The human element makes it easy to fall for fake email hoaxes
Business email compromises can dupe executives and employees with little effort
By Bob Sullivan, ThirdCertainty
Assorted members of the Trump White House were mortified this week when it was revealed that an email prankster, using nothing more than basic impersonation, duped them into private conversations. The star-studded list of “victims” included the just-deposed White House communications director Anthony Scaramucci, who was tricked into a faked conversation with his rival Reince Priebus.
It was easy to impersonate White House officials like Priebus, Scaramucci or even Jared Kushner and Eric Trump. The prankster fooled plenty of people who should have known better, like former Utah governor and presidential candidate Jon Huntsman, Homeland Security Adviser Tom Bossert—and Trump, too.
This email prankster hoax is embarrassing for the White House, but it’s not funny.
Now you know why financial institutions and critical infrastructure systems are at such great risk. Millions of dollars in security investments still can’t solve the riddle of the human element.
Related podcast: A primer on ‘business email compromise’ hoaxes
The technique was easy. The prankster is a UK-based designer who started pulling stunts like this earlier this spring—at the time, he successfully targeted big-name banking executives, like Barclays CEO Jes Staley. He uses the Twitter handle @Sinon_Reborn, a tip of the cap to Greek mythology.
Exploitation is easy
The prankster simply registers free email accounts in his targets’ names, such as Reince.Priebus@mail.com, and starts sending messages. Nothing about the account is forged; the familiar name in the display field does all the work. Scaramucci fell for the hoax hook, line and sinker.
At one point the fake Priebus wrote: “The way in which that transition has come about has been diabolical. And hurtful. I don’t expect a reply.”
Scaramucci, believing the message was authentic, responded: “You know what you did. We all do. Even today. But rest assured we were prepared. A Man would apologize.”
CNN first reported on the exchanges, which the hoaxster already had made public on his Twitter feed.
The hoax exploits an age-old problem with the way the internet was built: It’s pretty easy for people (and computers) to lie about who they are and where they are.
Prank becomes costly
And while this prank may raise a smile, it is just one form of something that’s rampaging through the business world right now: executive impersonation. Workers around the globe are falling for fake emails like this and taking real steps that cost millions.
The FBI has called the crime—which goes by the pedantic name “business email compromise”—one of the fastest-growing digital cons. One technology company reported in an SEC filing in 2015 that it had been hit by a con that led to “transfers of funds aggregating $46.7 million.” In one version of the crime, the fake executive sends an urgent message asking that money be wired to close an international business deal. Given the power relationships involved, assistants often comply.
This week’s hoax just shows how easy it can be. The White House prankster didn’t need to spoof his address or use any mildly technical tricks. He just opened an email address using someone else’s name. Because the account was genuinely his, the messages passed whatever sender checks the mail providers applied; the only false thing about them was the name.
In technology we trust
Despite constant reminders to the contrary, most people implicitly trust their technology and impulsively open emails that seem to be from friends and associates. The hotter the potential exchange, the more victims let their guard down. That’s why people rush to open emails with subject lines like “Someone has your password.” In case you’ve forgotten, that’s how John Podesta’s email was hacked.
The White House prankster didn’t immediately respond to my requests for comment, but he has said previously he’s merely committing an act of protest.
“(Twenty) years ago I would have chained myself to Jes Staley’s gates. What I did was just a modern reinvention of the dogmatic protester.#barclays,” he wrote on Twitter recently.
His beef with banks began over a loan dispute, followed by frustrations with slow customer service, and finally criticism of Barclays efforts to unmask a whistle-blower.
He said on Tuesday morning that he would stop targeting Washington, D.C., officials now.
“White House—FYI I won’t be pranking you any longer, point made. I’m just a dude with a iPhone, you need to tighten up IT policy. love x x,” he wrote.
Expect more tricksters
Anyone reading this story should realize two things: First, criminals and pranksters alike are constantly trying to trick you into reading emails and clicking on things you shouldn’t. We should all know better, but we don’t. We all have moments of weakness.
Second: Given the high-profile success of the prankster, you should expect a lot of copycats now.
There are technology solutions that can help with the problem. Some email clients now warn when a message comes from someone who is not in your address book, or when the sender could not be verified. Those warnings are clunky, however, and users often blow past them. It’s not a bad idea to look at the full sender address, not just the display name, and at the message headers, particularly if something seems unusual about the message: a familiar name in front of an unfamiliar domain, or a Reply-To that points somewhere other than the From address, is the tell for this kind of hoax.
But the only real firewall for tricks like this is the one between your ears. Emails are very, very insecure, and will remain that way for a long time. Slow down. Suspect everything, even if it seems to come from a friend. Never click on links in email, period.
In short, don’t trust.
More stories related to business security and email compromises:
Cyber criminals go spear phishing, harpoon executives
Major security threats lurk in your inbox
Most businesses unprepared for email-based attacks