Our first S/MIME post offered a comprehensive overview of the challenges that companies face with email security, as well as an introduction to the S/MIME technology that can be used to address many of these vulnerabilities. In this post we will go into more detail about how S/MIME can be used to combat spear phishing attacks.
The term business email compromise (BEC) is well known in the cybersecurity industry, but it refers only to one particular type of spear phishing attack. A spear phishing attack uses fraudulent emails that pretend to come from a known or trusted sender, and its goal is to get the victim to take some action on the attacker's behalf.
This action can be as simple as revealing confidential information or as complex as completing a financial transaction. What distinguishes spear phishing attacks from standard phishing attacks is that spear phishing emails are tailored to the recipient, which gives them an additional degree of apparent authenticity and makes them difficult to identify.
How do attackers make these emails appear legitimate? A variety of tactics are available to them.
- Most of the time, the emails contain a forged header so that the message looks like it originates from within the company. As we discussed in the previous post, these attacks are usually carried out by spoofing the “From” field in an email. This makes it incredibly difficult for even the most conscientious employee to identify them as fraudulent.
- In general, they try to impersonate the CEO, company president, or any other C-level executive whose authority an entry-level or mid-level employee would likely not question.
- Detail-oriented attackers can even generate an entire fake email chain below the message to make it appear even more legitimate. And although employees should be trained to watch out for warning signs, people are fallible.
Attackers want to exploit that fallibility. When the CEO of a company asks a financial officer to make a transfer, does that employee feel comfortable raising flags? If the same email is sent to a dozen different finance professionals, will everyone be able to identify the email as fraudulent?
Only one mistake is required – an employee approving a transfer to a fraudulent account – and this money is almost certainly never going to be reclaimed. Fraudsters are smart, and any money they receive is quickly stowed away where law enforcement officials find it virtually impossible to reach.
S/MIME solves this problem in the simplest way: by ensuring that the true identity of the email sender is not displayed incorrectly. Without S/MIME, there is nothing – really nothing – that the average email user can look at to distinguish a real sender identity from a fake sender identity. With S/MIME, employees only need to look for the correct email signature on an incoming message to know that the sender has been verified. That doesn’t mean employees don’t have to worry anymore – it’s still important to be vigilant. Remember, a single slip can be all it takes to cause a serious breach. However, S/MIME does provide a way to check the integrity of messages (and any attachments they contain) that cannot be tampered with.
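The check employees are asked to make by eye can also be run at the mail gateway. The sketch below is an added example, not code from the original post: it flags mail that claims an internal sender but carries no S/MIME signature. The domain `example.com`, the function names and both sample messages are assumptions constructed for illustration, and the code only recognises the signed MIME structure; validating the signature itself is a separate step.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
SIG_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")
MIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def smime_signature_form(msg):
    """Return 'detached', 'opaque' or None, judged from MIME structure only."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        if str(msg.get_param("protocol") or "").lower() in SIG_TYPES:
            return "detached"
    if ctype in MIME_TYPES:
        if str(msg.get_param("smime-type") or "").lower() == "signed-data":
            return "opaque"
    return None

def triage(raw):
    """Classify one raw message by claimed sender domain and signature form."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    form = smime_signature_form(msg)
    if form is not None:
        # Structure alone proves nothing: the CMS signature must still be
        # validated and the signer certificate matched to the From address.
        verdict = "signed: verify signature and signer certificate"
    elif domain == ORG_DOMAIN:
        verdict = "flag: internal sender without S/MIME signature"
    else:
        verdict = "unsigned external"
    return {"from": addr, "form": form, "verdict": verdict}

# Constructed sample: unsigned mail with a spoofed internal "From" field.
SPOOFED = ('From: "CEO" <ceo@example.com>\nTo: finance@example.com\n'
           "Subject: Transfer request\nContent-Type: text/plain\n\n"
           "Please process the transfer today.\n")

# Constructed sample: detached-signature layout with a placeholder signature.
SIGNED = ("From: ceo@example.com\nTo: finance@example.com\n"
          'Content-Type: multipart/signed; micalg=sha-256; boundary="b1";\n'
          ' protocol="application/pkcs7-signature"\n\n'
          "--b1\nContent-Type: text/plain\n\nQuarterly report attached.\n"
          "--b1\nContent-Type: application/pkcs7-signature; name=smime.p7s\n\n"
          "(placeholder, not a real signature)\n--b1--\n")

if __name__ == "__main__":
    for sample in (SPOOFED, SIGNED):
        print(triage(sample))
```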