Scammers use various tricks to get people to drop their guard, and that calls for multiple layers of protection, says an email security expert.
Nicholas Lennon, country manager at email security provider Mimecast, warns of "a rising phenomenon" of highly targeted attacks often hijacking well-known brands such as Telstra and Australia Post, along with a resurgence of malware using the macro capabilities of Microsoft Office, and the recent outbreak of 'CEO fraud' – also known as 'business email compromise' (BEC).
A combination of technology and user awareness can help ward off these threats, he suggested.
BEC scammers are in some cases using almost real-time information harvested from social media to make their approaches more convincing. For example, a business owner may tweet about a delayed flight back to Australia, which gives the bad guys an opportunity to craft an email along the lines of "I'm not going to be in the office as soon as expected, so I need you to send $50,000 to X otherwise the deal I just negotiated will fall through."
Certain characteristics indicate that an email is probably a BEC attempt. As previously reported, the subject line usually includes one of a small number of words such as "transfer". Other indications include the use of a similar but slightly different domain name (such as .com rather than .com.au, or slight changes such as replacing the letter m with rn). Another signal is that the domain used by the sender has only just been registered – that's not something the recipient can see, but it can be checked by a mail filtering service.
The problem, Lennon said, is that there is a distinct risk of false positives – that is, a genuine message may be flagged as being malicious. So unless an email is clearly bad, Mimecast's approach is to deliver it with a warning that it is suspicious, and that the recipient should be especially careful to follow the established processes.
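The indicators listed above (subject keywords, lookalike domains, freshly registered sender domains) and the warn-rather-than-block policy can be combined into a small triage routine. The code below is an added illustration, not Mimecast's product logic; the organisation domain, the registration-date table, the keyword list beyond "transfer" and the "clearly bad" threshold are all assumptions.

```python
import re
from datetime import date

# Constructed sample data (not from the article): the organisation's own domain and a
# tiny registration-date table standing in for the registration-age feed a filter would use.
ORG_DOMAIN = "example.com.au"
REGISTRATION_DATES = {
    "example.com.au": date(2010, 3, 1),
    "example.com": date(2012, 1, 15),
    "exarnple.com.au": date(2016, 6, 1),   # "rn" in place of "m"
}
TODAY = date(2016, 6, 3)                    # fixed so the example is deterministic
NEW_DOMAIN_DAYS = 30                        # assumed "just registered" threshold
SUBJECT_WORDS = {"transfer", "payment", "wire", "urgent"}  # article names "transfer"; rest assumed

def lookalike_reason(sender_domain, org_domain=ORG_DOMAIN):
    """Describe how sender_domain imitates org_domain, or return None."""
    if sender_domain == org_domain:
        return None
    # Same leading label, different suffix: .com instead of .com.au
    if sender_domain.split(".")[0] == org_domain.split(".")[0]:
        return f"suffix differs: {sender_domain} vs {org_domain}"
    # Homoglyph swap: "rn" reads as "m" in many fonts, so normalise both and compare
    if sender_domain.replace("rn", "m") == org_domain.replace("rn", "m"):
        return f"homoglyph lookalike: {sender_domain} vs {org_domain}"
    return None

def bec_indicators(sender, subject, today=TODAY):
    """Collect the article's BEC signals for one message; empty list if none fire."""
    reasons = []
    domain = sender.rsplit("@", 1)[-1].lower()
    hits = set(re.findall(r"[a-z]+", subject.lower())) & SUBJECT_WORDS
    if hits:
        reasons.append("subject keyword(s): " + ", ".join(sorted(hits)))
    reason = lookalike_reason(domain)
    if reason:
        reasons.append(reason)
    registered = REGISTRATION_DATES.get(domain)   # unknown domains are not penalised
    if registered and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append(f"sender domain registered {(today - registered).days} days ago")
    return reasons

def triage(sender, subject):
    """Quarantine only when clearly bad; otherwise deliver, with a warning if anything fired."""
    reasons = bec_indicators(sender, subject)
    if len(reasons) >= 2:                       # assumed threshold for "clearly bad"
        return "quarantine", reasons
    if reasons:
        return "deliver-with-warning", reasons
    return "deliver", reasons
```

A single weak signal (for example a .com sender where the organisation uses .com.au) only adds a warning banner, which keeps the false-positive cost low while still nudging the recipient back to the established payment process.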
More generally, that last point concerns training users about threats at the time they are most vulnerable. So instead of just including email security as part of the induction training (and perhaps with an annual refresher), it's better to deliver brief refreshers exactly when they are relevant – for example, warning: "This email may have originated from outside the organisation even though it purports to be internal."
A layered approach that applies multiple technologies to detect different types of threat as well as addressing user behaviour mitigates the overall threat to an organisation, Lennon concluded.