This week, a client (Company MM) called me because of fraudulent banking activity.
The client is a matchmaker between their clients (Company C) and their service providers (Company SP). In this case, there was a pressing time element: payment needed to happen within five days in order to make a certain deadline. Company SP sent the invoice for their services to Company MM, which forwarded it immediately to Company C. Shortly thereafter came a second email correcting a mistake with the original invoice. Same letterhead, same writing style, same bank, etc. But a different bank account number. This invoice was also immediately forwarded to Company C, which proceeded to make the payment.
Company MM clicked “reply to all” on the second invoice, sending proof of payment, so that things could keep moving, even if payment wouldn’t be received for another day or two. Emails came from all sides during the next few days, during which time it became clear that the second “correct” invoice had been a fraudulent one and the payment had been made to some criminal’s account. Five figures stolen. Yikes.
I’m still collecting all the details, but the criminal somehow got hold of the email conversation and created email addresses that were similar to the real ones. The real ones were, say, email@example.com, firstname.lastname@example.org and email@example.com. The fake addresses were firstname.lastname@example.org, email@example.com and firstname.lastname@example.org. Just one letter different. Barely noticeable. So the devious person sent the “corrected” invoice from the fake service provider email address, and it was passed on to the client. It took a day or two before the three realized they’d been duped.
The Phone Call
As soon as MM realized that money had been stolen, they called me. They thought that their email had been hacked. I assured them that it hadn’t been hacked. I know this because last time I did some work for them, we turned on two-factor authentication after having changed their email passwords. Even if someone guessed / figured out their email password, any attempt to use it on the computer or smartphone would generate an SMS to my client’s phone with a code.
“How can we prevent this in the future?”
After getting the details over the phone and assuring them that their email hadn’t been hacked (at least in the sense that no one got into their account to read or send emails), the question inevitably came: “How can we prevent this in the future?” It’s not something I’ve come across before, but there were two things that I thought of immediately.
Option 1 – Save the relevant email addresses to the Address Book
First, I suggested creating an Address Book entry for every business contact. Instead of just seeing email@example.com in the From: field of your emails, you’ll instead see something like John Smith <firstname.lastname@example.org>, or maybe just John Smith. The mail client only substitutes the saved name when the address matches the saved entry exactly, so a message from a lookalike address, one letter different, will not be shown as your saved contact; it will show the raw address, or whatever display name the sender typed into it.
That last point is the catch: a fraudster can type the real person’s name as the display name, so you still have to look at the actual address, and a one-letter difference is easy to miss. This is not fool-proof, but it is a first step.
Option 2 – certificates
This is really the way to go. By obtaining a free S/MIME certificate from an issuing authority like Comodo, you can digitally sign your emails and encrypt them. Signing is what counters this particular fraud: an email signed with the real service provider’s certificate verifies in the recipient’s mail client, while a “corrected invoice” sent from a lookalike address cannot carry a valid signature for the real address. When you send a signed email to someone, your certificate travels with it and is saved on the recipient’s computer, which is what lets them encrypt their replies to you. The email client shows whether the email was signed and whether it was encrypted.
Signing only needs the sender to have a certificate. For two-way signing and encryption, both parties must have their own certificate.
I just created a certificate for both of my primary email addresses, business and personal. It took about 2 minutes to create it, receive it, install it, and test it by sending an email and then getting a reply. It’s worth it.
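As an added example (not code from the original post), here is how the address-book check from Option 1 and the “is this signed?” check from Option 2 can be automated for incoming invoice mail. It parses a raw message with Python’s standard library, flags any sender address that is within a couple of edits of a trusted address, flags a sender whose display name matches a trusted contact but whose address does not, and flags a trusted contact whose message arrived without an S/MIME signature. The address book, names and domains are constructed for illustration, as are the sample messages (the signature part holds dummy bytes; the mail client, not this script, does the cryptographic verification).

```python
"""Flag lookalike senders and unsigned mail from trusted contacts (added example, stdlib only)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> the one exact address we trust. Hypothetical names/domains.
ADDRESS_BOOK = {
    "John Smith": "john.smith@serviceprovider.example",
    "Jane Doe": "jane@client.example",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; a 'one letter different' lookalike scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_signed(msg) -> bool:
    """True if the message is structured as S/MIME signed (multipart/signed with a PKCS#7 signature).
    This only detects that a signature is present; the mail client verifies it cryptographically."""
    if msg.get_content_type() != "multipart/signed":
        return False
    proto = msg.get_param("protocol", "")
    return proto.lower() in ("application/pkcs7-signature", "application/x-pkcs7-signature")


def check_sender(raw: str, book=ADDRESS_BOOK, max_distance: int = 2) -> list:
    """Return a list of warning strings for one raw RFC 5322 message (empty list means nothing suspicious)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = {a.lower(): n for n, a in book.items()}
    warnings = []

    if addr in known:
        # Exact match with a trusted contact: the only remaining question is whether it is signed.
        if not is_signed(msg):
            warnings.append(f"{addr} is a trusted contact but this message is not S/MIME signed")
        return warnings

    # Unknown sender: look for near misses against every trusted address and display name.
    for trusted, trusted_name in known.items():
        d = edit_distance(addr, trusted)
        if 0 < d <= max_distance:
            warnings.append(f"{addr} is {d} edit(s) away from trusted {trusted} ({trusted_name})")
        if name and name.strip().lower() == trusted_name.lower():
            warnings.append(f"display name '{name}' matches contact {trusted_name} but address {addr} is not theirs")
    if not warnings:
        warnings.append(f"{addr} is not in the address book")
    return warnings


# Constructed sample messages. The base64 signature body is a dummy placeholder.
GENUINE_SIGNED = """From: John Smith <john.smith@serviceprovider.example>
To: mm@matchmaker.example
Subject: Invoice 4711
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain

Please find the invoice attached.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAAAAAA
--sig--
"""

# Same display name, domain differs by one letter (provider -> provlder), no signature.
LOOKALIKE = """From: John Smith <john.smith@serviceprovlder.example>
To: mm@matchmaker.example
Subject: Corrected invoice 4711

Apologies, the bank details on the earlier invoice were wrong. Please use the attached.
"""

# Real address, but the message carries no signature: worth a phone call before paying.
TRUSTED_UNSIGNED = """From: Jane Doe <jane@client.example>
To: mm@matchmaker.example
Subject: Payment

Paid today.
"""

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE_SIGNED), ("lookalike", LOOKALIKE), ("unsigned", TRUSTED_UNSIGNED)):
        print(label, check_sender(sample))
```

Run on the three constructed samples, the genuine signed invoice produces no warnings, the lookalike produces two (a one-edit address and a borrowed display name), and the unsigned message from a trusted address is flagged for the missing signature. A real deployment would apply this as a filter rule on the mailbox that receives invoices, and would treat a “corrected bank details” email that trips any warning as a reason to phone the provider on a known number before paying.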
Security is up to you
A few years ago, these levels of security were a bit technical and you could be excused for not having the confidence to delve into them, instead thinking the risk was not that great, or indeed not even being aware of the risk. But these days it’s just too easy, and ignorance is no longer a reasonable excuse.
If you’d like help with this or any other matter, please feel free to contact me directly. I’d be happy to help.