It’s 4:20 p.m. on Friday. You’re looking forward to meeting your friends soon for happy hour at the local bar. Your boss is on vacation, and you’re caught up for the week. All is well. As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT. The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account. They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution. They helpfully provide the correct bank routing information and demand the payment be made today. Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change. The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.
Of course, you—the reader—already know the ending of this story. The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job. Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses.
Just one example
Wire fraud is just one of the many ways in which business email compromise can damage your company. Spoofed email addresses from executives, suppliers, attorneys, and partners have led to the release of PII, tax fraud, and theft of both money and intellectual property.
Why to annoy your boss
The employee in this scenario should have risked annoying his boss by contacting her directly. Even though the email sender appeared to know all about the vacation in Spain—easily discovered through Internet research, the “out of office” email auto-reply, and the boss’s postings on Instagram—red flags should have been raised at the urgency of the request and the attempt to preempt the employee from contacting his boss. Unfortunately, human nature being what it is, the employee may not have contacted the boss in any case, simply to avoid having the “mistake” discovered.
In the big picture, however, there are even more important reasons to annoy your boss: Who holds the most critical and valuable information about your company? Whose direction is most likely to go un-challenged? Who, by their position, is routinely allowed exemption from company policy regarding e-mail management and document retention? Who is most likely to have an easily-guessed password because they are too busy to remember a complex one? In essence, corporate executives represent the most vulnerable and uncontrolled endpoint for most organizations.
How to annoy your boss: speak truth to power
Technology to prevent email compromise can only accomplish so much. Yes, software tools can sometimes screen for or block nefarious messages coming from spoofed accounts or filter messages containing malware. They cannot, however, solve all social engineering challenges nor impose behavioral controls where they are unwanted.
- Have a frank discussion with your boss about why everyone, especially executives, must be subject to security controls. This includes password management, use of email (both personal and business), and focused training on the sometimes unique risks executives face.
- Acknowledge that important business information must be available to executives, but find ways, through process and technology, to protect that information, and to dispose of what’s obsolete.
- Help your boss understand that not only are they a high-value target, the example they set by their willingness to follow good security practices sets the tone for the company. If they care, their employees will care.
Raising these topics may well be the most valuable contribution you make to your company this year.