In this episode of the Fraud Fighters podcast series, host Debbi Fetter, Partner and Managing Director, and Jeff Johns, Partner, explore the rising threat of email compromise—a sophisticated cyber attack that continues to target individuals and businesses alike.
Discover how these attacks happen, the red flags to watch for, and the most effective strategies to prevent them. From strengthening email security to implementing proactive risk mitigation tactics, this episode provides expert insights to help safeguard your sensitive information.
Debbi S. Fetter: Hello everyone and welcome to another episode of the Herbein Conversation Podcast where we dive into some of the most pressing issues in the modern workplace. I'm Debbi Fetter, Partner and Managing Director of our firm's risk management practice and host of the Fraud Fighters podcast series - your go-to podcast for the latest in fraud and cybersecurity tips and trends. Today I'm joined by my fellow Partner and resident IT guru Jeff Johns. Welcome Jeff.
Jeff J. Johns: Thanks Debbi. It's great to be here.
Debbi S. Fetter: Awesome. So, before we dive into our exciting episode on e-mail compromise, I'd like to encourage our audience to listen to our fraud fighters kick off episode, “Welcome to Fraud Fighters: Combating Fraud One Battle at a Time” which is available on our website, Spotify or Apple Podcasts. Now, enough of the promotional business and back to the topic at hand.
Today we're going to discuss a growing fraud trend for both individuals and businesses known as e-mail compromise. We'll explore what it is, share some eye opening statistics and discuss tools and strategies to help you stay protected.
Are we excited? Let's dive in. Jeff, can you explain what e-mail compromise is?
Jeff J. Johns: Sure. So, e-mail compromise sometimes referred to as business e-mail compromise or e-mail account compromise, is a type of cybercrime where attackers are trying to trick you or gain access to your e-mail, divulge confidential information, and/or get you to send money using a variety of tricks.
All of them primarily stem through one form or another of e-mail and different techniques that can be used from the e-mail. So, whether it's getting you to click on something, getting you to open an attachment - there's a myriad of different tactics that can be used.
Debbi S. Fetter: So it's really people who are trying to impersonate trusted figures or people that you believe are the actual e-mail person or the person emailing you, is what I'm hearing as a layman.
Jeff J. Johns: Absolutely. It’s like somebody sent you an e-mail to click on a link because you want a free iPhone, or somebody was captured and they need you to send money. And those are some of the older and I would say less sophisticated ones, but in today's world there's so many more that look so legitimate that even from the layman’s eye, it looks like it's coming from a legit person or the legitimate source. Technical capabilities are kind of tricked on the front end to make you click on those links.
Debbi S. Fetter: So it's a very pervasive issue. Can we talk about some statistics related to understanding the scale of this issue? How pervasive is it?
Jeff J. Johns: In 2023, on average in the United States there's about $3 billion worth of reported losses related to e-mail compromise. And based on some of the figures, it's a pretty significant increase from the prior years. I don't have 2024 statistics just yet as those should be coming out soon, but overall, in the last decade, the number of the estimated loss is upwards of around $55 billion. And just to remember that those numbers are just what's been reported, not those that may not have been reported. So, while those numbers are pretty staggering, I wholeheartedly believe those numbers are probably even a little bit larger just because there is a large number of items that do go unreported or don't make it into some of the statistics.
Debbi S. Fetter: That's huge, that's staggering. I heard 55 billion and my mind almost shut down. It's really a far-reaching impact to both individuals and businesses alike. Can you tell us a little bit of how these attacks typically work?
Jeff J. Johns: There's really two different types of attacks or venues. There's some that are specific attacks where they're specifically targeting a high-profile individual and they're specifically going after that high-profile individual. From a business side it's a CEO or CFO. Or there's some where they're just sending mass sprayed emails out to everybody and anybody, seeing who they can get to click on a link, open an attachment, divulge some information. So, depending upon the type of attack, it can be very specific or can be just one where they're out there trying to see what they can get from anybody and everybody to get some information. You have to remember your e-mail address is out there. It's out there in known databases and those databases are readily available for anybody to pull down from even previous attacks.
Debbi S. Fetter: So it sounds like this is pervasive to both individuals and businesses alike. I don't have to be a sophisticated business to be targeted, nor that individual who's, you know, just looking to see if my tax return was filed.
