The latest email scam is a spoofed email requesting a wire transfer, commonly called business email compromise (BEC). The attacker first researches the company website and public email addresses to identify the CEO and the accounting staff. In some cases the CEO's email account is actually compromised. In other cases the message is sent from a legitimate account (we have seen Gmail used) with the sender address or display name forged so it appears to come from the CEO. It can start as a simple email asking whether the recipient has time for a quick wire transfer, or it can be an outright order to transfer funds, with the account details for the transfer included.
This scam is very successful because it is a targeted attack rather than a mass mailing, which lets it bypass most spam systems. It also contains no malicious content, no attachment and no link, just a request for an urgent wire transfer.
This leads clients to ask how they can protect themselves from this fraud. With email now a business necessity that must be available anytime and anywhere, this is a daunting challenge. Email is reachable through webmail portals exposed to anyone on the Internet, and on cell phones and other mobile devices. Simply cutting off external access is not an option.
As with most security threats, a multi-layer approach is necessary. Viyu recommends reviewing the following practices and policies in your company.
First and foremost, this is not entirely an IT problem. Viyu does business with many CPA firms in the area, and this is a big concern for their business as well. A CPA client we spoke with emphasized that business processes involving the transfer of funds must be mandated by the company: a wire transfer should never be requested, or approved, on the strength of an email alone. Would you email your Social Security Number, banking information or credit card information? If so, stop reading, I can’t help you. Your first step should be reviewing your accounting practices and ensuring you have proper safeguards against identity theft and unauthorized transfers, such as confirming every transfer request by phone on a number you already have on file. Even with proper protection, we have seen users targeted from email addresses that are just a little off (company.com as conpany.com). No filter reliably catches every lookalike address, so you must have proper accounting policies.
Review your spam filter protection. A good spam filter can blacklist your own email domain on externally received mail, so that a message arriving from the Internet with a sender address in your domain is rejected. If you enforce this, first check for external systems that legitimately send email to your users as your domain. For example, a hosted website or other outside service that sends mail to your users from an address in your own domain will need its server's IP address added to the exclusion list of the blacklist. Keep that exclusion list to the specific sending servers; a broad exclusion recreates the hole you are closing.
Use a hosted spam filtering system. An external spam filtering service receives your email and scans it before it reaches your system. This lets you set your firewall to accept inbound email connections only from the service's servers, which keeps attackers from reaching your mail server directly from the outside. A good service will also include outbound filtering: you configure your email server to relay outbound mail through their systems, which scan for content such as credit card and Social Security numbers. Shameless plug alert! Viyu’s hosted spam filter offers all of these services as well as email archiving and encryption.
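The following is an added example, not Viyu's filter or any product's code, showing the gateway checks the two paragraphs above describe: rejecting mail from the Internet that claims your own domain unless the source is on the exclusion list, quarantining a sender domain one typo away from yours (the conpany.com case from the accounting discussion), and quarantining an executive's display name on an outside address (the Gmail case from the opening). It assumes example.com is your domain, that 203.0.113.10 is the hosted website allowed to send as that domain, and that "Jane Doe" is the CEO; all sample messages are constructed.

```python
"""Gateway checks for spoofed own-domain mail, lookalike domains and
impersonated display names. Added example; every value below is an assumption."""
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                      # assumption: our own mail domain
ALLOWED_EXTERNAL_SENDER_IPS = {"203.0.113.10"}  # assumption: the hosted website
EXECUTIVES = {"jane doe"}                       # assumption: names the scam impersonates


def levenshtein(a, b):
    """Edit distance: one substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(raw_message, source_ip):
    """Decide what to do with a message that arrived from the Internet from source_ip.
    Internal-to-internal mail never passes this point; only outside mail does."""
    msg = email.message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Our own domain on mail from outside: reject unless the source is excluded.
    if domain == OUR_DOMAIN:
        if source_ip in ALLOWED_EXTERNAL_SENDER_IPS:
            return "accept"
        return "reject: external mail claiming our own domain"

    # 2. A domain one typo away from ours (conpany.com for company.com).
    if domain and levenshtein(domain, OUR_DOMAIN) == 1:
        return f"quarantine: lookalike domain {domain}"

    # 3. An executive's name as display name but an outside address.
    if display_name.strip().lower() in EXECUTIVES:
        return f"quarantine: executive name on outside address {addr}"

    return "accept"


# Constructed sample messages (not real traffic)
SPOOFED = "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Quick wire\n\nDo you have time for a quick wire transfer?\n"
LOOKALIKE = "From: Jane Doe <jane.doe@exanple.com>\nTo: ap@example.com\nSubject: Wire today\n\nPlease wire the amount below.\n"
FREEMAIL = "From: Jane Doe <jane.doe.ceo@gmail.com>\nTo: ap@example.com\nSubject: Urgent\n\nI need a transfer done now.\n"
VENDOR = "From: Billing <billing@vendor-example.net>\nTo: ap@example.com\nSubject: Invoice 1042\n\nAttached.\n"
WEBSITE = "From: Web Forms <forms@example.com>\nTo: sales@example.com\nSubject: Contact form\n\nNew inquiry.\n"

if __name__ == "__main__":
    samples = [("spoofed", SPOOFED, "198.51.100.7"), ("lookalike", LOOKALIKE, "198.51.100.7"),
               ("freemail", FREEMAIL, "198.51.100.7"), ("vendor", VENDOR, "198.51.100.9"),
               ("website", WEBSITE, "203.0.113.10")]
    for label, raw, ip in samples:
        print(f"{label:10s} {classify(raw, ip)}")
```

The lookalike and display-name rules quarantine rather than reject, because a legitimate vendor can have a similar domain and an outsider can share a name with your CEO; a person reviews the quarantine, which is exactly the review step the accounting policy should require anyway.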
Review the password policies and group policies on your network. Microsoft Active Directory provides Group Policy to enforce password requirements. Review the minimum number of characters required, the maximum password age, and the complexity requirements. You must keep users in mind when creating policies. A complex 16-character password that expires weekly may seem like a super secure idea, but it will lead to administrative nightmares and Post-it notes on monitors. A policy that meets the following requirements is a good starting point:
- Minimum password length of 8-12 characters. People will argue this point, but you must keep your users in mind (and it helps to keep them on your side).
- Require complexity, meaning three of the four available character types (uppercase letter, lowercase letter, number, special character).
- Enforce password history so users cannot cycle back to the same password every other month.
- Enforce a lockout policy. If a password is mistyped 3-5 times, lock the account out for 30 minutes to an hour at a minimum.
Enable failure auditing in the Windows audit policy. By default, Windows audits only successful logons. Change this to include failed attempts so the Security event log records failed logons, and monitor that log as part of your server maintenance plan. Read together with the lockout policy above, the failed-logon records tell you which accounts are being guessed and from which addresses.
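Once failure auditing is on, the log is only useful if someone reads it. The following is an added example, not part of the original post or any Viyu tool, of the monitoring step: it parses failed-logon records, flags an account whose failures would trip the 3-5 attempt lockout threshold within the lockout window, and goes one step beyond the text by also flagging a single source address trying many different accounts once each, which slips under a per-account lockout. The line format and the log itself are constructed for the example; real Windows event 4625 records carry the same TargetUserName and IpAddress fields but in the event's XML, so the parser would change, not the logic.

```python
"""Aggregate failed-logon records (Windows event 4625) to spot guessing.
Added example; the log format and contents are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed one-line-per-event format: timestamp, event id, the two fields we need.
LINE_RE = re.compile(r"^(\S+) 4625 TargetUserName=(\S+) IpAddress=(\S+)$")


def parse_failed_logons(lines):
    """Return (timestamp, account, source_ip) tuples sorted by time; other events are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3)))
    return sorted(events)


def has_burst(times, threshold, window):
    """True if `threshold` timestamps fall inside any sliding `window`."""
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_attacks(events, threshold=5, window=timedelta(minutes=30), spray_accounts=3):
    """Flag accounts hammered past the lockout threshold and sources spraying many accounts."""
    by_account = defaultdict(list)
    by_ip = defaultdict(set)
    for ts, account, ip in events:
        by_account[account].append(ts)
        by_ip[ip].add(account)
    findings = []
    for account, times in by_account.items():
        if has_burst(times, threshold, window):
            findings.append(("brute-force", account))
    for ip, accounts in by_ip.items():
        if len(accounts) >= spray_accounts:
            findings.append(("password-spray", ip))
    return sorted(findings)


# Constructed sample log: one account guessed repeatedly, one source trying three
# accounts once each, one user who simply mistyped twice, and a successful logon (4624)
# line that the parser must ignore.
SAMPLE_LOG = """\
2024-05-06T08:00:05 4625 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-06T08:00:09 4625 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-06T08:00:14 4625 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-06T08:00:20 4625 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-06T08:00:27 4625 TargetUserName=jsmith IpAddress=198.51.100.7
2024-05-06T08:00:30 4624 TargetUserName=jsmith IpAddress=10.0.0.5
2024-05-06T08:01:02 4625 TargetUserName=alice IpAddress=10.0.0.20
2024-05-06T08:01:03 4625 TargetUserName=bob IpAddress=10.0.0.20
2024-05-06T08:01:04 4625 TargetUserName=carol IpAddress=10.0.0.20
2024-05-06T09:15:00 4625 TargetUserName=dave IpAddress=10.0.0.31
2024-05-06T09:15:40 4625 TargetUserName=dave IpAddress=10.0.0.31
"""

if __name__ == "__main__":
    for kind, who in find_attacks(parse_failed_logons(SAMPLE_LOG.splitlines())):
        print(f"{kind}: {who}")
```

Set `threshold` to match the lockout count you chose and `window` to the lockout duration; the spray rule needs its own threshold because each account sees only one failure.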
Last and most difficult, educate users. Passwords are a necessary evil that only slow users down, so this can be an uphill battle. You can force password changes, but Group Policy does not stop users from rotating through Password1, Password2, and so on. The built-in complexity check rejects a password that contains the user's account name or display name, but not one built from the company name or other easily guessed words. A quick email with the following recommendations can go a long way with users:
- Never give your password to anyone.
- Do not use passwords you use for personal accounts on the corporate network.
- Avoid the use of your username, company name, birthday, kid’s names, etc.
- Never stick your password on your monitor (laugh, but if I had a dollar for every one). And as sneaky as it seems, under the keyboard is not a good place either.
- Encourage the use of sentences. A space is an accepted character in a password, and something as simple as “W1nners never quit!” is actually pretty secure.
- Direct them to report suspicious emails.
- Send out security notices. If you hear of a specific phishing attack, let them know to be on the lookout. (Hint -You might want to email your accounting department about this one now.)
These are just some simple recommendations for your network security. I have included some links at the bottom of this post for your review. Viyu would be happy to assist or answer any questions on the settings discussed in this blog.
Viyu Network Solutions monitors and maintains email systems for hundreds of clients. These email systems range from on-premises Microsoft Exchange to cloud-based systems such as Intermedia and Office 365. We offer hosting and spam protection for many of these clients. We also support clients who maintain their own systems and contract us for upgrades, patching and disaster remediation. Protection against malicious content and spam is an ongoing effort for Viyu.
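The recommendations in the user email above can also be enforced where Group Policy cannot express them, for instance in a self-service reset page or a change script that sees the new password in clear. The following is an added example, not part of the original post and not Windows' built-in password filter: it applies the length and three-of-four-class rules from the policy section, rejects the user's account name, parts of their full name and the company name, catches the Password1 pattern, and, when the old password is available at change time, catches Password1 turning into Password2. "acme" as the company name and the user names are assumptions.

```python
"""Password checks for the rules the user email above spells out.
Added example; the company name and sample users are assumptions."""
import re

MIN_LENGTH = 12          # upper end of the 8-12 range recommended above
COMPANY_WORDS = {"acme"}  # assumption: hypothetical company name


def character_classes(pw):
    """Count the classes present: upper, lower, digit, other (a space counts as other)."""
    return sum([any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def check_password(pw, username, full_name="", previous=None, company_words=COMPANY_WORDS):
    """Return a list of problems; an empty list means the password passes.
    `previous` is the old password, which a change form has when the user supplies both."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character types")

    lowered = pw.lower()
    # Account name, name parts of three or more letters, and company words may not appear.
    banned = {username.lower()}
    banned |= {t.lower() for t in re.split(r"[\s.,_-]+", full_name) if len(t) >= 3}
    banned |= {w.lower() for w in company_words}
    for word in sorted(banned):
        if word and word in lowered:
            problems.append(f"contains '{word}'")

    # A single word followed by a one- or two-digit counter and maybe a punctuation mark.
    if re.fullmatch(r"[A-Za-z]+\d{1,2}[!?.]?", pw):
        problems.append("dictionary word plus a counter (Password1 pattern)")

    # Password1 -> Password2: identical once every digit is stripped.
    if previous is not None and re.sub(r"\d", "", lowered) == re.sub(r"\d", "", previous.lower()):
        problems.append("same as or only the digits changed from the previous password")
    return problems


if __name__ == "__main__":
    for candidate in ["W1nners never quit!", "Password1", "Acme2024!Spring"]:
        print(f"{candidate!r}: {check_password(candidate, 'jdoe', 'Jane Doe') or 'ok'}")
    print(check_password("Welcome12!abc", "jdoe", "Jane Doe", previous="Welcome11!abc"))
```

The passphrase from the email passes every rule while a nine-character complex password fails two of them, which is the point worth making to users: length and unpredictability matter more than symbol count.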
Dax Wiseman – VP Engineering – Viyu Network Solutions