There have been many incidents reported by members where email has been compromised, with the end result that financial correspondence is intercepted and money is ultimately transferred to fraudulent accounts.
The chance of getting the cash back is slim at best. The targets are no longer the home user and a few hundred dollars. Rather, they are large operations that deal with transactions in real estate, stock and other high-value areas.
The process starts with a user accidentally divulging their email account details, usually through an email received from a known source that provides a download link for a document. The link requests your email address and password, not unlike the following image:
If the correct login details are entered and no other security protections are in place, you have just allowed hidden access to your emails.
If you're on an Exchange-based system, that means all email data, including contacts, appointments and tasks, is also visible. The attacker can therefore quickly build an accurate profile of you, including how and with whom you communicate.
This could go on for weeks, and when the emails indicate a large transaction is pending, that's when they strike.
However, you will not be aware of this because, after entering your details, you were directed to a random page (such as an online shopping site) that distracts you from what just happened!
So, how to reduce the risk?
2LA / 2FA
Second-level (second-factor) authentication is the primary way to prevent third-party access: for example, if email details are entered, a separate confirmation is required before that login is allowed to proceed.
This confirmation is usually received via mobile in the form of:
- A 6-digit code by text message
- A phone call which reads out the code
- An authenticator app that provides either an authorise button or the 6-digit code.
(If you use online accounting packages such as Xero you will already have used this process to login.)
(Implementing 2LA/2FA in Exchange is a reasonable-size job, especially if multiple devices of varying ages and software versions are involved. It can take 45 minutes and longer per email address to get this done.)
These security measures do a great job. However, if the person receiving the confirmation message is not aware of the process, they could still inadvertently authorise illegal access by approving a login they did not initiate.
Therefore, education is your most important defence to help prevent becoming a victim of these scams.
More than ever, a lot of pressure is falling back on those paying the accounts, so below are some suggestions about what can be done to help protect those transactions:
- It is imperative that any account changes are verified over the phone, on a phone number that you source yourself and not from information provided in an email!
(Just in case that information has also been compromised.) For small business, we do in the majority of cases know the person on the end of the phone, and probably their voice as well.
In many cases it's back to the old days of communication!
- NEVER rely solely on an email or letter received that advises of a change to account payment details!
Again, call the supplier, confirm the details and make a record of that process. It is easy to send an email that looks like it's from someone else! It's even easier if they're using your account to do it!
The protection of your business now comes down to education, for example:
- Letting staff know the above information and what to be aware of
- Reviewing payment processes, especially for the larger accounts requiring payment
- Implementing 2LA where possible. Not just on email but on anything to do with business information, including accounting packages, data management systems, CRM etc.
2LA can be like having a security code on your phone – at the very least inconvenient and at worst a pain in the backside. But it's something that should be considered and implemented.
Information provided by Dan Hayes from In2It Information Technology
O: 08 8762 4587
Naracoorte, South Australia