Jeff J. Johns: Individuals are very much the target because they don't have some of the more sophisticated e-mail tools that they're using in the corporate world. But then also from a small business standpoint, they're as much of a pervasive attack as well because again, just as an individual, they don't have some of the levels of sophistication and tools and the robustness to detect some of those threats as some of those large corporations do.
Debbi S. Fetter: So, given the pervasiveness and the sophistication of these attacks, it's crucial to adopt effective tools and strategies to mitigate the risk of e-mail compromise. What I'm hearing is we'll never totally negate it, but what tools can our listeners place in their fraud toolbox to help lessen the risk?
Jeff J. Johns: Sure. So anytime we talk about tools, what I'd like to talk about from a technological standpoint or from an IT world, whether it's again individually or corporately, it's looking at a bunch of different layers and layers of different tools. Because for one, there's not a one-stop-fits-all or one-tool-fits-all that's going to stop everything other than maybe shutting down your e-mail and not using e-mail. And I don't think anybody wants that or that's really going to be effective in today's world.
So a couple of the things from the individual side is to always look at your systems, your e-mail provider. Whether you're using Gmail, which is a very popular one, or Outlook - all those modern e-mail providers support multi-factor authentication, which is one of those tools where you'll get a text message code sent to you, or you may get a phone call with the code, or sometimes it'll send you a push notification to your phone. That is a great way to prevent somebody from actually getting into your e-mail and getting into your e-mail box.
The other is to look at the spam filters that you have in place. Some providers allow you to adjust the severity of where you're going to block. If an e-mail is in your spam filter, there's probably a very good reason it's in there and doesn't mean that you should just click it. More likely than not, you probably didn't win that free iPhone. Or you weren't the winner of a lottery for $1,000,000. There's probably a reason why it's in there. So always be cautious.
Look at the e-mail and ask if it makes sense. Hover over any of the links. Do the links go where they say they're going to go? If you're not quite sure and say if you got an e-mail that says it's from Bank of America and you bank with Bank of America, but you're just not quite sure, go to the actual web page. Don't click on the link, go to the web page and go log into your online banking platform that way. That way it won't take you to a phishing site where you are going to divulge your information, or potentially could divulge your information.
At the end of the day, we all get a ton of emails. You just have to continually stay vigilant, to stay on top of it, and if you do happen to click on an e-mail that you probably shouldn't have, report it right away, get in contact with somebody. Change your passwords right away and stay vigilant and monitor what site you went to if it was one of your banking sites, or a place where maybe you store some other information. Make sure that you do change those passwords and even contact your bank to put a hold on your account temporarily if you do have some concerns.
Debbi S. Fetter: So what I'm hearing is when in question, don't click. Ask some questions. Reach out. Maybe use the old telephone or your cell phone and maybe call that person who you believe the e-mail is coming from just to verify the authenticity. Because once somebody clicks, certainly if you enter information, you can be giving a lot of information away for somebody to compromise. Not just your e-mail, but your banking relationships and quite honestly, your identity. One question that came to mind as you were talking, Jeff, about those solutions and those toolbox items is what about passwords? You know, we hear the term strong and unique passwords are supposed to be used. What does that mean?
Is it me using password 1234 with a capital P, using my dog's name in uppercase and lowercase and alternating it? What are some suggestions and tips there?
Jeff J. Johns: Sure. A strong password is not necessarily just an upper and lowercase with a special character and a number. Those can be easily cracked, especially those that are less than 14-15 characters. We see it all the time in some of the password cracking exercises that we do where those shorter passwords, even those that you think are going to be some of the more sophisticated ones because they have the upper and lower and special characters, are easily crackable. Even an 8-character password that has all four of those and random letters, in a 48-hour period we still typically crack about 70% of those passwords.
So, my recommendation anytime we're talking about passwords is to use a strong one. When I say a strong one, it has to be like a sentence, you know, something like your favorite music lyric. Probably not your dog's name, the year you were born, and your house number. But utilizing a sentence or a phrase will make it that much harder for somebody to actually crack that information. It also makes it a lot easier for you to remember. So for example "Fraud fighters is the best podcast!" is going to be a great long password. You're going to have uppercases and lowers. You're going to have spaces. Spaces are considered a special character and can be used on most systems. There are a few that don't allow that, but it makes it a lot easier for you to remember those passwords and you can force some of the stronger ones.
