Phishing costs company $46 million

Brian Krebs posted about a tech firm that lost $46M dollars due to fraud. The company reported in its SEC filings that the money was lost when someone impersonated an employee and directed the finance department to transfer money to outside accounts.
This is becoming more common. In some cases, DMARC authentication may stop this kind of fraud. But DMARC has a lot of deployment challenges and can cause real mail to fail delivery. In other cases, criminals are using lookalike domains and they can be authenticated and pass DMARC.
This isn’t really a bulk mail issue. And it’s certainly not a deliverability issue. But it is a security issue and I think it’s important that folks are aware of this kind of online crime. Coincidentally, as I’m writing this, I’m chatting online with a compliance person at a cloud hosting company who is brainstorming policies to block phishing URLs on their site. Email is a major vector for abuse and those of us who manage sending need to be a part of the solution.

Related Posts

Filtering is not just about spam

A lot of filters started out just as filters against spam. But over the years they’ve morphed into more general blocks against dangerous or problematic email. There’s a lot of crime and bad behavior on the internet, much of it using email as a conduit or vector. Filtering is so much more than stopping spam now. It’s as much, or more, about stopping crime.
Email filters are essential to protect us from scammers. Sometimes I forget this, and then I read about a grandmother getting swindled by a Nigerian scammer and ending up dead.
There are real consequences to poor filtering and there is real crime facilitated by email. It’s easy to forget this as we deal with the email that gets caught in filters when they shouldn’t.
Filters are one of the first lines of defense against online crime.
Not only does filtering stop crime, but they also keep email working. An unfiltered mail stream is an ugly, unreadable, unworkable mess.

Read More

Email marketing firm smacked by the SEC

Yes, the SEC. Really.
Apparently the email marketing firm mUrgent, which provides services to the restaurant and hospitality industry also had a side business. According to the complaint filed by the SEC last month, they had an entire boiler room set up to sell shares for their non-existent IPO.
I’d never heard of this firm before, so I did a little digging. First step, check out their website.

Read More

Gmail reports spear phishing attack

No one, it seems, is immune from account compromise attempts. Today Google reported they had identified a systemic campaign to compromise Gmail accounts belonging to “senior U.S. government officials, Chinese political activists, officials in several Asian countries (predominantly South Korea), military personnel and journalists.”
Google offers a number of solutions for users, including the ability to add 2 factor authentication to your Gmail account. I strongly recommend anyone who uses Gmail to do this.
This isn’t a security blog, but email is one of the major vectors used to infect machines. We’ve seen numerous break ins targeting email senders and ESPs, resulting in customer and recipient data being stolen and then used for spam. Everyone who uses email needs to be aware of the risks and maintain their email account integrity. Be careful clicking links in emails. Be careful opening webpages. Keep your antivirus software up to date.
Everyone is a target.
 

Read More