92% of FTSE 100 are vulnerable to email spoofing
- "It wouldn't happen to us; no-one will actually use this against our company"
- "It wouldn't happen to us; we have an IT team to handle those sorts of things"
- "It wouldn't happen to us; we just invested in expensive email protection software"
"It wouldn't happen to us; no-one will actually use this against our company"

It’s tempting to assume that cyber attacks are rare, complex, and of limited impact, especially when it’s something that seems as “solved” as email. When we see obvious phishing emails, we get a comforting sense that even if the worst did happen, nothing would come of it. In reality, business email compromise (BEC) is one of the most common and damaging cyber issues for companies, costing over $1.2bn last year in the US alone!

Spoofed emails can be sent to and from clients, suppliers, customers, and even between fellow employees. Just think of the damage someone could do if they could impersonate someone important to your business: your major supplier whose invoice is due to be paid this week, the CEO who needs supplies purchased, your colleague who needs that customer contact list for a support message…

The most obvious risk to businesses from email compromise is Funds Transfer Fraud (FTF). This involves a key contact being spoofed and requesting that funds be directed or diverted to a different bank account. This could mean:
- Your company’s Accounts Receivable emailing clients to use an updated set of bank details for future payments
- Your supplier emailing procurement to update their invoice payment details, as they’ve changed banks and the old account is now closed
- Your subsidiary updating the details of the monthly settlement so that funds can be in the right account for upcoming purchases
"It wouldn't happen to us; we have an IT team to handle those sorts of things"

So maybe you didn't fall into the trap of ignoring the issue, and you’re aware that you're vulnerable. You might think that being a big, professional corporation would mean that someone would have covered this when setting all the systems up. But as the Toyota case shows, there is no such thing as too big to fail.

The reason is that, as with most cyber risk, if this were purely an IT issue it would have been solved by now. In fact, your IT team will probably already know about SPF and DMARC. But departments across your business use email, and each of those departments uses a range of tools to send it. So it’s easier for IT to minimise disruption by letting all of these through, that is, letting anyone send emails on behalf of the business, than to risk interrupting emails sent by legitimate tools. In short, cyber risk isn’t really a business priority.

And Toyota isn’t alone. Shockingly, 92% of FTSE 100 companies are vulnerable to email spoofing, despite the fact that 72% of boards consider the threat of cyber risk to be high! This means that suppliers, clients and customers of key companies cannot trust that the communications they receive from legitimate, real email addresses are not spoofs.

If stopping spoofs were a business priority, IT would be empowered to engage with business departments to understand their needs and the tools they use. By doing this, IT can ensure that trusted tools are trusted, and policies can slowly be ramped up to ensure untrusted email senders are blocked. To see what can happen when cyber risk is a business priority, look no further than our own National Cyber Security Centre. By prioritising the email security of the public sector, and iterating to slowly improve the policies, the NCSC has been able to stop 300 million scam emails from HMRC alone!
"It wouldn't happen to us; we just invested in expensive email protection software"

Finally, there are no quick and easy fixes. A number of companies invest in all-promising software solutions that “secure your mail”. But these will only filter suspicious inbound emails, doing nothing to protect you from being spoofed to your partners, or from receiving spoofed emails. We mentioned earlier that 92% of FTSE 100 companies are vulnerable to email spoofing; those which had clearly implemented email protection software didn’t fare much better, with 88% of them still vulnerable to email spoofing due to ineffective or missing SPF and DMARC records.

If you’re worried about the risk that insecure email might pose to your business, KYND ON will quickly show you the areas where your business can improve its email security (and, importantly, give you the necessary guidance to fix it!). We’re dedicated to making these and loads of other cyber risks simple to understand, quick to monitor and easy to prevent. So get in touch to see how KYND can help you.
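To make concrete what "ineffective or missing SPF and DMARC records" means, and how a policy can be "ramped up" from monitoring to blocking, here is an added example (not KYND ON's scanner or the NCSC's tooling) that classifies a domain's SPF and DMARC posture. The DNS records are constructed samples on reserved test domains, and the `lookup_txt` stand-in replaces a real DNS query.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample DNS TXT records (test domains, not real ones), keyed by record name.
SAMPLE_TXT: Dict[str, List[str]] = {
    "strong.example": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example"],
    "monitor-only.example": ["v=spf1 include:_spf.mailhost.example ~all"],
    "_dmarc.monitor-only.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example"],
    "partial.example": ["v=spf1 +all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=20"],
}

def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; a real scan would resolve the name instead."""
    return SAMPLE_TXT.get(name, [])

def spf_all_qualifier(records: List[str]) -> Optional[str]:
    """Qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'), or None if there is no SPF record.
    An SPF record with no 'all' term leaves unlisted senders at neutral, so it is reported as '?'."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec.lower())
            return (m.group(1) or "+") if m else "?"
    return None

def dmarc_policy(records: List[str]) -> Optional[Dict[str, str]]:
    """Parse the 'tag=value' pairs of a DMARC record, or None if the record is absent."""
    for rec in records:
        if rec.lower().startswith("v=dmarc1"):
            pairs = (t.split("=", 1) for t in rec.split(";") if "=" in t)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None

def assess(domain: str, txt: Callable[[str], List[str]] = lookup_txt) -> Dict[str, object]:
    """Report why a domain is still spoofable: a missing/ineffective SPF or a DMARC policy that does not block."""
    findings: List[str] = []
    spf = spf_all_qualifier(txt(domain))
    dmarc = dmarc_policy(txt("_dmarc." + domain))
    if spf is None:
        findings.append("no SPF record")
    elif spf in ("+", "?"):
        findings.append(f"SPF '{spf}all' does not fail unauthorised senders")
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))  # ramp-up stage: share of failing mail the policy applies to
        if policy == "none":
            findings.append("DMARC p=none only reports, it does not block")
        elif pct < 100:
            findings.append(f"DMARC {policy} applied to only {pct}% of mail")
    return {"domain": domain, "spoofable": bool(findings), "findings": findings}
```

Run `assess` over each sample domain: only `strong.example` comes back with no findings, while a monitoring-only DMARC policy or a permissive `+all` SPF record leaves the domain spoofable even though records exist.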