Debbi S. Fetter: So it sounds like I'm changing my password to Mary had a little lamb with uppers and lowers and spaces in between tomorrow. My question though is, is there something like password vault that we should be using or any of those types of tools?
Jeff J. Johns: So password vaults are great. You've probably heard of some in the news that have been compromised and had their own issues, but I use password vaults. But one thing to remember, anytime you're going to use a password vault - and they're great because they will come up with a complex character string that you don't even have to remember and you can have it up to 32 characters or however long you want - but that password vault is only as good as what you have set for your master password.
So, if you have all of your passwords in this password vault and your password is still password 123 exclamation point, you now have an entry point in for somebody and a weak entry point into your environment. So, if you're going to use a password vault, make sure that you have that strong master password associated with it. It requires multifactor authentication as well as other timeout and security controls in place to protect that information because that ultimately then is the keys to the kingdom for somebody else.
But it does allow you to have as strong of a password as possible across all of your different websites, applications and other storage information.
Debbi S. Fetter: That's great insight.
It seems as I'm listening to you, no matter how vigilant we are, e-mail compromise is going to happen or can happen. In the event that someone does fall victim to e-mail compromise, acting quickly seems to be the mantra.
Do you have any tips on how to leverage, for instance, your banking relationships to stop or at least identify e-mail compromise timely before it hits you in the pocketbook?
Jeff J. Johns: If you know you've clicked on something or think you clicked on something, go through and change all your passwords. Start with the highest severity items first and your bank accounts or your other credentials that may be publicly facing. Start with that and work your way down to your least severity ones.
Proactively, what you can do and set up is you can also set up alerts through your banking provider. So if you're getting a sign-in from a location that is not from a typical place you know, there's systems in place to allow alerting and text message alerting or what's called out-of-band alerting. That way it's not going right to your e-mail and right to that e-mail where, you know, that bad actor may already have access.
So setting up those alerts on your banking application or other systems where it can support multi factor authentication so that way it's not just your password that you have, but they need something else like that code that's on your phone, a text message that comes to your phone, or a phone call or one of the authentication apps that come through to push through.
Having those proactive controls in place will help stop most of it because at the end of the day, if somebody does get your password and you have multi factor authentication set up, they can't get past that multi factor authentication unless they've also stolen your phone or have tricked you into giving them that information through another route. But that's highly unlikely.
Debbi S. Fetter: So it seems like, at least from a financial impact standpoint, really using my financial institutions - whether it's my investment banker, my credit card or just my normal day-to-day banking relationship. Using their online banking or mobile banking applications allows me as a user to set up a lot of the alerts that you talked about, and truly just regular account monitoring to get a sense if there are any irregular transactions that I need to be aware of is probably one of the first and easiest steps.
Jeff J. Johns: Yeah, absolutely. Those tools are readily available by default, but most of them are turned off so if you haven't gone into your banking or some of your other providers, go in there and poke around. Typically, a lot of them have it underneath their security setting.
In your profile, there's a security setting that you can go through and turn on the text banking and turn on those notifications. And if you can't find it, I would ask you to reach out to your banking relationship provider and ask them where it is that you can turn on some of those tools.
Debbi S. Fetter: Awesome, Jeff. This is all great information, and we could probably talk about e-mail compromise for days, maybe even years, because it continuously keeps changing.
It's certainly a very serious threat, but by staying informed and adopting the right security measures, our listeners can significantly reduce their risk. Again, thank you for your valuable insights, Mr. IT guru.
That's all for today's episode of Fraud Fighters. We hope we've given you some beneficial tools for your fraud mail toolboxes. Should you need assistance identifying gaps or fine tuning your own or your business's fraud processes, need help adjusting your banking tools for optimal protection, or just want to talk through some of your fraud concerns, please reach out to our risk management team.
And if you enjoyed this episode, I'd like to encourage our audience to listen to our Fraud Fighters series, which is available on our website, Spotify, and Apple Podcasts. Stay tuned for future topics where we dive deeper into check fraud, business e-mail compromise and ACH fraud.
Thank you for tuning in, and remember, keep up the fight and see you next time fraud fighters!