E-mail attack costs company R100 million

Email security is becoming an increasingly important aspect of business in South Africa, and in one instance, spoofing resulted in a company losing R100 million to a malicious actor.

In an interview with CliffCentral, e-mail security firm Sendmarc co-founder Sam Hutchinson revealed that a malicious actor’s spoofed email resulted in the funds being paid into the wrong bank account. They have not been recovered. “The largest loss I have dealt with personally is R100 million. That’s like enough money to never have to work again, and it’s just done with email fraud,” Hutchinson said.

“R100 million paid into the wrong bank account, and the money was lost. Gone.” He added that the two companies involved in the transaction were now in a legal battle with one another to recover the funds. Hutchinson said that smaller companies aren’t any less likely to be attacked.

“Now, if we talk about the size of an organisation, I deal with conveyancing companies who are three lawyers, and they are losing home transfers, which can be millions of rands,” he said. “These are small companies using large amounts of money.”

Hutchinson mentioned that the smallest company he had worked with — a two-person travel agent — had their domain impersonated by an attacker, resulting in a school paying funds for a hockey tour into the wrong account. “The whole under 16A hockey team didn’t go on tour,” he added.

Malicious actors undertake email spoofing to gain sensitive information or hijack transactions by impersonating organisations using forged email addresses.

Hutchinson explained that one of the best ways to avoid being caught out by email spoofing attacks is to implement Domain-based Message Authentication, Reporting and Conformance (DMARC).

“If you look at the Gartner Security Report of two or three years ago, they said that email is one of the top five attack vectors for an organisation,” he said. “If you look at organisations like the Hague … they say that DMARC is one of the top three things that an organisation must implement of any size.”

DMARC is an email validation system used to protect the domains of organisations from being used for email spoofing, phishing, and other cybercrimes.

Hutchinson explained that DMARC is particularly useful because any organisation's DMARC status can be looked up from anywhere in the world, and 50% of JSE-listed companies in South Africa have not implemented DMARC.

“DMARC is the global technical standard that stops attackers from sending mail from you,” he said.
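The article states that DMARC records are publicly checkable and that a domain either enforces a policy or does not. The following is an added example, not code from the article or from Sendmarc, showing what such a check looks like in practice: it parses the text of a `_dmarc.<domain>` TXT record and reports whether the policy would actually cause a receiver to quarantine or reject spoofed mail, or whether the domain is only monitoring. The domain names and record values are constructed for illustration and are not real organisations' records; no live DNS lookup is performed.

```python
"""Assess DMARC policy records (added example; constructed sample records, no live DNS)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample DNS answers: domain -> TXT value published at _dmarc.<domain>
# (None means no record is published). None of these are real organisations.
SAMPLE_DNS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; adkim=s; aspf=s",
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:reports@monitoring.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "malformed.example": "p=reject",   # missing the mandatory leading v=DMARC1 tag
    "unprotected.example": None,       # no record at all
}


@dataclass
class DmarcAssessment:
    domain: str
    record: Optional[str]
    policy: Optional[str] = None            # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str] = None  # sp= tag; defaults to the p= value
    pct: int = 100                          # pct= tag: share of failing mail the policy applies to
    enforcing: bool = False                 # True only if spoofed mail is actually blocked
    findings: list = field(default_factory=list)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain: str, record: Optional[str]) -> DmarcAssessment:
    """Decide whether a DMARC record protects the domain and list its weaknesses."""
    a = DmarcAssessment(domain=domain, record=record)
    if record is None:
        a.findings.append("no DMARC record: receivers have no policy for mail claiming this domain")
        return a
    # RFC 7489 requires v=DMARC1 as the first tag; otherwise receivers ignore the record.
    first_tag = record.strip().split(";")[0].replace(" ", "").lower()
    if first_tag != "v=dmarc1":
        a.findings.append("record does not start with v=DMARC1 and will be ignored by receivers")
        return a
    tags = parse_dmarc(record)
    a.policy = tags.get("p", "").lower()
    if a.policy not in ("none", "quarantine", "reject"):
        a.findings.append("missing or invalid p= tag; record is not valid DMARC")
        a.policy = None
        return a
    a.subdomain_policy = tags.get("sp", a.policy).lower()
    try:
        a.pct = int(tags.get("pct", "100"))
    except ValueError:
        a.findings.append("pct= is not an integer; treating it as 100")
        a.pct = 100
    # Only quarantine/reject applied to 100% of failing mail counts as enforcement.
    a.enforcing = a.policy in ("quarantine", "reject") and a.pct == 100
    if a.policy == "none":
        a.findings.append("p=none only reports; spoofed mail is still delivered")
    if a.pct < 100:
        a.findings.append(f"pct={a.pct}: policy is applied to only {a.pct}% of failing mail")
    if a.subdomain_policy == "none" and a.policy != "none":
        a.findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        a.findings.append("no rua= address: aggregate reports will not be received")
    return a


def assess_all(dns: dict = SAMPLE_DNS) -> dict:
    """Assess every domain in the constructed sample set."""
    return {domain: assess(domain, record) for domain, record in dns.items()}


if __name__ == "__main__":
    for domain, result in assess_all().items():
        status = "ENFORCING" if result.enforcing else "NOT ENFORCING"
        print(f"{domain:24} {status:14} p={result.policy} sp={result.subdomain_policy} pct={result.pct}")
        for finding in result.findings:
            print(f"    - {finding}")
```

The distinction the script draws matters for the kind of loss the article describes: a domain with `p=none` has "implemented DMARC" in the sense of publishing a record, yet a receiver will still deliver a spoofed invoice, so an adoption statistic should be read alongside the policy level actually in force.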

However, even though half of JSE-listed companies haven’t implemented DMARC, South Africa is making better progress than the EU and the US. “If we look at the EU: 70%, if we look at the US: 72%. So, South Africa’s actually doing pretty well,” Hutchinson said.

Hutchinson said that he had noticed that specific sectors, such as mining and manufacturing, traditionally fall behind regarding their security measures, resulting in them being attacked a lot.

“[Regarding] certain sectors, it’s just traditional that their security is not necessarily up to scratch. We see it in some of the industrials and the manufacturing, the security has almost been an afterthought, and they actually get attacked a lot,” he said.

“I see the mining sector getting attacked a lot because they have such huge transaction amounts,” he added.

Article courtesy of MYBROADBAND