Email has become the normal communication corridor for most businesses. As a result, it is targeted more and more by fraudsters. We are not talking about junk mail or small-time scammers here, but about full-blown fraud involving large sums of money. The problem is that we tend to trust email subconsciously. For business-to-business communication, the solution is surprisingly simple.
Read your email
Amazingly, many people do not read ALL of an email, and our eyes naturally skip content that our brain “assumes” it recognises. This is exactly what fraudsters play on. They will request information, quotes, etc. from a domain that looks well known. Playing with domain names, you may get an email from “firstname.lastname@example.org” or “email@example.com”, where the domain is misspelt just enough that we may not pick up on it when we are busy or scanning through our daily dose of email. Be aware of these common misspellings, and don’t be afraid to Google a domain or look it up by copying the part after the @ sign and pasting it into your browser; a WHOIS lookup showing that the domain was registered only days or weeks ago is a strong warning sign. Often the websites are poorly designed or contain incorrect details. Some, however, are brilliant copies of the real sites, so a convincing website proves nothing. The more reliable check is to phone the actual company, on a number you already have rather than one taken from the suspect email, and ask them to confirm that they sent the request.
Man-In-The-Middle type misdirection
Sometimes the fraudsters have an email “tap”, typically an auto-forwarding rule planted in a compromised mailbox at your company or at a supplier, which copies each email to the fraudster’s mailbox as well. They then reuse the same wording, subject line and contacts as valid mail you have received, but once again change a small detail, usually the reply address or the bank details. This makes you think you are replying to a valid email as part of an ongoing conversation, when you are actually replying to a false address. Any change of bank account or payment instructions that arrives mid-conversation should be confirmed by phone on a known number, however legitimate the thread looks, and mailboxes should be audited periodically for forwarding rules that nobody remembers creating.
Business to business – building trust
The best way to build trust is to use public-key cryptography such as PGP. Two different properties are involved, and it pays to keep them apart: a digital signature, made with the sender’s private key, proves who wrote a message and that it has not been altered; encryption to the recipient’s public key only keeps the content secret. It is the signature, not the encryption, that makes mail hard to fake. Start with your internal mail. Have every employee generate a PGP key pair, share the public keys internally, and verify each key’s fingerprint in person or by phone before trusting it. Once keys are distributed, any internal mail that does not carry a valid signature is immediately suspect, and a request for someone’s key after everyone already has it should raise an alarm.
Spread the encryption…
Once it has become standard usage internally, the next step is to get suppliers, customers and other partners to join in. Any email with a financial or legal impact should be signed, and also encrypted if it is confidential; each party’s public key only needs to be exchanged once, with its fingerprint confirmed over a second channel such as a phone call. Inform partners that unsigned mail on such topics will be rejected, and get them to apply the same rule to the mail coming back to you. In this way it becomes very hard to defraud your company or your suppliers with “fake” email, because the fraudster would need a real sender’s private key, not just a lookalike address.
Get to know your contacts
Try to always deal with the same person or department for the same task. Build up a database of known and trusted contacts, and have your mail client flag mail from them so that an unknown sender stands out. Your email program will not be fooled by a misspelt domain or a “similar” address, because it compares the address literally, character by character. Two caveats: the flag only tells you that the address matches, not that the message really came from that mailbox, since a From header can be forged outright unless the sending domain publishes SPF, DKIM and DMARC and your mail server checks them; and a familiar display name in front of an unfamiliar address is a common trick, so look at the actual address, not the name.
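The lookalike-domain spotting from “Read your email” and the known-contact flagging described just above, written out as a small Python checker. This is an added example for this article, not code from the original page: the trusted-contact list, the homoglyph and confusable tables, the hypothetical domains (acme-supplies.com and friends) and the sample headers are all constructed for illustration. It does what a mail client’s literal comparison does (exact match marks a sender as known), then goes a step further and flags addresses that merely look like a trusted one, and it refuses to treat even an exact match as known when your own server’s Authentication-Results header says DMARC did not pass.

```python
"""Flag unknown and lookalike senders against a trusted-contact list.
Added example for this article; all names, domains and headers are constructed."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed trusted-contact list (hypothetical). In practice this comes from
# your address book or supplier database.
TRUSTED_CONTACTS = {"jane.doe@acme-supplies.com", "accounts@acme-supplies.com"}
TRUSTED_DOMAINS = {addr.split("@", 1)[1] for addr in TRUSTED_CONTACTS}

# Non-Latin letters that render like Latin ones (a small Cyrillic subset) and
# Latin letter pairs that read as a single letter in many fonts.
HOMOGLYPHS = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p"}
CONFUSABLES = {"0": "o", "1": "l", "|": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalise_domain(domain: str) -> str:
    """Fold a domain to what a hurried reader perceives, so that
    'acrne-supp1ies.com' compares equal to 'acme-supplies.com'."""
    d = domain.casefold()
    for seen, meant in HOMOGLYPHS.items():
        d = d.replace(seen, meant)
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for seen, meant in CONFUSABLES.items():
        d = d.replace(seen, meant)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches dropped, added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> tuple[str, str]:
    """Classify a From: header value as 'known', 'lookalike' or 'unknown'.
    'known' is the literal match a mail client makes; 'lookalike' covers
    confusable spellings, near-miss domains and a trusted address smuggled
    into the display name in front of an unrelated real address."""
    display, addr = parseaddr(from_header)
    addr = addr.casefold()
    if addr in TRUSTED_CONTACTS:
        return "known", addr
    if any(t in display.casefold() for t in TRUSTED_CONTACTS):
        return "lookalike", f"display name impersonates a trusted address; real sender is {addr}"
    if "@" not in addr:
        return "unknown", "unparseable address"
    domain = addr.split("@", 1)[1]
    if domain in TRUSTED_DOMAINS:  # right company, new person: still confirm by phone
        return "unknown", f"new mailbox on trusted domain {domain}"
    norm = normalise_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        trusted_norm = normalise_domain(trusted)
        if norm == trusted_norm:
            return "lookalike", f"{domain} reads as {trusted} (homoglyph/confusable)"
        dist = levenshtein(norm, trusted_norm)
        if dist <= max_distance:
            return "lookalike", f"{domain} is {dist} edit(s) from {trusted}"
    return "unknown", addr


def dmarc_result(auth_results: str) -> str:
    """DMARC verdict from the Authentication-Results header that your own
    receiving server added; 'none' if there is no such verdict."""
    m = re.search(r"\bdmarc=(\w+)", auth_results)
    return m.group(1).lower() if m else "none"


def classify_message(headers: dict[str, str]) -> tuple[str, str]:
    """An exact trusted address whose message did not pass DMARC may simply be
    a forged From header, so it is reported as 'unauthenticated', not 'known'."""
    verdict, detail = classify_sender(headers.get("From", ""))
    if verdict == "known" and dmarc_result(headers.get("Authentication-Results", "")) != "pass":
        return "unauthenticated", f"{detail} matches a trusted contact but DMARC did not pass"
    return verdict, detail


# Constructed sample headers for the demonstration.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@acme-supplies.com>",
     "Authentication-Results": "mx.yourco.example; dmarc=pass header.from=acme-supplies.com"},
    {"From": "Jane Doe <jane.doe@acme-supplies.com>",
     "Authentication-Results": "mx.yourco.example; dmarc=fail header.from=acme-supplies.com"},
    {"From": "Jane Doe <jane.doe@acrne-supplies.com>"},           # rn read as m
    {"From": "Accounts <accounts@acme-supp1ies.com>"},             # digit 1 for l
    {"From": "Accounts <accounts@acme-supplies.co>"},              # dropped letter
    {"From": "Accounts <accounts@\u0430\u0441me-supplies.com>"},   # Cyrillic a and c
    {"From": '"jane.doe@acme-supplies.com" <jd@mail.example>'},    # display-name trick
    {"From": "New Buyer <buyer@acme-supplies.com>"},               # right domain, new person
    {"From": "Someone <someone@unrelated.example>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, detail = classify_message(msg)
        print(f"{verdict:16} {msg['From']!r}: {detail}")
```

The edit-distance threshold of 2 is a judgement call: it catches the dropped or doubled letter and the swapped top-level domain that fraudsters favour, but with very short trusted domains it will also match unrelated names, so tune it per domain length or keep a small allow-list of legitimately similar domains. Anything reported as lookalike or unauthenticated deserves the phone call described above before money moves.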
Keep alert and double check. Remember that email can constitute legally binding correspondence, and a mistake may cost you or your company a lot of money.