We are under attack.
There is an increasing volume of spam, mostly aimed at business e-mail addresses, carrying a malicious payload via an attached file. The attachment contains some executable element (usually a macro that runs when the file is opened). The worst of the malicious payloads are ransomware – hijacking the computer and locking the user out pending payment of a ransom.
We have four lines of defence. The first is e-mail filtering. It isn’t very good.
I just completed my tax return on Her Majesty’s Revenue and Customs web site. At the end of the process, HMRC sent me a confirmation e-mail, essentially just giving me a reference number, with a link to the HMRC web site. That confirmation e-mail was filtered out as junk, whereas the filtering was perfectly happy to let through an e-mail with this header:
Or a similar one, in which HMRC appear to have contracted their services overseas:
Automated filtering suffers from both false positives and false negatives. The second line of filtering is the user, who has to cope with messages like:
That e-mail address is more plausible than the HMRC spoofs but bears no relation to the sender's name or the supposed company. It is part of the bombardment of quasi-business e-mails, most of which have attachments disguised as financial instruments – invoices, statements of account and the like. The following is a better example; it spoofs a sender e-mail address consistently, and the body of the e-mail takes the Ian Fleming approach, disguising the big lie in plausible levels of detail. (In this case, its biggest failing was that it was sent to a non-existent address and was therefore swept into our junk mail dungeon.)
In theory, there are two levels of security beyond the inbox that might still save us from the worst of the scams, but I never want to put those to the test – and there is something simple that business people can do to defeat the scammers.
The assumption made by the scammers is that the e-mail is coming into a busy financial office. The e-mail doesn’t contain enough information for the transaction to be recognisable and therefore the recipient will open the attachment to find out what it’s about. The e-mail is written as though there is a prior history, but that history is never specified.
All that is needed to defeat this – to prove that a business e-mail is genuine – is to have some common verifiable evidence of history in the body of the e-mail so that the provenance can be checked without opening the attachment.
So, if you send out e-mails with, for example, remittance advice notes attached, then make sure your subject line or e-mail body contains a verifiable reference to a purchase order or invoice number.
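As an added illustration of that check (example code, not part of the original post), the following Python script triages incoming e-mail by whether the subject or body carries a purchase-order or invoice reference that matches the business's own records, without ever opening an attachment. The ledger of known references, the `PO-`/`INV-` number format and the sample messages are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Constructed stand-in for the finance ledger: references the business already knows about.
KNOWN_REFERENCES = {"PO-20491", "PO-20502", "INV-7731"}
# Constructed reference format; a real deployment would use its own numbering scheme.
REFERENCE_PATTERN = re.compile(r"\b(?:PO|INV)-\d{4,6}\b", re.IGNORECASE)


def extract_references(msg: Message) -> set:
    """Collect PO/invoice numbers from the subject and text parts only; attachments are never opened."""
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_content_disposition() != "attachment":
            payload = part.get_payload(decode=True) or b""
            text += "\n" + payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    return {ref.upper() for ref in REFERENCE_PATTERN.findall(text)}


def has_attachment(msg: Message) -> bool:
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def triage(raw: str, known=KNOWN_REFERENCES) -> str:
    """Classify a raw e-mail by whether its visible text carries a verifiable history."""
    msg = message_from_string(raw)
    if not has_attachment(msg):
        return "no-attachment"          # nothing to open, so the check is moot
    refs = extract_references(msg)
    if refs & set(known):
        return "verified"               # reference matches a record we hold
    if refs:
        return "unknown-reference"      # looks like a reference, but we hold no such record
    return "unverifiable"               # attachment with no checkable history: the scammer's pattern


def build_sample(subject: str, body: str, attachment: str = None) -> str:
    """Construct a sample message (test data, not a real e-mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "finance@example.org", subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    print(triage(build_sample("Remittance advice for PO-20491", "Payment made against PO-20491.", "remittance.pdf")))
    print(triage(build_sample("Invoice", "Please see attached invoice, as discussed.", "invoice.doc")))
```

The second sample is the shape of e-mail the post describes: an attachment, an implied prior history, and nothing in the visible text that the recipient can check against a record.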