92% of FTSE 100 are vulnerable to email spoofing

If you work anywhere near corporate strategy, it’s more than likely that you’re aware of the threat of cyber risk. You may be in the majority of businesses that consider cyber risk to be a top threat. Even outside of those circles, you probably know about the increase in cyber attacks to which businesses and individuals are exposed these days. You may even have read our recent blog about email spoofing and how to protect yourself against it.

But you’re probably also likely to think the likelihood of actually falling victim to email spoofing is pretty low:

• "It wouldn't happen to us; no-one will actually use this against our company"
• "It wouldn't happen to us; we have an IT team to handle those sorts of things"
• "It wouldn't happen to us; we just invested in expensive email protection software"

Unfortunately email spoofing is increasingly common, it's affecting companies big & small, and even those with sophisticated software are vulnerable.

To recap – by default, emails we receive have no real assurance that they’re from who they say they're from. Just as the letters we receive in the post have no real assurance that they're from whoever wrote their name at the bottom of the page.

In our previous post, we described how this happens, and how you can prove that your emails really are from you. We also mentioned how you can use KYND to find out if your own organisation's emails are safe from spoofing (and how to fix them if not!)

But again, that phrase pops up: "Sure that sounds dangerous; but it couldn't possibly happen to us!"

"It wouldn't happen to us; no-one will actually use this against our company"

It’s tempting to assume that cyber attacks are rare, complex, and of limited impact. And especially when it’s something that seems as “solved” as email. When we see obvious phishing emails, we get a nice sense of comfort that even if the worst did happen, nothing would come of it.

Rather, business email compromise (BEC) is one of the most common & damaging cyber issues for companies, costingover $1.2bn last year in the US alone! Spoofed emails can be sent to & from clients, suppliers, customers, and even between fellow employees. Just think of the damage that someone could do if they could impersonate someone important to your business – your major supplier whose invoice is due to be paid this week, the CEO who needs supplies purchased, your colleague who needs that customer contact list for a support message…

The most obvious risk to businesses from email compromise is Funds Transfer Fraud (FTF). This involves a key contact being spoofed and requesting for funds to be directed or diverted to a different bank account. This could mean:

• Your company’s Accounts Receivable emailing clients to use an updated set of bank details for future payments
• Your supplier emailing procurement to update their invoice payment details, as they’ve changed banks and the old account is now closed
• Your subsidiary updating the details of the monthly settlement so that funds can be in the right account for upcoming purchases

Similarly, email spoofing doesn’t even need to involve distant contacts requesting changing bank details. Sometimes the email can come from someone with whom you work closely, and you wouldn’t check twice if they asked you to do something important. Imagine receiving an email from your boss asking you buy a subscription to a new bit of software – she’s just getting on a plane so won’t be contactable, but she needs this done ASAP so she can close a big deal for the business. Who would dare refuse such a request?

All of these are examples of the real attacks that happen daily to businesses. Attackers can readily send spoof emails “from” an organisation, and can easily find out the key people & processes in those organisations to ensure their spoofed emails have the maximum impact. Remember, they only need one to get through for a big payday…

That’s how a Toyota subsidiary managed to lose£30m (yes, million!) earlier this year. By spoofing their emails and understanding the key contacts & processes, criminals were able to redirect payment to their bank account. Toyota are left investigating how this happened, and counting the cost because it did.

"It wouldn't happen to us; we have an IT team to handle those sorts of things"

So maybe you didn't fall into the trap of ignoring the issue, and you’re aware that you're vulnerable. You might think that being a big, professional corporation would mean that someone would have covered this when setting all the systems up. But as the Toyota case shows, there is no such thing as too big to fail.

The reason is that (as with most things cyber risk) if this were purely an IT issue, it would have been solved by now. In fact, your IT team will probably already know about SPF & DMARC. But, departments across your business use email. And each of those departments uses a range of tools to send emails. So it’s easier for IT to minimise disruption by letting all of these through – let anyone send emails on behalf of the business – than potentially interrupt emails being sent by legitimate tools. In short, cyber risk isn’t really a business priority.

And Toyota isn’t alone. Shockingly, 92% of FTSE 100 companies are vulnerable to email spoofing; despite the fact that72% of boards consider the threat of cyber risk to be high! This means that suppliers, clients & customers of key companies cannot trust that the communications they receive from legitimate, real email addresses are not spoofs.

If stopping spoofs were a business priority, IT would be empowered to engage with business departments to understand their needs & the tools they use. By doing this, IT can ensure that trusted tools are trusted, and slowly policies can be ramped-up to ensure untrusted email senders are blocked.

To see what can happen when cyber risk is a business priority, look no further than our ownNational Cyber Security Centre. By prioritising the email security of the public sector, and iterating to slowly improve the policies, the NCSC has been able tostop 300 million scam emails from HMRC alone!

"It wouldn't happen to us; we just invested in expensive email protection software"

Finally, there are no quick & easy fixes. A number of companies invest in all-promising software solutions that “secure your mail”. But these will only filter suspicious inbound emails, doing nothing to protect you from being spoofed to your partners, or from receiving spoof emails. While we mentioned earlier that 92% of FTSE 100 are vulnerable to email spoofing; those which had clearly-implemented email protection software didn’t fare much better, with 88% of those companies still being vulnerable to email spoofing, due to ineffective or missing SPF & DMARC records.

If you’re worried about the risk of insecure email might pose to your business, KYND ON will quickly show you the areas where your business can improve its email security (and importantly, give you the necessary guidance to fix it!). We’re dedicated to making these and loads of other cyber risks simple to understand, quick to monitor and easy to prevent. So get in touch to see how KYND can help you.