A "Radical" Option for Preventing Email Phishing Scams

As noted in Barclay Damon's April 2018 "Be Proactive to Avoid Potentially Dire Consequences of Phishing Scams" alert, phishing scams come in many different formats and continue to be a frequently used and prevalent form of cyber intrusion. Avoiding these scams requires diligence, training, appropriate technology, and, frankly, a bit of luck.

One form of phishing that remains particularly troublesome is the scam in which a cybercriminal uses email to pose as a high-level company official, business partner, or vendor and requests payment to an account the criminal controls. These emails are often very convincing, conveying the appropriate-sounding authority and usually including a demand for quick action based on dire circumstances. Some of the more complex schemes even include follow-up communications such as emails, text messages, and telephone calls that provide further apparent legitimacy to and confirmation of the supposed business deal, vendor payment, etc.

For example, in one case, a criminal sent an email to a company's accounting department that appeared to be coming from the company's CEO. The email appeared to be a legitimate company email, but was sent from an email address that was slightly different than the CEO's actual company email address. The email indicated the CEO was working on a deal that required an immediate payment and provided details on the amount and account to which the payment was to be made. Through publicly available information—internet news articles and social media—the criminal was aware that the company had recently done other deals, lending further legitimacy to the idea that another deal was in the works.

The email further stated an attorney would be calling to follow up, and the accounting employee should immediately respond to the email indicating that she received it and was processing the requested payment. Of course, the email also claimed the CEO was tied up in a meeting about the deal and would not be able to respond by phone. The employee responded to the email and, almost immediately after she sent the response, received a phone call from an individual claiming to be an attorney. The "attorney" confirmed details relating to the payment, which was then made via wire transfer. The scam ended up costing the company $500,000, and there is now an ongoing court battle as to whether the loss is covered by insurance.

As confirmation of the ongoing and substantial nature of these sorts of scams, the US Securities and Exchange Commission published a report on October 16, 2018, summarizing the findings of its investigation into nine separate phishing scams that caused losses in excess of $100 million. The report noted the pervasive nature of these scams, which have only increased in both volume and complexity in recent years. Importantly, the report also noted that none of the nine victim companies involved in the scams were particularly lax in their approach to cybersecurity. In fact, the report specifically stated that each company "had procedures that required certain levels of authorization for payment requests, management approval for outgoing wires, and verification of any changes to vendor data."

Given the complexity of some of these scams, and if reasonable processes and procedures are not preventing significant losses from them, what is a company to do? Some cybersecurity professionals are suggesting a rather extreme-sounding solution: disable certain employees' ability to respond directly to emails. With relatively little difficulty, information technology professionals can structure email systems to restrict certain actions, including the ability to reply to emails. These restrictions can be placed on certain employees—for example, accounting department employees—or some systems can be structured to apply the restrictions only to certain types of emails, such as emails that contain certain key words like "payment" or "invoice."

The idea is that, instead of responding directly to the criminal's email, the employee would have to create a new email and manually input the email address of the person from whom they purportedly received an email. Hence, in the example discussed above, the accounting employee would not have responded to the criminal's email that appeared to be coming from her company's CEO. Instead, she would have created a new email and input the real address of the CEO, who presumably would have advised her that the request was not real. Moreover, by not directly responding to the fraudulent email, the criminal would not have known he "had a bite" in his phishing scam, and there would've been no follow-up call from the phony attorney.

The process is not bulletproof. If a criminal has gained access to the company's email system versus using an outside account that looks similar, then the "failsafe" of having the employee create a new email would not prevent the scam from proceeding. Or the employee could simply copy and paste the fraudulent email address into a new email rather than addressing the email to the appropriate legitimate email address.

Notwithstanding, while this may seem like a lot of trouble and an additional step that could lead to potential inefficiencies and employee irritation, it is another option that companies could consider in the ever-ongoing battle against cybercrime.