auris - Fotolia

Manage Learn to apply best practices and optimize your operations.

How can enterprises prevent man-in-the-email attacks?

A new global email scam has cost enterprises millions. Expert Nick Lewis explains how to defend against man-in-the-email attacks with proper training and little technology.

The Internet Crime Complain Center recently issued a warning about the business email compromise scam. What is...

this scam, and how is this different from phishing? Are there other security measures that should be put in place to protect an enterprise?

The Internet Crime Complaint Center issued a warning about a man-in-the-email attack targeting businesses. Dubbed the "Business Email Compromise," the scam reportedly cost enterprises across the globe nearly $215 million in just over a year, targeting companies that work with foreign suppliers or perform wire transfer payments regularly.

The attack operates by the malicious actor either compromising an email account or creating an account similar to that of a legitimate business person who has the authority to either make financial transactions or instruct others to make financial transactions. Attackers are likely to target the specific person by searching an organization's website for the CFO, CEO or other executive that would have such authority.

A Business Email Compromise attack is essentially an extension of a general phishing attack except it requires convincing another person to make the financial transaction requested by the compromised account.

Enterprises can implement a couple of measures to protect the enterprise from such man-in-the-email phishing attacks.

One of the key security policies to put in place is dual control for approval of financial transactions. This would require an attacker to convince more than just the initial person to make the transaction; hopefully the second person would verify the order was legitimate or a scam.

In addition, using strong financial controls will help limit the risk of an individual mistakenly trusting a compromised account or from an individual directly committing fraud.

Unfortunately there are few technical controls to stop this type of attack other than verifying the email used was legitimate and not compromised. two-factor authentication and exercising caution when opening email links and attachments are crucial. Additionally, security awareness training for executives or financial staff must include something about verifying orders for financial transactions. The standard advice for detecting phishing -- like looking for poor spelling or grammar -- still apply, but are probably less effective in this scenario since a skilled attacker would look in the sent folder of compromised accounts in order to use the same language the account holder used in prior email transactions. More subtle clues might be available since the attacker is pretending to be someone the recipient actually knows, so be sure to ask yourself, "Would this person email me at this time or for a transaction to an unknown company?" If it seems suspicious, verification over a medium other than email should be used.

Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)

Next Steps

Learn the difference between man-in-the-middle and man-in-the-email attacks

This was last published in July 2015

Dig Deeper on Email and Messaging Threats-Information Security Threats