Without question, any email user is aware of, and has probably experienced, issues caused by spam and malware. No matter how good your protection is, these inbound emails will still get through the net. It is a real and present problem, and a massive inconvenience for those targeted.
However, what about the security of outbound emails? I think it’s fair to say that the majority of people aren’t really aware of threats to the emails they send.
A close encounter
My friend then went on holiday for a couple of weeks, and on returning to the office, received a rather irate and mystifying phone call from his client, demanding to know what the urgency was for the deposit for the flat to be made. Needless to say, my friend had no idea what his client was talking about – but in getting to the bottom of the situation, he unravelled an alarming tale of attempted deception.
Shortly after my friend had gone on vacation, the email trail between him and the client had been hacked. Understanding that a large purchase transaction was imminent, the hacker was then able to impersonate my friend, jumping into the existing email chain and replying without drawing attention to himself.
The target was the large sum of money that the client would be transferring as a deposit for the property. So the hacker constructed an intricate plan to convince the client that there was some urgency to have the deposit transferred to the firm’s bank account. However, the hacker supplied new account details, insisting that the usual account was currently unusable as it was under investigation following suspicious activity.
The hacker continued to pressure the client to transfer the funds ASAP. Although the client thought this strange, to all intents and purposes the correspondence appeared genuine: the hacker understood the intricate details of the transaction in question, and the emails were written in a similar style. Thus the client set the wheels in motion to transfer the money; however, when informed that the process would take a couple of days, the hacker replied to stress again that it be made immediately.
It was at this point that the client smelt a rat and called my friend to enquire why the funds needed to be transferred so urgently, which is when the whole story started to unfold. Luckily in this instance, disaster was narrowly avoided and the client’s email address was immediately taken offline.
An ongoing threat
We’ve all seen phishing emails where individuals claim to be related to ‘your Great Uncle Percy’ and advise you to immediately transfer a few thousand pounds to release your rightful inheritance; however, until now, I had never seen an example of anyone intercepting and joining an existing email correspondence. Having read the emails, there are a few suspicious signs, but on the whole, they were very cleverly crafted – and the plan only fell apart due to the hacker’s impatience.
This is obviously quite worrying for anyone using plain text emails to share confidential information – and hackers like these are surely only going to improve on where they went wrong last time.
I guess the real question is: Are you confident that your email correspondence is protected from prying eyes? If not, could you be next?