There have been a number of news reports in recent days about people erroneously transferring large sums of money to fraudsters who have intercepted their email traffic. In one example, a woman received an email, supposedly from the agent handling the purchase of a house on her behalf, informing her that the previous email had given incorrect bank account details and asking her to send to an alternative bank account. Everything looked normal and only one letter of the email address of the fraudster differed from the correct one. By the time the crime had been discovered, the money had been divided up into offshore accounts.
But crimes like this are not limited to large sums of money. Even at the level of charities or small community organisations, fraudsters are cutting in on email traffic and misleading unsuspecting individuals into sending funds to alternative bank accounts. Tom Fairfax recently warned the public through his local newspapers in Northumberland but the advice remains true wherever you live.
A recent spate of attacks on email group lists in Northumberland has shown that even ‘low risk’ membership organisations are being exposed to potential fraud and only good cyber hygiene can defend an organisation.
Fairfax says: “There have been recent instances of local mailing lists belonging to ‘low risk’ membership organisations being compromised, exposing their members to attack by cyber criminals. In one Northumberland example, a request for annual subscriptions sent via an open email list was intercepted and false bank details passed to the group members, some of whom paid their (not insubstantial) annual subscription into the attacker’s bank account.
“People assume that once we know their bank details, we can track down the criminal. Sadly it may not be as easy as that; many attackers will use stolen account details belonging to a bank account which has been previously compromised (a ‘mule account’). Funds will then often be swiftly transferred out and through a network of different stolen bank accounts to cover the trail.
“The cyber-crime industry is huge (estimated at nearly twice the size of the global narcotics economy) and it’s not just big organisations who are vulnerable – vast databases of personal and small business’s personal and financial information are traded on the “dark web” and used to enable very real frauds. We all have a shared responsibility in making it harder for criminals to steal our information – we might be enabling them it to steal from others in our communities.”
If you are part of, or running, a mailing list – even a small one – there are a few simple steps you can take to make it harder to attack:
• Place your address list in the bcc box of the email address not the cc field. This means that recipients will not see it. It also means that any intercepted emails are harder to automatically turn into attack tools. If your list is very big, you may increase the likelihood of your email being swept up by spam filters, in this case…..
• Consider using a credible email distribution tool like mail chimp or google groups. These will also make it easier for owners and members to manage the list and reduce the likelihood of attack.
• Don’t send sensitive information over a list – once an email is sent – it is in the wild – you have no control. If one of your members has been compromised (statistically probable for any list with more than half a dozen members), your information is out there. As a rule of thumb, if you wouldn’t put it on a public noticeboard, then think carefully about how you send it by email.
• Ensure that any machine used to manage the list is properly protected by the appropriate, up to date, security software. This makes it a tougher (though not impossible) nut to crack for the criminals.
• Encourage all list members to ensure that their systems are properly protected with up to date firewalls and anti-virus software and that all system updates are applied.
• If you must send important information, then put it in a PDF attachment with a recognisable letterhead. This makes it harder (not impossible) to subvert.
• Be aware of your responsibilities under the data protection act (we will deal with this in detail under another BLOG article).
• Ensure all members are aware that an email list in clear view will always be at risk – and apply common sense when acting on email contents… a combination of common sense and sensible cyber hygiene are our best defence.
Fairfax says: “We must always be aware that however useful the cyber environment is, that we are not alone in it – and if we fail to take basic measures to protect ourselves, we will become a resource that is farmed as a commodity by the criminal community.”