Email is the first and favourite means of attack for cyber criminals. Each year they generate $26 billion from spoofing and phishing attacks, a large portion of the cybercrime industry. This is because 80% of organisations are still vulnerable to these sorts of attacks, and many fall for innocent-looking messages. Business email compromise (BEC) is an everyday reality, and South Africa now has the third-highest number of cybercrime victims in the world, costing about R2.2-billion annually.
Two industry leaders in cybersecurity announced a partnership in July to tackle email crime and are starting out with an essential education list of terms and tactics to watch out for. Sacha Matulovich, co-founder and Chief Strategy Officer at Sendmarc, explains: “Criminals get away with email crime due to the trusting nature of victims, savvy social engineering that creates the assumption that the emails they are receiving are authentic. This is because of a lack of awareness regarding phishing and spoofing scams. We intend to change that through education and protecting company domains.”
The company outlines four email impersonation attacks:
- Typosquatting: More often than not, when an email is received, users do a short scan to see who it is from. If the sender's name and/or the company domain name are recognised, the email is often assumed to be legitimate and taken at face value, but sometimes just one letter is different and is easily missed. This is a form of phishing.
- Display Name Spoofing: Forging an email is relatively quick and doesn’t require any coding skills. However, fake emails that hijack the names of employees and also mimic the formatting and unique language characteristics of the sender or company require more skill. Unfortunately, there are many websites that advertise how to forge a sender display name, and it takes just a few steps for anyone to create and send a fake email and take on the identity of the real person.
- Whaling: This type of attack specifically singles out people of high interest in an organisation, such as a CEO or CFO, to impersonate. This makes the trick more likely to work and has been seen to work in the case of the University of Mpumalanga.
- Phishing: A type of social engineering attack where an attacker poses as someone else, presenting as a legitimate source of questions/requests, to steal sensitive information.
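As an added illustration (not code from Sendmarc or IronTree), the first two items in the list above can be checked mechanically on the From header of inbound mail. The trusted domain, the staff directory and the sample headers below are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions): the organisation's real sending
# domain and a small directory mapping staff display names to addresses.
TRUSTED_DOMAINS = {"example.co.za"}
STAFF = {"thandi nkosi": "thandi.nkosi@example.co.za"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from(header: str, max_distance: int = 2) -> list[str]:
    """Return findings for one From header value; an empty list means clean."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Typosquatting: close to a trusted domain but not identical to it.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= max_distance:
                findings.append(f"typosquat:{trusted}")
    # Display name spoofing: a known staff name on an address that is not theirs.
    expected = STAFF.get(" ".join(name.lower().split()))
    if expected is not None and addr != expected:
        findings.append("display-name-spoof")
    return findings


SAMPLES = [  # constructed From headers
    "Thandi Nkosi <thandi.nkosi@example.co.za>",
    "Thandi Nkosi <thandi.nkosi@examp1e.co.za>",
    "Accounts <accounts@exarnple.co.za>",
    "Thandi Nkosi <ceo.office@freemail.test>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_from(s) or "ok")
```

DMARC authenticates the exact domain in the From address, so lookalike domains and borrowed display names need a check of this kind alongside it.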
Sendmarc employs DMARC protection, a technology protocol that verifies the source of an email and makes sure that only real emails ever reach an inbox, meaning that organisations are able to verify whether the emails they receive are legitimate and unaltered.
Initially, businesses were slow to adopt DMARC protection. Some were not aware of the problem, while others thought they were already adequately covered by their existing cybersecurity measures. Sadly, as businesses continue to be spoofed, companies have realised they need deep expertise and protection. DMARC policies went up 84% last year.
South African businesses, big and small, have experienced huge losses of up to R100 000 000, and some have come dangerously close. The University of Mpumalanga nearly lost R100,000,000 to fraudsters; had FNB not flagged a suspicious payment, it would have been too late by the time the fraud was noticed. A small travel agency had its domain impersonated by someone else, which resulted in a school paying sporting tour funds to the wrong account. Consequently, their U16A hockey team never went on tour.
Partnering with Sendmarc “allows us to offer a comprehensive cybersecurity package with a greater emphasis on keeping organisations safe all the time,” says Steve Porter, Managing Director of IronTree. “We are constantly striving to make sure we offer the best cyber security package on the market.”
“It seems only logical to protect against this sort of human error,” says Porter, “adding DMARC protection through Sendmarc will protect your company from these kinds of attacks,” he concludes.
For more information, contact [email protected] or call 0214193144.