Safe & Secure Emails

February 7, 2019 | Published by Admin

It’s 4.55pm on a Friday night and you’re just about to jump on long haul flight for a business meeting on Monday morning.

Just as your Finance Director is packing up for the weekend, he receives an internal email from you:

“Hi Dave

I’m just about to dive on the plane, but something’s come up and I urgently need you to transfer £100k to this account XXXXXXX XX-XX-XX.

I’ll give you a call as soon as I land to explain everything.

P”

Your Finance Director tries to call you, but you’re already on the plane.  He wants to help though, and it’s Friday night.  Besides, the message arrived from your internal email address, so he transfers the money, despite the nagging feeling he’s getting.

When you finally do speak to each other you realise you’ve been a victim of fraud.  Long conversations occur in the following weeks and months with the authorities and it becomes increasingly clear that your chances of recovering the funds are less and less likely.

It might sound like a far-fetched scenario, but more and more businesses are falling foul of spear-phishing, exploiting employees’ trust in their colleagues, partners, and customers.  In fact, The FBI estimates that Business Email Compromise due to spear phishing has cost businesses more than $12 billion between December 2016 and May 2018.

Organisations are also regularly impersonated – at this time of year the usual spate of HMRC phishing emails do the rounds, either suggesting to people they log on to fake sites or offering rebates on overpayments. 

The problem originates with how email was originally designed.  The world (or certainly at least University IT Departments) were a lot more trusting in 1982.  Because of this a receiving email server will assume that when it receives an email, the sender is precisely who they claim to be. 

The core technology has remained the same for the last 36 years with a few additions to the standard that have helped to enhance the security of the protocol – but need to be implemented to work, and in some cases can be complex to set up.  Especially when you must factor in third parties who you might want to send email on your behalf, such as your website provider or third-party mailing houses like MailChimp, Infusionsoft or Wishpond, to name a few.

Email security is key to protecting your business and your brand. So, how can you ensure the integrity of your reputation, and be certain that the emails your team receive from each other are from who they say they are?

1 – Sender Policy Framework

Every organisation should be implementing SPF. It is by far the simplest way to flag emails that claim to have come from your server’s IP address, but in fact, have not. It allows the receiver to check that the email has come from a server that you have published in your DNS records.

It’s equally important to ensure that you are also checking the SPF records of mail coming in.

2 – DKIM/DMARC

This builds on the idea of SPF but makes sure that the server that is claiming to have sent the mail has actually sent it, by digitally signing the mail as it leaves your organisation.  That signature can then be used to verify the origin of the email by the receiving email server.

DMARC then builds on this concept further by allowing a sender to show that their messages are protected by SPF and DKIM and allowing a Domain owner to find out when their domain is being impersonated.  A non-technical summary of how this works and the benefits are listed on the dmarc.org website, here.

3 – Adding Notifications for Your Users

In a perfect world, all organisations would be using SPF, DKIM and DMARC, but alas, the world is not a perfect place.  User training and vigilance are as important as ever and training your team to spot suspicious emails and question why they are receiving an attachment before opening it is as important now as it was in the late 90’s.  However, there are ways of adding a notification for end users on most email servers. 

Below is a demonstration of how to alert a user that an email has originated from outside your organisation in Microsoft Exchange and Office 365 – the most prevalent email servers used by our clients.

Within Powershell for your Exchange environment (or remote Powershell to Exchange Online) create a transport rule:

Email security - setting up a transport rule

This takes effect immediately, and the user will receive a banner in Outlook or in OWA that states at the head of the email:

“This email originated from outside of the organization.  Do not click links or open attachments unless you recognize the sender and know the content is safe”

If you’d like assistance setting up any of these technologies, you can contact our experts at info@verussolutions.co.uk or call us on 01756 707896 – we’d be happy to help.

Return to blog