Email: the Cyberattack Gateway to Hell, and Other Fun Facts…

Email. Some folks love it, some don’t. Whether you’re a fan or not, you cannot deny the impact email has had on the workplace, and the value it adds in facilitating communication. In fact, a poll conducted late last year found that, for adult Internet users who have full or part time jobs, email was their most important tool (61% said email was ‘very important’ for them to do their job). (Source: Pew Research Center, Technology’s Impact on Workers, December 30, 2014).

Recently, however, the folks at Ubiquiti provided us with a stark reminder of the significant dangers email can pose to organizations, even at a place that you might think would be better positioned to guard against cyberattacks that rely on email as their “way in.”

A hacker posed as one of Ubiquiti’s employees online and stole $46.7 million from the company’s accounts.

According to a CNN Money article published earlier this month, the networking firm, based in San Jose, California, said that “an ‘outside entity’ targeted its finance department by sending what appeared to be a company email. The fake emails duped employees into turning over their usernames, passwords and account numbers. Then the hacker was able to transfer funds out of a Ubiquiti subsidiary in Hong Kong to other overseas accounts that the hacker held.” By the time the company figured out what had happened, the cyberthieves had stolen $46.7 million from its accounts. (Source: CNNMoney, “Hackers siphon $47 million out of tech company’s accounts,” August 10, 2015).

Apparently, these types of attacks are surprisingly easy to carry out. Using social media platforms such as LinkedIn to determine who works in a certain company’s finance department, a hacker “could have easily created a dummy email address that fooled the finance department (example@ubiq1ti.com or example@ubiquiti.co), for instance. After emailing employees, a person hitting “reply” quickly without paying attention could have responded to the hacker’s dummy email address,” providing the requested information. (Source: CNNMoney citing KrebsOnSecurity, “Tech Firm Ubiquiti Suffers $46M Cyberheist,” August 15, 2015). In fact, according to the FBI, businesses lost $215 million to similar email scams (known as “business email compromise” or “BEC”) just last year. (Source: CNNMoney citing KrebsOnSecurity, “FBI: Businesses Lost $215M to Email Scams,” January 15, 2015).
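Look-alike addresses of the kind quoted above can be screened for mechanically before a human ever hits “reply.” The script below is an added example, not code from the original post, from Ubiquiti or from KrebsOnSecurity; it assumes a single trusted domain (ubiquiti.com) and runs over three constructed messages. It flags a From or Reply-To domain that reuses the trusted name under a different TLD, embeds it, or sits within two edits of it after common digit-for-letter swaps, and separately flags a Reply-To that differs from the From domain, which is the “reply without paying attention” path the article describes.

```python
"""Screen inbound mail for look-alike sender domains (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization's own legitimate mail domain(s).
TRUSTED_DOMAINS = {"ubiquiti.com"}

# Digits and symbols attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough here that a library is not needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Toy split into registrable label and TLD (last label only)."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def classify_domain(domain: str):
    """None if trusted; a reason string if it imitates a trusted domain; else 'external'.

    The edit-distance threshold of 2 is tuned for a label as long as
    'ubiquiti'; for very short trusted labels it would over-match."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS:
        return None
    d_label, _ = split_domain(d)
    for trusted in TRUSTED_DOMAINS:
        t_label, _ = split_domain(trusted)
        if d_label == t_label:            # e.g. ubiquiti.co
            return f"TLD swap of {trusted}"
        if t_label in d_label:            # e.g. ubiquiti-finance.com
            return f"embeds {trusted}"
        if levenshtein(d_label.translate(HOMOGLYPHS), t_label) <= 2:  # ubiq1ti.com
            return f"near miss of {trusted}"
    return "external"


def _domain_of(header_value: str) -> str:
    _, addr = parseaddr(header_value)
    return addr, addr.rpartition("@")[2].lower()


def inspect_message(raw: str):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    domains = {}
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        addr, domain = _domain_of(value)
        domains[header] = domain
        reason = classify_domain(domain)
        if reason and reason != "external":
            findings.append(f"{header}: {addr} is a {reason}")
    # A reply goes to Reply-To, not From; a mismatch is the classic BEC trick.
    if "Reply-To" in domains and domains["Reply-To"] != domains.get("From"):
        findings.append(
            f"Reply-To domain {domains['Reply-To']} differs from From domain {domains.get('From')}"
        )
    return findings


# Constructed sample messages; none of these addresses are real.
SAMPLE_SPOOF = """From: "Jane Doe" <jane.doe@ubiq1ti.com>
To: payments@ubiquiti.com
Subject: Urgent wire - confirm account details

Please reply with the account number and your login so I can verify the transfer.
"""

SAMPLE_REPLYTO = """From: "CFO" <cfo@ubiquiti.com>
Reply-To: cfo@ubiquiti.co
To: payments@ubiquiti.com
Subject: Re: supplier payment

Send the updated beneficiary details to this address.
"""

SAMPLE_CLEAN = """From: accounts@supplier-example.net
To: payments@ubiquiti.com
Subject: Invoice 1042

Invoice attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoof", SAMPLE_SPOOF), ("reply-to", SAMPLE_REPLYTO), ("clean", SAMPLE_CLEAN)):
        print(name, inspect_message(raw) or "no findings")
```

In production the trusted set would be the organization's real domains and the check would sit in the mail gateway or a mail-flow rule, tagging or quarantining rather than printing; the point is that both of the example addresses from the article, and the Reply-To mismatch, are catchable without relying on a busy employee to notice.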

“Federal investigators say the so-called “business email compromise” (BEC) swindle is a sophisticated and increasingly common scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”

According to Krebs’ FBI blog post, the agency has urged businesses to “adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media.”

Companies should also explore the extent to which they can empower, train and arm their own employees to help in the fight against cybercriminals who use email as their way in. Cisco, for example, suggests ongoing training for employees that could include sending out a daily security tip (or subscribing to the SANS “Security Awareness Tip of The Day”).

Email is a valuable workplace tool, and it certainly isn’t going anywhere any time soon. Companies should identify and understand email-related cyber-risks, however, and work diligently in concert with their employees to protect against these risks and help to secure the organization from bad actors.