In a previous blog post, we told the story of a car dealership that had nearly lost thousands because a fraudster had gained access to the owner’s email via his Office 365 account. The problem had stemmed from the owner using his email password as the password for another site, and that site had subsequently been hacked.
In this article – another true story – we show how a company nearly lost a much bigger sum though another imposter attack. Again, the name of the business concerned has been changed.
The story begins with an exchange between Ian, the owner of an investment business, and his solicitor. Ian has been preparing to buy a small manufacturing firm in Yorkshire, which comes with a price tag of around half a million pounds. Ian has been discussing this for several weeks with his legal advisors.
Negotiations and the paperwork side of the acquisition have been progressing well and, by close of play on the Friday afternoon, pretty much everything has been agreed except the actual transfer of funds.  Ian leaves for home that evening happy that everything is on track.
The next morning, however, Ian receives another email. It is from his solicitor, writing with some last minute questions about the details of the contract.
Now, with all due respect to solicitors, the fact that Ian’s adviser seems to be working at 9:15 on a Saturday morning triggers a warning in his mind, and he contacts AMP to ask if we’d mind taking a look at the recent exchanges. Naturally, we oblige.
At first glance, the exchanges all look legitimate. They refer to recent conversations that Ian recalls having with the adviser in question, so he has no doubt that they’re authentic.
Except that they aren’t.

Spotting the Imposter

When we examined the email exchanges, we soon spotted an important inconsistency. Let’s imagine that the accountant in question is called OpenGateLaw, (the name is fictional)  and their domain is therefore something like OpenGateLaw.co.uk.
Ian had been working with the company for years and had previously received countless legitimate emails from Commercial@OpenGateLaw.co.uk. The latest emails looked no different.

Here’s what he saw in the ‘from’ field of his emails:

But here’s what he should actually have seen;

So what was going on?

When the two addresses are displayed close to one another like this, and when we know that the subject of this blog is ‘imposter emails’ the difference might be reasonably obvious to someone who carefully compares them. However, to someone who routinely received legitimate emails from the second address, the first address did not look at all suspicious, particularly since the content of the emails referred to conversations that Ian and the supposed sender had very recently had.

The attack was ingenious. The fraudster had discovered the investor’s email password and had managed to gain administrator-level access to his email software. This allowed him/her to read previous correspondence, to learn what business Ian was doing, and to learn the identities of all those with whom he had been exchanging emails.
This access also allowed the scammer to set rules in the email software, and this formed the basis of the attack.
  • Firstly, the scammer registered a fake domain name, substituting a zero for the capital O in the name of the law firm. He/she could now set up a new email identity and send emails from Commercial@0penGateLaw.co.uk.
  • Next, he/she set up a rule in Ian’s email software, which automatically redirected any legitimate email from the solicitor to the email account controlled by the scammer.
  • From here, the scammer was able to read, edit and send on any emails to Ian. Most would be left unchanged, so Ian and his solicitor would still be able to refer to email correspondence on the phone without becoming suspicious.
  • At the crucial time – i.e. when the final payment was ready for payment – the scammer planned to intercept the solicitor’s email and insert new bank account details.
The plan came worryingly close to succeeding. It was only the peculiar arrival of an email on Saturday morning that set the alarm bells ringing. Had the scammer been a little more patient, the ruse might have worked, and Ian could have lost half a million pounds.

Lessons for Businesses

The whole attack stemmed from the fact that the scammer had been able to gain access to Ian’s email account, which came with top-level permissions and, thus, the ability to set rules on his email software. Ian’s error had been to use his email password on a number of other systems and websites, and one of those platforms had been hacked.
Sharing passwords between different systems is never a good idea. We all have lots of passwords to remember but it’s important that email passwords in particular are unique, well protected and regularly changed.
Neither should email passwords be shared with other people; you know what safeguards you have put in place but you can never be sure how securely someone else is keeping your details.
We will address the question of password-setting in a future post.

Lessons for Solicitors

All businesses have a responsibility to take sensible precautions to defend themselves against cyber threats, but in this case, it would be reasonable to ask what the solicitor had done at their end to protect their clients against this sort of attack. Like accountants, solicitors often conduct work that involves large transactions and the communication of bank details. For scammers, they are an obvious target.
Happily, there are simple, low-cost measures that can help to prove that a message genuinely comes from the sender. A digital signature is one such measure. This is an email attachment, verified by a trusted third party, that proves that the contents  of a message genuinely come from the sender and have not been edited at any stage.  Various companies provide a digital signature service – some are even free for personal use – but they all add an extra layer of security. On the subject, Microsoft notes: ” Your digital signature, which includes your certificate and public key, originates from your digital ID. And that digital ID serves as your unique digital mark and signals to the recipient that the content hasn’t been altered in transit.”
As additional security measures, solicitors should:

  • use email encryption as a matter of course
  • have an effective firewall and anti-virus software in place
  • keep all software patched and up to date
  • ensure that staff undertake periodic safety awareness training

Two-Step Verification

More generally, it’s easy to give advice and say “always check the sender’s address carefully” but business people get lots of emails every day and we all know how quickly we sometimes need to act. The letter O can look like a zero, and a lower case L can often look like the number 1, depending on the typeface, so it’s easy to be misled. Rather than relying on human vigilance (which is always fallible), it’s better to use more effective security mechanisms, and one of these is two-step verification. The following is a note from another blog post on the subject of imposter emails, but it is worth repeating.
Two-step verification should be standard practice for all systems that a company wishes to keep secure.
This is simply a two-stage process that requires the user to use two separate authentication methods to prove their identity.
For example, he/she might have to enter a user name and password via their internet browser, which then prompts an SMS message to be sent to their phone. They have to reply to this as well before the process is complete.
Two-step, or two-factor verification is often abbreviated to 2FA
It’s an easy safeguard to set up, and in the example above, it would have prevented the attack altogether. As soon as the attacker had tried to access the investor’s email account, he/she would have come up against a second obstacle that would have prevented entry. What’s more, Ian would have received an alert on his phone and known that someone (not him) was trying to enter the system.
Companies often choose not to adopt two-step verification because it takes a little extra time to log into the protected system. However, the ‘nuisance’ value is very small and the added protection can be invaluable. Set against the risks of imposter attacks, it’s a measure that we at AMP would always recommend. It’s for precisely that reason that all our own systems are protected with multiple-stage verification.
If you would like further information about email protection and cyber security, please call us on 0800 368 7730.

%d bloggers like this: