Amid the headlines and legitimate concern about massive data breaches, we too often overlook the danger of targeted fraudulent emails, and imitative domain names and websites.
Every day, companies are incurring significant damages from email spoofing, executive impersonation, and misuse of company trademarks and website content. As a report of the American Institute of Certified Public Accountants warns, the use of these techniques is on the rise and claiming victims even in sophisticated companies.
The FBI has reported that global business losses from email wire transfer schemes amounted to $2.3 billion in losses between October 2013 and February 2016. It is a serious risk, especially for large international companies.
How email spoofing works
These days, corporate-directed email frauds are far more sophisticated than the crude Nigerian emails that once duped ordinary people with promises of unexpected inheritances or rewards. Imitative fraudulent corporate emails look routine, ordinary, and dull, and are noteworthy only in that an urgent need for a payment or wire transfer is usually involved.
As an example, let’s think of a company named EYECO. Its logo is a stylistic eye, and its website is located at eyeco.com. EYECO does business internationally and is so big that its employees and customers don’t all know each other personally. A lot of company business is conducted by email.
Cyber fraudsters have researched EYECO and know they’re a ripe target. They’ll send out spoofed emails that look like they come from firstname.lastname@example.org and use EYECO’s familiar eye logo. They may register similar or misspelled domain names, like eyeeco.com, or eyecoservices.com, and use them in their emails. Often they have seen some of the company’s real emails, and use that knowledge to imitate familiar styles and formats — even dropping in some legitimate executive names.
The fraudsters may even go to the trouble of creating their own fake website on one of their imitative domains (e.g., eyecoservices.com), and reproduce the content of the real EYECO website there. (The open source language of the web, HTML, allows such easy copying of websites.) Then, when recipients of the fraudulent emails click on a provided link, they’ll see a familiar site, including the familiar company name and logo, and feel reassured that they can respond to the email.
Sometimes the fraudsters will imitate partners, affiliates, or subcontractors to EYECO, prominently using EYECO’s name, trademarks and familiar language on fake emails and websites, to entice loyal EYECO customers, or employees, into dealing with them.
The EYECO hypothetical may seem unbelievable, but we’ve seen every one of these elements employed in real cases. And the AICPA report, which focuses on what it calls “business email compromise,” provides a number of real case examples as well.
Combatting email attacks
Some preventative steps are obvious. Regular technology training and safeguards should be specifically tailored to these imitative threats. Employees should be instructed to refuse to bypass typical controls associated with payments, especially wire transfers. Technological controls can guard against malware (which can let the fraudsters into your system), and misleading email header data (which can help them fool your people). Suspicious domains can be blocked. And local encryption can be required for emails designed to initiate wire transfers.
When fraud attempts are discovered, cybersquatting remedies can be used to shut down use of misleading domain names. Copyright remedies, including takedown demands to intermediaries, can takedown imitative websites. And while most fraudsters operate abroad, in some cases civil or criminal actions may be advisable.
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property and Privacy/Data Use and Security groups.