Email is not secure
91% of all cyber attacks begin with email.
Despite all the advances in cyber defence, good old-fashioned email still provides an open door for attackers to knock on. Email is your biggest security risk by a long way.
Finance staff use email constantly and handle money every day. In charities they also have to cope with IT systems of mixed quality, often on stretched budgets (especially for their own back-office systems, which are rarely frontline facing), and sometimes with a very small team around them, which means heavier workloads.
It's a heady mix, so it is perhaps unsurprising that phishing aimed at the finance team is very common. The attacker's goal is often to impersonate the Chief Executive or Head of Finance and trick a finance team member into making a fraudulent payment. This can happen in the middle of a genuine email conversation that the attacker is quietly watching from a compromised mailbox, ready to step in at the key moment when bank details are shared or approval to pay is given.
Everyone working in Finance should be aware of the types of attack they may receive and the red flags to look out for. Organisations should appreciate that email is likely to be their highest cyber security risk, and the finance team one of the most heavily targeted.
The good news is that there is a mix of protection measures that aren't expensive and that greatly reduce the risk of fake emails getting through. The bad news is that many organisations don't have them in place. So we hope this guide helps you to ask your IT team to check, and check again, that you are doing what you can to protect yourselves, and to keep awareness front and centre when using email.
What is a Phishing Attack?
A phishing email is one engineered to look convincing enough that you do something, or hand over information, that you otherwise wouldn't.
Most often the aim is to harvest usernames and passwords: for example, the email says your password has expired and links to a page that asks for your 'old' password and a new one in order to sign in. If you fill it in, the attacker now has your password, and can try it against any other service where you reused it.
With finance staff it is often a payment request that looks legitimate but pays an attacker rather than the supplier (for example, the sort code and account number have been changed, or the link to make the payment is fake).
Attackers may be silently monitoring a mailbox for months, looking at the patterns of email messages, approvals and so forth, before seizing an opportunity to launch their attack.
Types of Attack
A common attack is an email that appears to come from someone important in your organisation, perhaps the Finance Director or CEO, sending you an invoice and asking you to pay it. The email has actually come from an external address that merely looks like the colleague's: the display name is right but the address is a free webmail account, or the domain is one character different from yours. If someone falls for it, the payment goes to an account controlled by the attacker.
Another attack, which is much harder to spot, comes from a legitimate email account that has been quietly compromised. Attackers gain access to the mailbox and lie in wait, reading emails and gathering information, looking for something like an invoice in a thread they can insert themselves into. When they find it, they send an invoice for a genuine service you have received, but with a request to pay into their 'new' account. Because the message comes from the real account, checks on the sender's address pass; only verifying the change of bank details out of band will catch it. Making that payment sends the money to the attacker rather than the supplier.
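The first kind of attack above can be partly caught by machine, because the tell-tale signs live in the message headers: a display name that matches a colleague but an address that isn't theirs, a sender domain one character away from your own, or a Reply-To that quietly diverts replies elsewhere. The following is an added example, not Smartdesc's code or any product's rule set. The organisation domain, the staff directory and the three sample messages are constructed for illustration; a real deployment would load the directory from your identity provider and run the check on mail as it arrives.

```python
"""Flag inbound mail whose sender looks like a colleague but is not.

Added example (not the original article's code). ORG_DOMAIN, STAFF_DIRECTORY
and the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org"  # assumed internal domain
STAFF_DIRECTORY = {                 # constructed: display name -> real internal address
    "Jane Smith": "jane.smith@example-charity.org",  # Chief Executive
    "Tom Brown": "tom.brown@example-charity.org",    # Head of Finance
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot look-alike domains (charity vs charlty)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list:
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []

    # 1. Display name is a known colleague, but the address is not theirs.
    expected = STAFF_DIRECTORY.get(name.strip())
    if expected and addr.lower() != expected:
        flags.append(f"display name '{name}' belongs to {expected}, but address is {addr}")

    # 2. Sender domain is a near miss of our own domain (one or two characters off).
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append(f"look-alike domain {domain} (close to {ORG_DOMAIN})")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")

    return flags


# Constructed sample messages.
GENUINE = (
    "From: Tom Brown <tom.brown@example-charity.org>\n"
    "Subject: Q2 forecast\n\nSee attached.\n"
)
DISPLAY_NAME_SPOOF = (
    "From: Jane Smith <jane.smith.ceo@gmail.com>\n"
    "Subject: Urgent payment needed today\n\nPlease pay the attached invoice.\n"
)
LOOKALIKE_DOMAIN = (
    "From: Tom Brown <tom.brown@example-charlty.org>\n"
    "Reply-To: accounts@example-charlty.org\n"
    "Subject: RE: Invoice 4471 - new bank details\n\nWe have changed bank.\n"
)

if __name__ == "__main__":
    for label, sample in [("genuine", GENUINE),
                          ("display-name spoof", DISPLAY_NAME_SPOOF),
                          ("look-alike domain", LOOKALIKE_DOMAIN)]:
        print(label, "->", assess_sender(sample) or "no flags")
```

The look-alike check is deliberately simple; in practice you would also normalise homoglyphs (rn for m, capital I for l) before comparing. The important design choice is that a flag never blocks a payment by itself: it prompts the verbal verification step described later, which is what actually stops the fraud.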
Top 5 Protection Measures
Reducing your organisation’s risk and exposure to these attacks requires a blend of ongoing defences. As a minimum we recommend:
- Finance teams should have a process to verbally verify every request for new or changed payment details, every time, using a phone number you already hold for the supplier rather than one given in the email.
- User awareness training is absolutely essential. Anyone can send anyone an email, so knowing what to look for is vital. There are lots of free cyber security training resources on the NCSC pages, and Smartdesc provides charity-specific cyber security and data protection training ourselves, more info here.
- Testing knowledge: phishing simulations are training exercises that deliberately send a spurious (but safe!) email to staff; anyone who clicks is directed to training, and the results are reported centrally so you can see how aware staff are. We recommend quarterly.
- DMARC: this is a techie one, but SPF, DKIM and DMARC exist to stop outsiders sending email that claims to be from your domain, yet few organisations use them fully. SPF lists which servers may send for your domain, DKIM signs outgoing mail, and DMARC tells receiving mail servers what to do when a message fails those checks. A DMARC record set to p=none only reports on abuse; spoofed mail is only actually blocked at p=reject. Ask your IT team, or us, to confirm that SPF, DKIM and DMARC are all in place and that DMARC is enforced.
- Microsoft 365 controls: most charities use Microsoft 365 for email, and it comes with a huge array of security controls that are often not fully configured. The CIS Benchmark for Microsoft 365 sets out a framework your organisation can follow, which covers more advanced anti-phishing controls, multi-factor authentication and so on. Microsoft also provides a free tool, Microsoft Secure Score, that measures your security posture and recommends improvements towards best practice.
Conclusion
Our working environments are fast paced – can you be sure that whilst you’re juggling priorities, a genuine looking email couldn’t slip through the net?
It’s important to remember that email is, inherently, not secure. Email security should be continually reviewed and re-assessed as part of your cyber security strategy, to ensure that the right things are in place.
By blending technical controls with policies and user training, you stand the best chance of staying protected, but vigilance is always required, within the finance team more than anywhere. And if you aren't confident in your organisation's cyber security, speak to someone independent like Smartdesc to get a second opinion.
About the Author
Andrew Coyle is Head of Information Security at Smartdesc, an IT Service Provider, Microsoft Gold Partner and NCVO Trusted Supplier who support charities and non-profits in the UK. We provide a range of services such as IT Strategy, Cloud & 365, IT Support, Migrations and Cyber Security & GDPR/Data Protection, for household names such as Mind, Terrence Higgins, WaterAid and the YMCA. Our mission is to share best practice and innovation in the Third Sector. To find out more and to book a complimentary consultation click here.