At DEMO 2004, Pavni Diwanji, CEO and co-founder of MailFrontier, warned corporate executives and IT directors of a growing threat to enterprise messaging: corporate email fraud. While phisher scams -- a largely consumer-facing problem in which fraudsters spoof well-known brands to steal personal information -- garner most of the media attention, the untold story is that IT departments are being spoofed as well, compromising the security of entire corporate networks. Highly sensitive information about the company, its employees and its customers is easily obtained once a fraudster holds legitimate employee passwords and network login details.
"E-mail is arguably the centerpiece of corporate business transactions and it has become the most vulnerable of enterprise applications," said Chris Shipley, executive producer of DEMO 2004.
During 2003, the Federal Trade Commission (FTC) received more than a half-million complaints regarding fraud and identity theft, according to a January 2004 FTC report. Internet-related fraud accounted for 55% of all fraud reports, up from 45% in 2002.
"Only the most alert and knowledgeable users can spot the difference between legitimate and fraudulent email," noted Rich Mogull, research director at Gartner. "Addressing the email fraud problem will require a combination of education and technology. Until the structure of the Internet includes needed anti-fraud capabilities, email, messaging security and Web browsing vendors should include anti-fraud functionality in their enterprise and desktop products."
Build a Protection Strategy:
Most enterprises need an integrated plan to defend themselves from email fraud, one that combines the time-proven value of consistent, accurate communication with current email security technology, such as domain authentication. Such an approach consists of three essential components:
- Detect Email Fraud: Identifying email fraud is very different from identifying spam, and it requires filtering methods specifically tuned to the techniques used in fraudulent emails, such as hex-coded (percent-encoded) URLs that disguise the real destination host.
- Protect Against Email Fraud: Install a comprehensive email security solution that protects against enterprise email threats, be they fraud, spam or viruses. A solution that integrates fraud, spam, and virus detection in one product provides IT directors with an efficient, easy-to-administer solution.
- Educate Users: Develop a corporate security policy that includes user awareness as an integral component. The more users know about fraud in the enterprise, the more likely that they will take appropriate action and not compromise the organization.
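As an added illustration of the detection component above (this is example code written for this page, not MailFrontier's product logic, and the indicator names, the helper functions and the sample message are constructed for the example), the following Python scans an email body for the URL obfuscation tricks fraud filters look for: percent-encoded characters in the hostname, hosts written as bare hexadecimal or decimal IP addresses, a fake "trusted" name placed before `@` in the authority, percent-encoding of characters that never need it in the path or query, and a visible link text whose host differs from the real `href` host.

```python
import re
from urllib.parse import urlsplit, unquote

# Characters that never need percent-encoding (RFC 3986 "unreserved").
# Seeing them encoded (e.g. %6a for 'j') is a strong sign of deliberate obfuscation.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)

URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.IGNORECASE)
ANCHOR_RE = re.compile(
    r'<a\s+[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
    re.IGNORECASE | re.DOTALL,
)
HEX_IP_RE = re.compile(r'0x[0-9a-f]+(?:\.0x[0-9a-f]+){0,3}')  # 0xC0A80001 or 0xC0.0xA8.0x0.0x1
DECIMAL_IP_RE = re.compile(r'\d+')                              # 3232235521


def _encodes_unreserved(component):
    """True if any %xx escape in the component decodes to an unreserved character."""
    return any(chr(int(h, 16)) in UNRESERVED
               for h in re.findall(r'%([0-9A-Fa-f]{2})', component))


def effective_host(url):
    """Host a browser would actually connect to: userinfo and port stripped, %xx decoded."""
    netloc = urlsplit(url).netloc
    if '@' in netloc:
        netloc = netloc.rsplit('@', 1)[1]
    return unquote(netloc.split(':')[0]).lower()


def classify_url(url):
    """Return the sorted list of obfuscation indicators present in one URL (empty if clean)."""
    indicators = set()
    parts = urlsplit(url)
    netloc = parts.netloc
    if '@' in netloc:
        # http://www.bank.example@203.0.113.5/ connects to 203.0.113.5, not the bank.
        indicators.add('userinfo_before_host')
        netloc = netloc.rsplit('@', 1)[1]
    host = netloc.split(':')[0].lower()
    if '%' in host:
        # Hex-coded hostname, e.g. %77%77%77.corp.example -> www.corp.example
        indicators.add('hex_encoded_host')
        host = unquote(host)
    if HEX_IP_RE.fullmatch(host):
        indicators.add('hex_ip_host')
    elif DECIMAL_IP_RE.fullmatch(host):
        indicators.add('decimal_ip_host')
    if _encodes_unreserved(parts.path):
        indicators.add('hex_encoded_path')
    if _encodes_unreserved(parts.query):
        indicators.add('hex_encoded_query')
    return sorted(indicators)


def scan_message(body):
    """Map each suspicious URL in an email body to its indicators.

    HTML anchors are checked first so that the visible link text can be compared with
    the real href; the anchors are then removed and the remaining bare URLs scanned.
    """
    findings = {}
    for m in ANCHOR_RE.finditer(body):
        href = m.group(1)
        visible = re.sub(r'<[^>]+>', '', m.group(2)).strip()
        indicators = set(classify_url(href))
        shown = URL_RE.search(visible)
        if shown and effective_host(shown.group(0)) != effective_host(href):
            indicators.add('link_text_mismatch')
        if indicators:
            findings[href] = sorted(indicators)
    for m in URL_RE.finditer(ANCHOR_RE.sub(' ', body)):
        url = m.group(0)
        indicators = classify_url(url)
        if indicators and url not in findings:
            findings[url] = indicators
    return findings


# Constructed sample: a fake "IT helpdesk" password-reset lure, not a real message.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@corp.example>
Subject: Mandatory password reset

Your network password expires today. Confirm it at
<a href="http://%77%77%77.corp.example.attacker.example/reset">http://www.corp.example/reset</a>
or use the backup link http://0xC0A80001/reset?user=%6a%64%6f%65
Regards, IT
"""

if __name__ == '__main__':
    for url, hits in scan_message(SAMPLE_EMAIL).items():
        print(url, '->', ', '.join(hits))
```

On the sample, the anchor is flagged as a hex-encoded host whose decoded name (www.corp.example.attacker.example) differs from the www.corp.example shown to the user, and the bare link is flagged for a hexadecimal IP host and a needlessly encoded query value. None of these indicators appears in ordinary spam, which is why the text above says fraud detection needs its own filters rather than a spam score.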
Most people would never think to question an email from their IT department asking them to reset and confirm their network password. Email fraudsters count on this and do not hesitate to exploit that trust in email and the weaknesses of this critical business communications tool. Some organizations, such as financial services companies and health insurance providers, are higher-profile targets because of the data they hold. However, one thing is clear -- every company is vulnerable to email fraud attacks aimed directly at its enterprise environment and the vital information it protects.