on the link believing you’ll be directed to the displayed URL.  But the actual URL you go to is a different one entirely.  You don’t notice the URL change, or perhaps believe the redirection is benign.  You’re requested to input your Office 365 username and password and, because the request seems reasonable, you do so – thereby allowing the fraudster access to the email system.  For you it’s transparent and you have no idea anything has changed.
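The trick described above leaves a trace that software can check for: the address shown in the link text is not the address the link actually goes to. The following is an added example, not BITS' own tooling, of a small Python check that parses an HTML email body and flags any link whose visible text names one host while its href points to a different one; the sample email and its hosts are constructed placeholders.

```python
# Added example (not BITS' tooling): scan an HTML email body and flag links
# whose visible text shows one address while the href actually leads elsewhere.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def norm_host(host):
    """Lowercase and drop a leading 'www.' so www.x.com and x.com compare equal."""
    return re.sub(r"^www\.", "", (host or "").lower())

class LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def mismatched_links(html):
    """Return (text, href) pairs where the address shown in the link text differs
    from the host the href points to; text with no address ('Click here') is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        shown, actual = DOMAIN_RE.search(text), urlparse(href)
        if not shown or actual.scheme not in ("http", "https"):
            continue
        if norm_host(shown.group(1)) != norm_host(actual.hostname):
            flagged.append((text, href))
    return flagged

# Constructed sample body modelled on the lure described above (placeholder hosts).
SAMPLE_EMAIL = """<p>Your Office 365 mailbox is almost full. Please
<a href="http://account-verify.example/o365">sign in at https://login.microsoftonline.com</a>
to keep receiving mail. See <a href="https://www.microsoft.com/">microsoft.com</a> for details.
<a href="https://helpdesk.example/">Contact support</a></p>"""
```

Running `mismatched_links(SAMPLE_EMAIL)` flags only the first link; a link whose text is just "Click here" gives the check nothing to compare, which is exactly why hovering over the link to read the real destination still matters.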

Either way, you go back to work as normal and there is no evidence of a breach on your end.  The hacker now has visibility into the email account whenever they wish.  They are opportunistic and will act when it makes sense; in the meantime they can be mining data and attacking your clients in other ways.  They can be lurking in the background of your email for months before taking action. You might never know. This is called a “man in the middle” attack.  At any time, the hacker can step into a conversation “pretending” to be one of the parties in the conversation, and hence be in a position to redirect money to his/her own bank account.

With free visibility into a whole list of contacts, the opportunities for attacks become endless.

When these crimes become apparent – usually when one party or the other begins to follow up on “unpaid” accounts – you and your organisation can be left very red-faced when it turns out the hack originated in your email.  Apart from reputational damage, which can be difficult to recover from, the breach opens a whole new headache for the organisation because under the new GDPR guidelines you would be required to inform the Office of the Data Protection Commission of such a data breach of your IT systems.

Added to that is the significant amount of time your organisation would need to spend re-securing your email system.  The cost of this would be further increased if you had to get the help of outside experts.

These efforts by fraudsters to gain control of email systems are increasingly common.  Here’s another example we recently encountered:

The risk is increasing.  An Garda and the Data Protection Commission are strongly suggesting, as are we, that “Prevention is better than Cure”.  They go on to say that there is “no substitute for the proper design of systems to secure personal data from accidental or deliberate disclosure”.

So how do you protect yourself?  Firstly, know that the most likely way they will get in is via an end-user unknowingly giving away their login information.

Ask yourself this question:  Can you be 100% certain that all members of your team/staff wouldn’t click on links such as those displayed above?

If your honest answer is “no”, there are preventative steps that you can take:

  1. Get your team trained. There are ways to spot the fakes, and equipping your team with the knowledge to recognise and deal with them is the best approach.
  2. Enhance the security measures on your email setup.

BITS provide training and consultancy on cyber-crime. To get your staff up to speed and your systems made robust, see here for more information or call us on 056-7786882 to discuss next steps.