Daren Oliver, cyber security expert and Managing Director of Fitzrovia IT, explores whether fraudulent emails are getting more difficult to identify and if email communication should be limited for those working in security-sensitive sectors.
Email has changed the face of human interaction, overtaking the telephone as the number one method of personal and professional information exchange. By the end of 2017 there are estimated to be 4.9 billion email accounts worldwide, with business email accounting for 929 million of those mailboxes: a veritable hunting ground for cyber criminals.
As inboxes become more flooded, individuals will naturally screen each email, picking and choosing upon sight who to reply to, based on recognition and associated content. But what has this meant for fraudulent activity?
The job of the cyber criminal has become harder over the past few years, demanding an increasingly sophisticated and clever approach. Criminals traditionally relied on ‘flood them fast’ distribution: blasting spam at huge numbers of inboxes, purporting to come from businesses such as banks. Awareness campaigns run by those businesses have helped to tackle the problem, and many quick-thinking consumers have grown savvy enough to refuse to click on unsolicited links.
As a result, cyber criminals have turned to social engineering, supported by realistic-looking spoof emails, to dupe their targets. These range from ‘links’ to incredible deals from well-known retailers to messages from trusted contacts in which the sender’s address has been adjusted so subtly that it appears legitimate. So convincing are these emails that it is now being asked whether organisations handling sensitive data, such as governments, should be using email at all, and whether a more secure method of communication should be adopted.
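The ‘subtly adjusted sender address’ trick described above is mechanical enough to screen for before a human ever sees the message. The following is an added example, not code from this article or from Fitzrovia IT: it parses a From: header, reduces the sender domain to a ‘skeleton’ in which visually confusable characters collapse to their ASCII look-alike, and compares that skeleton against a trusted-domain list using an edit distance that also counts adjacent transpositions. The trusted domains, the confusable table and the sample headers are all constructed for the illustration.

```python
"""Flag lookalike sender addresses in From: headers.

Added illustrative example, not code from the article or from Fitzrovia IT.
TRUSTED_DOMAINS, CONFUSABLES and the sample headers are constructed for the demo.
"""
import unicodedata
from email.utils import parseaddr

# Assumed list of domains this organisation treats as trusted correspondents.
TRUSTED_DOMAINS = {"example.com", "bank-example.co.uk"}

# Visually confusable substitutions seen in lookalike domains. Deliberately
# small; extend it for your own threat model (Unicode TR39 has the full list).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "rn": "m", "vv": "w", "cl": "d",
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic r
    "\u0441": "c",  # Cyrillic s
    "\u0445": "x",  # Cyrillic x
}


def skeleton(domain: str) -> str:
    """Collapse confusable glyphs so 'examp1e.com' and 'ex\u0430mple.com' both
    become 'example.com'. Multi-character entries run first so 'rn' is handled
    before 'r' or 'n' could be."""
    s = unicodedata.normalize("NFKC", domain).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertion,
    deletion, substitution and adjacent transposition each cost 1, so the
    common 'exampel.com' typo is one edit from 'example.com', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of:
      'trusted'          address domain is a trusted domain or a subdomain of one
      'lookalike'        skeleton matches, or is one edit from, a trusted domain
      'subdomain-abuse'  a trusted domain is used as a label prefix (example.com.evil.net)
      'name-mismatch'    display name advertises a trusted brand, address does not
      'unknown'          none of the above (still untrusted, just not a known trick)
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Real mail carries internationalised domains in Punycode; decode so the
    # confusable table sees the actual glyphs.
    if domain.startswith("xn--") or ".xn--" in domain:
        try:
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    sk = skeleton(domain)
    for t in trusted:
        if sk == skeleton(t) or edit_distance(sk, skeleton(t)) == 1:
            return "lookalike"
        if domain.startswith(t + ".") or ("." + t + ".") in domain:
            return "subdomain-abuse"
    # e.g. "Example Support <help@mail-helpdesk.net>": brand in the display name only.
    brand_words = {t.split(".")[0] for t in trusted}
    lowered = name.lower()
    if any(w in lowered for w in brand_words) or any(t in lowered for t in trusted):
        return "name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    for hdr in ["Accounts <payments@example.com>",
                "Accounts <payments@examp1e.com>",
                "Accounts <payments@exampel.com>",
                "Accounts <payments@example.com.evil.net>",
                "Example Support <help@mail-helpdesk.net>"]:
        print(f"{classify_sender(hdr):16} {hdr}")
```

A verdict of ‘unknown’ is not an endorsement; it only means the sender is outside the trusted list and matches none of the modelled tricks. In practice you would run this on the envelope sender and the Reply-To header as well as From:, and treat SPF/DKIM/DMARC results as a separate signal, since a lookalike domain can pass all three for the attacker’s own domain.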
There is no outright answer to dealing with illegitimate emails and spoof spam. Cutting email out of the equation entirely is not realistic. Fraudulent activity can, however, be kept to a minimum and its impact mitigated by keeping software up to date and implementing well-planned, comprehensive backup strategies.
However, it is human beings who hold the key to the current cyber crime conundrum. Research by the Information Commissioner’s Office reported that 93% of the incidents it investigated at the end of 2015 were caused by human error. As fraudsters become more adept at devising ways to get past their targets’ instincts, spotting a spoof email will become nearly impossible. Nobody is immune.
Re-educating the workforce and raising awareness of cyber crime are essential. Regular testing and ‘digital fire drills’ for staff should be as much a part of a company’s strategy as its sales and marketing plans. ‘Friendly phishing expeditions’, where staff are sent spoof emails at random to test their reactions, are one way of ensuring there are no chinks in your employees’ armour. Only once cyber crime awareness officially becomes part of company policy will we gain some control over the current vulnerabilities.