Directives by email? Think twice …
Recently, I watched one of my favorite mini-series, Band of Brothers, which describes the (mostly) real exploits of the 101st Airborne Division during WWII. There’s a funny scene (and funny scenes were in short supply) where, during a training mission, one of the characters pretended to be a general, yelling a command from behind a bush to the officer in charge of the platoon. This particular officer, Captain Sobel, was distrusted by the men, and his acting on the prank command helped undermine Sobel’s reputation with Command.
I thought about this episode when I read the Krebs on Security post entitled Spoofing the Boss Turns Thieves a Tidy Profit. In this post, Brian Krebs describes an administrator by the name of Judy, who received an email from her boss telling her to wire $315,000 to a supplier ASAP. Though she started the process, she was bothered by the “tone” of the email, went back and examined the message, and determined that it wasn’t from her boss. It turns out that someone had registered a domain name that was one character different from the company’s domain name. It looked OK until examined more thoroughly. Fortunately, she was able to pull back the wire transfer: no harm, no foul.
In this case, the goal was a wire transfer. The more common goal is phishing. Periodically, I’m sure you’ve seen an email from a friend that says something like “Check this out!” and gives a URL. You click on the URL contained within the bogus message and end up with malware on your computer. This is the way many of the major corporate security lapses begin: someone acts on a bogus email message.
Vigilance and good policies can help reduce the impact of these false emails. Judy’s life would have been much easier if she’d called the sender to get verbal confirmation of the wire request. Many companies are adding verification steps to the process of issuing payment.
For the individual, always take a second look at every email that asks you to do something, particularly clicking a URL. Is the tone consistent with the sender? Is the sender’s email address correct? For an email from a “corporation” (e.g. American Express), is the URL correct? Frequently, the link text will look OK, but the underlying address itself is wrong … hover over the URL to see the real address.
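The two checks above (is the sender’s domain really ours, and does the link go where its text says it does) can be automated for a mail filter. The following is an added example written for this post, not code from the Krebs article or from any product; the trusted domain list, the sample message and the lightweight anchor-tag regex are my own assumptions.

```python
import re
from urllib.parse import urlparse

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender, trusted, max_dist=1):
    """Trusted domain that the sender's domain nearly (not exactly) matches, else None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return None if domain in trusted else next(
        (t for t in trusted if edit_distance(domain, t.lower()) <= max_dist), None)

# Lightweight <a href="...">text</a> extractor; adequate for email bodies, not a full HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def mismatched_links(html):
    """(visible text, real host) for links whose text looks like a URL but whose
    href goes to a different host: the mismatch that hovering over the link reveals."""
    out = []
    for href, inner in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        if not URL_LIKE.fullmatch(text):
            continue  # plain link text such as "Check this out!" gives nothing to compare
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        real = urlparse(href).hostname
        if shown != real:
            out.append((text, real))
    return out

# Constructed sample (not from the post): a link whose visible text names one host
# while its href quietly points at another.
SAMPLE_HTML = ('<p>Please review your account at <a href="http://americanexpress.example.net/">'
               'https://www.americanexpress.com/</a> today.</p>')

if __name__ == "__main__":
    print(lookalike_domain("boss@examp1e.com", ["example.com"]))  # example.com
    print(mismatched_links(SAMPLE_HTML))  # [('https://www.americanexpress.com/', 'americanexpress.example.net')]
```

A distance of 1 catches the single-character swap in the story; raise `max_dist` cautiously, since unrelated short domains start to collide.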
Finally, always type URLs by hand. Do not follow them from the email.