Email-Borne Cyber-Attacks in the Financial Sector

By Patrick Peterson, CEO, Agari

2014 was a banner year for cybercriminals, who targeted consumers with major malware, advanced persistent threats (APTs), and phishing email attacks across a variety of business sectors. Sadly, given today’s hackers have the time, energy and resources needed to design imposter or falsified emails to extract financial information from unsuspecting employees or customers – whether itsaccount numbers, passwords or other personally identifiable data – there can be little doubt that phishing campaigns will continue with fervor to be a primary attack vector in the year ahead.

Industrial-scale espionage cyber-attacks are typified in public memory by huge cases like those that compromised Sony in recent weeks – but, the important thing to note is that each of these campaigns, like many others before and since, began with an email. The unfortunate truth is that email was created with a fundamental flaw – anyone can send an email using someone else’s identity – and perpetrators of cybercrime are exploiting this weakness.

Patrick Peterson CEO Agari

The design flaws in the basic architecture of the internet can be twisted to a hacker’s advantage, manipulated to send email from what looks to be a legitimate domain – usually a “.com” return address that appears to be identical to those used by reputable businesses. To date, there have been considerable technological developments that stop people from impersonating ISPs or domain spoofing, but it still remains relatively easy to do.

The growth of digital marketing is also facilitating the use of email as an attack vector. Indeed, companies are spending record amounts of their marketing budget on reaching their customers via digital channels. However, while this can be hugely successful from a business perspective, customers can struggle to spot phishing emails when, for all intents and purposes, the message that has landed in their inbox looks like the real deal.Basic security intelligence has long been championed as a crucial way of protecting business infrastructure – whether it’s looking for unusual changes in URL hyperlinks or the anomalous use of certain names in email ‘from’ fields – as this can indicate if malicious activity is at work inside a business, or attempting to penetrate it. This is no longer enough.

Built upon the sort of data hackers can only dream of, financial institutions must become proactive protectors of their own reputation and move to the frontline in the fight against cybercrime. As a first step, deploying solutions that enable them to manage and gain visibility into how their domains are used, and by whom, is vital.A big positivecurrently taking place in the security industry, and one that might level out the playing field between hackers and business, is the rise of data analytics. With the ability to collect, store and mine mammoth quantities of data, big data has given the data protection community an unprecedented advantage in the fight against organised cyber-gangs. Now, by continuously analysing email data in real-time and having the capacity to detect malicious IP addresses and URLs, these cyber-attacks can not only be spotted well in advance and taken down, but their point of origin in the world can also be established. Interestingly, Gartner forecasted at the close of 2014 that ‘Context-based systems’ would be a key trend this year too.[1]

The technology to authenticate emails has been around for some time, but some companies have been slow to use it as specialist service providers sought sustainable business models. In our own piece of quarterly research, we discovered that only a select few financial organisations are starting to adopt all three-email security standards available to them – these are SPF, DKIM, and DMARC. SPF allows email senders to specify which IP addresses are allowed to send email from a given domain. DKIM complements SPF by giving email senders a way to digitally sign all the outgoing email, letting email receivers confirm that no changes have been made to the email since it was sent. Lastly, DMARC allows email senders to tell receivers when they should rely on DKIM and SPF for a given domain, and what to do when messages fail those tests. Only companies who implement all three standards can rest assured their brands aren’t been abused by hackers via the email channel. In the Q3 edition of the report, released in December 2014, we found that many European financial organisations are still not taking the necessary steps outlined above to protect their customers from email-borne phishing attacks. Indeed, a number of them are only implementing one or two of the email authentication standards readily available to them. It might come as some surprise to learn that the likes of SKY, Ladbrokes and Deutsche Bank are not progressing with any of the three.

Sustained cyberattacks on banks, retailers and governments will undoubtedly continue to drive investment growth in technologies designed to combat cybercrime, but if email remains one of the most exposed access points in the business network then efforts will ultimately be in vain. And, since email is likely to continue to be one of the most simple and immediate ways of reaching and staying in touch with customers in the future, ownership for defending customers from cyber attacks in this guise must fall to the business. Research time and time again shows that malicious emails damage a brand, erode customer trust, and impact a company’s bottom line. Things have to change. Forrester Research sum it up perfectly in its predictions for 2015: “If your customers don’t trust you to rigorously protect and genuinely respect their sensitive data, they’ll take their business elsewhere.”[2]

[1]http://www.gartner.com/newsroom/id/2867917

[2]https://www.forrester.com/60+Of+Brands+Will+Discover+A+Breach+Of+Sensitive+Data+In+2015/-/E-PRE7425