The human element makes it easy to fall for fake email hoaxes

Business email compromises can dupe executives, employees with little effort


Assorted members of the Trump White House were mortified this week when it was revealed that an email prankster, using basic impersonation strategies, duped them into private conversations. The star-studded list of “victims” included the just-deposed White House spokesman Anthony Scaramucci—who was tricked into a faked conversation with rival Reince Priebus.

Bob Sullivan, journalist and one of the founding members of

It was easy to impersonate White House officials like Priebus, Scaramucci or even Jared Kushner and Eric Trump. The prankster fooled plenty of people who should have known better, like former Utah governor and presidential candidate Jon Huntsman, Homeland Security Adviser Tom Bossert—and Trump, too.

This email prankster hoax is embarrassing for the White House, but it’s not funny.

Now you know why financial institutions and critical infrastructure systems are at such great risk. Millions of dollars in security investments still can’t solve the riddle of the human element.

Related podcast: A primer on ‘business email compromise’ hoaxes

The technique was easy. The prankster is a UK-based designer who started pulling stunts like this earlier this spring—at the time, he successfully targeted big-name banking executives, like Barclays CEO Jes Staley. He uses the Twitter handle @Sinon_Reborn, a tip of the cap to Greek mythology.

Exploitation is easy

The prankster simply registers email accounts like and starts sending messages. In the case of Scaramucci, he fell for the hoax hook, line and sinker.

In one part of the dialogue, the fake Priebus said, in part, “The way in which that transition has come about has been diabolical. And hurtful. I don’t expect a reply.”

Scaramucci, believing the message was authentic, responded: “You know what you did. We all do. Even today. But rest assured we were prepared. A Man would apologize.”

CNN first reported on the exchanges, which the hoaxster already had made public on his Twitter feed.

The hoax exploits an age-old problem with the way the internet was built: It’s pretty easy for people (and computers) to lie about who they are and where they are.

Prank becomes costly

And while this attack is funny, it’s just a form of something that’s rampaging through the business world right now—executive ID theft. Workers around the globe are falling for fake emails like this and taking real steps that cost millions.

The FBI has called the crime—which goes by the pedantic name “business email compromise”—one of the fastest-growing digital cons. One technology company reported in an SEC filing in 2015 that it had been hit by a con that led to “transfers of funds aggregating $46.7 million.” In one version of the crime, the fake executive sends an urgent message asking that money be wired to close an international business deal. Given the power relationships involved, assistants often comply.

This week’s hoax just shows how easy it can be. The White House prankster didn’t need to spoof his address or use any mildly technical tricks. He just opened an email address using someone else’s name.

In technology we trust

Despite constant reminders to the contrary, most people implicitly trust their technology and impulsively open emails that seem to be from friends and associates. The hotter the potential exchange, the more victims let their guard down. That’s why people rush to open emails with subject lines like “Someone has your password.” In case you’ve forgotten, that’s how John Podesta’s email was hacked.

The White House prankster didn’t immediately respond to my requests for comment, but he has said previously he’s merely committing an act of protest.

“(Twenty) years ago I would have chained myself to Jes Staley’s gates. What I did was just a modern reinvention of the dogmatic protester. #barclays,” he wrote on Twitter recently.

His beef with banks began over a loan dispute, followed by frustrations with slow customer service, and finally criticism of Barclays’ efforts to unmask a whistle-blower.

He said on Tuesday morning that he would stop targeting Washington, D.C., officials now.

“White House—FYI I won’t be pranking you any longer, point made. I’m just a dude with an iPhone, you need to tighten up IT policy. love x x,” he wrote.

Expect more tricksters

Anyone reading this story should realize two things: First, criminals and pranksters alike are constantly trying to trick you into reading emails and clicking on things you shouldn’t. We should all know better, but we don’t. We all have moments of weakness.

Second: Given the high-profile success of the prankster, you should expect a lot of copycats now.

There are technology solutions that can help with the problem. Some email clients now show a warning when an email does not come from someone in your address book, or when the sender might be inauthentic. Those solutions are clunky, however, and users often blow past the warnings. It’s not a bad idea to look at the headers of email senders, particularly if something seems unusual about the message.
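As an added example (not code from the article, and not any email client's own implementation), here is a small Python check that reproduces in code the two warnings the paragraph above describes: a sender who is not in your address book, and a known person's display name arriving from an address that is not theirs, which is exactly the gap a fresh account opened under someone else's name falls into. It also flags an external domain and a Reply-To that differs from From. The address book, the trusted domain and every sample message are constructed for the example; none of them are data from the article.

```python
"""Sender-trust check over raw email messages (added example, not from the
article). Uses only the standard library's email package.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed address book: the display name an organisation knows, mapped to
# the one address that person is expected to send from (hypothetical values).
ADDRESS_BOOK = {
    "reince priebus": "reince.priebus@example.gov",
    "jared kushner": "jared.kushner@example.gov",
}
# Hypothetical domain(s) the organisation itself sends from.
TRUSTED_DOMAINS = {"example.gov"}


def decode_display_name(raw):
    """Decode RFC 2047 encoded words (e.g. '=?utf-8?q?...?=') in a name."""
    try:
        return str(make_header(decode_header(raw)))
    except Exception:  # malformed encoded word: keep the raw text
        return raw


def inspect_sender(raw_message):
    """Return the parsed From fields plus a list of human-readable findings.

    An empty findings list means the sender matched the address book exactly
    and nothing else in the headers contradicts it.
    """
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name = decode_display_name(name).strip()
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    findings = []

    expected = ADDRESS_BOOK.get(name.lower())
    if expected is None:
        findings.append("sender not in address book")
    elif expected != addr:
        # The case in the article: a familiar name on an unfamiliar address.
        findings.append(
            f"display name '{name}' belongs to {expected}, not {addr}"
        )

    if domain and domain not in TRUSTED_DOMAINS:
        findings.append(f"external domain {domain}")

    # A Reply-To that differs from From quietly redirects the conversation.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From")

    return {"name": name, "address": addr, "findings": findings}


# Constructed sample messages (not real correspondence).
LEGITIMATE = """\
From: Reince Priebus <reince.priebus@example.gov>
To: staff@example.gov
Subject: Schedule

Please confirm Thursday.
"""

LOOKALIKE = """\
From: Reince Priebus <reince.priebus@example.com>
To: staff@example.gov
Subject: Schedule

Please reply when you can.
"""

REDIRECTED_REPLY = """\
From: =?utf-8?q?Jared_Kushner?= <j.kushner@example.gov>
Reply-To: jk.private@example.net
To: staff@example.gov
Subject: Quick question

Are you free?
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGITIMATE), ("lookalike", LOOKALIKE),
                          ("reply-to", REDIRECTED_REPLY)):
        result = inspect_sender(sample)
        print(label, result["address"], result["findings"] or ["ok"])
```

The check deliberately keys on the display name rather than the address, because the display name is what a mail client shows and what a reader trusts; the address is where the borrowed identity breaks down. A real deployment would also consult SPF, DKIM and DMARC results from the receiving server, which this stand-alone example does not have access to.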

But the only real firewall for tricks like this is the one between your ears. Emails are very, very insecure, and will remain that way for a long time. Slow down. Suspect everything, even if it seems to come from a friend. Never click on links in email, period.

In short, don’t trust.

More stories related to business security and email compromises:
Cyber criminals go spear phishing, harpoon executives
Major security threats lurk in your inbox
Most businesses unprepared for email-based attacks