Email fraud could cost your company millions – here’s how to avoid it

The world is full of criminals seeking to gain funds by illicit means; whether that comes at the expense of someone innocent is inconsequential. We all know of someone who has fallen prey to scams. Most often it’s a Nigerian prince promising to share his fortune if the cost of the sketchy transaction fee is simply covered. The supposed prince is never heard from again once the money has been deposited via Western Union. Then there are phishing scams in which hackers pretend to be a service provider or bank, requesting important information because your account is currently at high risk of fraud or there are problems with your logins. The hackers then swindle you and commit that very crime you thought was being prevented. Recently, companies are being advised to keep an eye out. Crafty criminals are creating counterfeit credit scams to siphon money from businesses that believe they are performing legitimate transactions. The money is not sent to the intended recipient but rather into the back pockets of a malefactor. This leaves the debtor short on cash and with an outstanding bill or, worse, insolvent. Generally, these latest forms of scams work using email fraud where a malicious individual pretends to be with the company that is owed money, often with large sums outstanding. Businesses are a greater target than individuals owing to their higher costs and greater cash flow. This article, written by Myles Illidge, was originally published on MyBroadband with insight on how to recognise and avoid email fraud as a business owner. – Ross Sinclair

E-mail attack costs company R100 million

By Myles Illidge

Email security is becoming an increasingly important aspect of business in South Africa, and in one instance, spoofing resulted in a company losing R100 million to a malicious actor.

In an interview with CliffCentral, e-mail security firm Sendmarc co-founder Sam Hutchinson revealed that a malicious actor’s spoofed email resulted in the funds being paid into the wrong bank account. They have not been recovered.

“The largest loss I have dealt with personally is R100 million. That’s like enough money to never have to work again, and it’s just done with email fraud,” Hutchinson said.

“R100 million paid into the wrong bank account, and the money was lost. Gone.”

He added that the two companies involved in the transaction were now in a legal battle with one another to recover the funds.

Hutchinson said that smaller companies aren’t any less likely to be attacked.

“Now, if we talk about the size of an organisation, I deal with conveyancing companies who are three lawyers, and they are losing home transfers, which can be millions of rands,” he said.

“These are small companies using large amounts of money.”

Hutchinson mentioned that the smallest company he had worked with — a two-person travel agent — had their domain impersonated by an attacker, resulting in a school paying funds for a hockey tour into the wrong account.

“The whole under 16A hockey team didn’t go on tour,” he added.

Malicious actors undertake email spoofing to gain sensitive information or hijack transactions by impersonating organisations using forged email addresses.

Hutchinson explained that one of the best ways to prevent being caught out by email spoofing attacks is to implement Domain-based Message Authentication, Reporting and Conformance (DMARC).

“If you look at the Gartner Security Report of two or three years ago, they said that email is one of the top five attack vectors for an organisation,” he said.

“If you look at organisations like the Hague … they say that DMARC is one of the top three things that an organisation must implement of any size.”

DMARC is an email validation system used to protect the domains of organisations from being used for email spoofing, phishing, and other cybercrimes.

Hutchinson explained that DMARC is particularly useful because whether any organisation has implemented it can be looked up globally, and 50% of JSE-listed companies in South Africa have not implemented DMARC.
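As an added example (not code from the article, MyBroadband or Sendmarc), here is the kind of check that lookup involves: parse a domain's DMARC record and grade how much spoofing protection its policy actually gives. The domain names and records are constructed; in practice the record text comes from a DNS TXT query for `_dmarc.<domain>`.

```python
# Added example, not from the article or Sendmarc: parse a DMARC TXT record
# and grade how much spoofing protection it actually gives a domain.
# In practice the record text comes from a DNS TXT query for _dmarc.<domain>;
# here the records (and domains) are constructed inline so the script runs offline.
RECORDS = {
    "unprotected.example": None,  # no record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "broken.example": "v=spf1 include:_spf.broken.example -all",  # SPF text wrongly placed at _dmarc
}

def dmarc_lookup_name(domain: str) -> str:
    """DMARC policy lives at a fixed subdomain: _dmarc.<organisational domain>."""
    return "_dmarc." + domain.strip().rstrip(".").lower()

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def subdomain_policy(tags: dict) -> str:
    """'sp' sets the policy for subdomains; when absent they inherit 'p'."""
    return tags.get("sp", tags.get("p", "")).lower()

def assess(txt):
    """Grade a record: missing, invalid, monitor-only, partial or enforcing."""
    if txt is None:
        return "missing"  # receivers apply no policy at all
    tags = parse_dmarc(txt)
    if not tags or "p" not in tags:
        return "invalid"  # 'v' and 'p' are mandatory tags
    policy = tags["p"].lower()
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if policy == "none":
        return "monitor-only"  # reports only; spoofed mail is still delivered
    if policy in ("quarantine", "reject"):
        return "enforcing" if pct == 100 else "partial"
    return "invalid"

if __name__ == "__main__":
    for domain, txt in RECORDS.items():
        print(f"{dmarc_lookup_name(domain):30} {assess(txt)}")
```

Only "enforcing" means receivers are told to reject or quarantine mail that fails authentication; a domain with no record or p=none is still freely spoofable.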

“DMARC is the global technical standard that stops attackers sending mail from you,” he said.

However, even though half of JSE-listed companies haven’t implemented DMARC, South Africa is making better progress than the EU and the US.

“If we look at the EU: 70%, if we look at the US: 72%. So, South Africa’s actually doing pretty well,” Hutchinson said.

Hutchinson said that he had noticed that specific sectors, such as mining and manufacturing, traditionally fall behind regarding their security measures, resulting in them being attacked a lot.

“[Regarding] certain sectors, it’s just traditional that their security is not necessarily up to scratch. We see it in some of the industrials and the manufacturing, the security has almost been an afterthought, and they actually get attacked a lot,” he said.

“I see the mining sector getting attacked a lot because they have such huge transaction amounts,” he added.
