Team Armorblox, on Aug 07 2019
Manufacturing Distrust: The Downside of Email Transactions
We are living in the age of deep fakes, social media bots, and fake news allegations. As our trust in online channels is slowly eroding, businesses are increasingly relying on email to communicate with customers, vendors, and partners. Email is easy, it’s readily accessible on our smartphones from anywhere, and it allows us to communicate with almost anybody. If you bought a house recently, chances are you completed most of the paperwork over email. It beats faxing or physically mailing reams of paper, and allows you to get much of the work done ahead of time. The productivity gains are immense. So what could possibly go wrong?
As business transactions move to email, we need to be aware that these channels are vulnerable to the same integrity challenges we see with consumer media. Email is designed as an open communication medium; anyone with knowledge of your email address anywhere in the world can send you a message. This characteristic makes email a wonderful enabler of discourse, sharing, and commerce. At the same time, it creates a vast, open attack surface into your organization.
Email is a Ripe Target
Every year, hundreds of billions of dollars of commerce is conducted over email. Vendor invoices, purchase orders, and expense reports – all have migrated from traditional paper and fax-based systems to emails. Some organizations have embraced purpose-built applications for these workflows, but these applications don’t always work well in all environments and industries. For example, what if you work on a remote construction site with poor reception, or an oil field in the middle of the ocean? Email’s simplicity and ubiquity make it the most practical way to communicate.
As a result, email has become an attractive target for scammers. By injecting themselves into business process workflows, scammers can steal vast sums of money from organizations using deception techniques, such as identity impersonation and social engineering. According to a recent analysis from the Financial Crimes Enforcement Network (FinCEN), a division of the US Treasury, Business Email Compromise (BEC) attacks bleed over $300 million from organizations every month.
Figure 1: BEC SAR filings by months – FinCEN report
The statistics above reflect the monthly number and dollar amount of Suspicious Activity Reports (SARs) filed by financial institutions concerning BEC attempts. According to FinCEN, the top targeted industries in 2018 were Manufacturing and Construction, followed by Commercial Service, and Real Estate.
Figure 2: BEC trends by industry – FinCEN report
Unfortunately the hardest hit industries are the ones just starting to embrace digital transformation. This is no accident. Attackers are always looking for weak links, and nascent email-based workflows are a productive target. It’s relatively easy for attackers to send fake invoices, payment instructions, or requests for confidential documents using spoofed email addresses, or compromised accounts. The receiving party has very few objective tools available to proactively detect this type of fraud.
Insecure by Design
Email-based workflows, while often simple and lucrative, are inherently insecure. Let’s take a look at why. Email standards were developed in the early years of the Internet as a means of open communication among the very limited set of universities and research institutions that were connected at the time. As a result, email was designed to be a very open, permissive medium. The Internet has since expanded significantly, and has attracted its share of bad actors. However, email still remains an open medium. Any attempts to restrict incoming emails to specific senders run counter to productivity, and hence are quickly quashed.
One of the biggest issues with email is sender identity. The sender can put any name and email address in the “From:” field, and can pretend to be somebody else. Standards like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have emerged, along with Domain-based Message Authentication, Reporting and Conformance (DMARC), to tackle the problem of sender identity. However, until all email domains in the world comply with these standards, email servers have to allow exceptions, or risk losing legitimate emails. We are nowhere near full compliance, so the doors are still wide open.
Seeds of Distrust
The unfortunate side-effect of growing BEC fraud is that it weakens people’s confidence in digital workflows, and creates distrust between business entities. For example, if you have to call your vendor and verify each invoice received over email, not only does this reduce productivity, but it also creates friction. The vendor doesn’t appreciate being challenged on their invoice each time, and this gradually erodes the trust that may have taken years to build up.
Figure 3: Business Email Compromise (BEC) example
In extreme cases, a business that has been burnt badly by BEC fraud may be inclined to return to paper and fax-based workflows, thus turning the clock back on years of digital transformation progress and erasing all the productivity gains. This is certainly not an outcome anyone wants. But much like people turned their backs on Facebook after the recent data privacy scandals, this is a very real risk.
And unfortunately, the FinCEN data shows that this risk is borne unfairly by the industries that stand to benefit the most from digital transformation.
Email is a truck-sized hole in any organization’s cyber defenses. It’s a mission-critical communication channel that must be kept open in order to facilitate business in our modern globalized, matrixed economy. However, policing this channel is no easy task as threats continue to evolve.
Attacks have evolved beyond sending malware and phishing links, which are relatively straightforward to detect and block using a secure email gateway (SEG). Preventing BEC attacks requires understanding of the textual context inside the emails, as well as the identities of the senders, the recipients, their writing styles, and their normal communications patterns. Machine intelligence can combine these factors, create a baseline for what normal looks like, and alert users (and security analysts) when an email looks suspicious. For example, the payment details might have suddenly changed from previous invoices, or the email’s writing style has deviated from the norm. All of this can happen seamlessly without impairing user experience.
Natural Language Understanding (NLU)
The latest advances in Natural Language Understanding (NLU) allow us to do exactly that. Machines are able to comprehend human language with an exceeding degree of accuracy. NLU is already making your life simpler at home, with voice assistants like Alexa and Google Home. This same technology can inject integrity and confidence into your organization’s email-based workflows, and restore trust in digital channels.