Layer 8 security: hacked by email.

Last week I received a letter in the mail claiming to be from the city of Suffolk.  They want me to pay a tax on my cars.  The tax is less than $100, but you know what; I already paid a fee to register my cars.  Perhaps the request is legit, but it seems just a little bit suspicious.  What if that letter came through email with a link to click for me to make a PayPal payment?  Is email any more secure than the US Postal service?  How do you know the letter, or the email, that claims to have come from a certain person actually came from that person.  The postal system, like the internet is kind of the wild, wild west.

There are plenty of technologies that can help solve this issue – if someone expresses interest, I would be happy to dig into those technologies in the near future.  However, as a quick way to raise your awareness of the dangers of trusting email (or snail mail) without a discerning eye, pop over to the New York Times and read the post about the Magazine Publisher that just lost 1.5 Million dollars due to an email scam.

The short story:

Someone hacked into the email of the CEO and sent an email to the Accounts Payable department to wire 1.5 million dollars to an offshore Chinese bank account.

The dutiful employee complied.

The problem here is not that someone hacked the CEOs email, this type of stuff happens every single day in the real world.  The problem is that the receiver on the other end didn’t apply any type of analysis or intelligence to the request (e.g. is this risky, is this unusual?).  It is interesting to note that the “CEO” sent a second email to Accounts Payable.  This second employee thought “Hey, this seems odd, maybe I should double check with the CEO”.

Result: 1.5 Million dollars saved.

Who knows, perhaps a 1.5 million dollar transfer request through email was a normal day in the Accounts Payable office of Bonnier Publications.  If so, shame on them (see the opening paragraph).

Summary:  Enterprise organizations need to eliminate email from their business processes, both from an efficiency and a security perspective.  As an individual, you need to approach email with a certain amount of discernment, even if they appear to come from a trusted individual (see the opening paragraph).

I promise not to send you email from your boss asking you to buy lunch for the office: but I can’t speak for everyone.

Asking a few additional questions might just save your company 1.5 million dollars.

Remember: Security is everyone’s responsibility.