As a self-proclaimed technologist (or maybe just an IT geek), I'm always intrigued to see how the IT security industry is evolving. Often when I’m visiting both existing and potential customers, questions come up about the future of email: Will it continue to dominate business processes? Or will it be replaced? Are the security concerns around email really as big as many industry analysts claim?
Without question, any email user is aware of, and has probably experienced, issues caused by spam and malware. No matter how good your protection is, these inbound emails will still get through the net. It is a real and present problem, if not a massive inconvenience for those targeted.
However, what about the security of outbound emails? I think it’s fair to say that the majority of people aren’t really aware of threats to the emails they send.
I’ve understood the risks posed to unsecured outbound email for a long time, with analogies like ‘plain text email is as secure as a postcard’ often bandied about. Until now, however, I hadn’t heard a first-hand account about real-world threats.
A close encounter
A good friend of mine, a partner in a prestigious City law firm, called last week to ask for advice. Working in the firm’s property division, he deals with many high net worth clients on regular property purchases and sales. On this occasion, he was finalising the purchase of an apartment for a particularly important client, and using mainly email correspondence, they were on the verge of completing the transaction.
My friend then went on holiday for a couple of weeks, and on returning to the office, received a rather irate and mystifying phone call from his client, demanding to know what the urgency was for the deposit for the flat to be made. Needless to say, my friend had no idea what his client was talking about – but in getting to the bottom of the situation, he unravelled an alarming tale of attempted deception.
Shortly after my friend had gone on vacation, the email trail between him and the client had been hacked. Understanding that a large purchase transaction was imminent, the hacker was then able to impersonate my friend, jumping into the existing email chain and replying without drawing attention to himself.
The target was the large sum of money that the client would be transferring as a deposit for the property. So the hacker constructed an intricate plan to convince him that there was some urgency to have the deposit transferred to the firm’s bank account. However, the hacker supplied new details, insisting that the usual account was currently unusable as it was under investigation following suspicious activity.
The hacker continued to pressure the client to transfer the funds ASAP. Although the client thought this strange, to all intents and purposes the correspondence appeared genuine, with the hacker understanding the intricate details of the transaction in question, as well as the emails being written in a similar style. Thus the client set the wheels in motion to transfer the money; however, when informed that the process would take a couple of days, the hacker replied to again stress that it be made immediately.
It was at this point that the client smelt a rat and called my friend to enquire why the funds needed to be transferred so urgently, which is when the whole story started to unfold. Luckily in this instance, disaster was narrowly avoided and the client’s email address was immediately taken offline.
An ongoing threat
So, why do I find this story so fascinating? Well, this is the first time that I have personally witnessed a clever and targeted attack for large financial gain through email hacking.
We’ve all seen phishing emails where individuals claim to be related to ‘your Great Uncle Percy’ that advise you to immediately transfer a few thousand pounds to release your rightful inheritance; however, until now, I had never seen an example of anyone intercepting and joining an existing email correspondence. Having read the emails, there are a few suspicious signs, but on the whole, they were very cleverly crafted – and the plan only fell apart due to the hacker’s impatience.
This is obviously quite worrying for anyone using plain text emails to share confidential information – and hackers like these are surely only going to improve on where they went wrong last time.
I guess the real question is: Are you confident that your email correspondence is protected from prying eyes? If not, could you be next?