With 40,000 employees in 140 countries and 1200 staff in Australia alone, “You don’t have to look too far to find examples” of the methods email fraudsters are using today, Grant Thornton information security manager Gavin Townsend said while joining me onstage to share his firm’s experiences with email threats.
As a business advisory firm charged with protecting massive amounts of confidential information, Grant Thornton has worked hard to protect its email channels and has implemented Mimecast security tools as part of an integrated defense against email attacks that have more complex and convincing over time, says Townsend.
One very well-crafted attack, he showed, recently came in purporting to be a bill from Telstra. It might have passed inspection by any of the firm’s employees – but when 10,000 of the messages were received and quarantined overnight, it quickly became clear that something was wrong.
The Mimecast platform protects Grant Thornton from the content of malicious emails no matter how convincing they seem. Its URL Protect capabilities had provided a filter that rewrites embedded URLs to go through a proxy where their real destination is carefully checked first. Messages with attachments are carefully examined, and unknown attachments can be executed in a virtual ‘sandbox’ to monitor their behavior and add the attachment to the list of known malware.
Yet not all attacks involve clicking: the firm has also been receiving carefully-crafted business email compromise (BEC) messages that spoof executives’ identities in an attempt to convince other executives to urgently forward money to a supposed supplier.
“I would have thought we would see these so blatantly obvious,” Townsend said while noting that many messages create a “sense of urgency” that often overrides employees’ better judgment.
“Email really is reaching a level of risk criticality,” he said. “Protection is around, but it really comes down to that user training and human firewall. We really emphasize context when training our users: does it make sense that this email is coming to you?”
Grant Thornton has even had to deal with one scammer who registered a domain name that was almost exactly the same as their own. By posing as an employment site within the firm, the imitation site had been set up to harvest the personally identifiable information (PII) of prospective job applicants. Closing it down took Grant Thornton all the way through the World Intellectual Property Organization’s (WIPO’s) domain dispute resolution process.
Ultimately, Townsend said, the firm’s approach to cybersecurity has grown in three key areas:
1. Cyber Protection - A combination of risk management, perimeter solutions, processes, training, and technical hygiene.
2. Moving from defense to offense - Increasing network visibility, using forensic processes, and using cyber intelligence to build up a picture of what suspicious and anomalous behavior comprises.
3. Cyber resilience - Security processes work in tandem with backup/restore, business continuity, and business response planning to ensure business downtime is minimised in the event of an attack.
“In each of these domains there are a number of various components,” Townsend explained. “It’s important to keep defining and redefining the problem to make sure you keep asking the right questions. And when you’re done, flip it around and ask the same questions from the perspective of the hacker. It all comes down to finding your weakest link.”
Love to Learn AboutCyber Resilience for Email?
Get all the latest news, tips and articles delivered right to your inbox
You will receive an email shortly