Imagine it’s closing day on a sale you’ve been working on for half a year. You’re the buyer’s agent, and you’re still on duty. The instructions for money wiring arrive; your legal staff reads the email and executes the bank transfer per the instructions.
The sum is debited from the buyer's account, but the proceeds never arrive at the seller's account. A closer look at the email shows why: the instructions were fake. Someone, an attacker, knew the closing was today, knew the rough terms of the transfer, and knew which email to tamper with so that the seller's legitimate wire destination was replaced with a criminal's account details.
It was supposed to be a day for champagne and celebration. Instead, it’s a day for Advil and Rolaids.
Fact: Email Is Insecure
It is impossible to imagine the business world conducting itself without email. In a single minute, users on the internet send 204 million emails. Yet email is a deeply flawed business tool in one critical way: it was never designed for either security or privacy.
Email in its most basic form is plain text. When evaluating its security and privacy, consider email akin to a postcard: anybody handling a postcard can read what's written on it. Even where the connection between two mail servers happens to be encrypted, that protects only that one hop; the message itself is stored in plain text on every server that collects, relays, or holds it. Each of those machines is a repository of readable messages.
An attacker who gains access to a mail server's messages (or to a single compromised mailbox) can run searches, or filters, over hundreds of thousands of plain text messages, looking for interesting terms such as "account number", "closing date", or "xxxx N. Main Street". From there, tampering with critical, specific emails (such as the ones sent during closing) is a simple next step.
More Subtle Than Viruses And Spear Phishing
We've all received odd email with bogus attachments (malware) and links leading to places we've never seen before (phishing, including the targeted variety known as spear phishing); most of us know not to trust such messages. But an attacker who is leveraging privileged information to tamper with an email that contains wire transfer instructions is relying on familiarity: the message arrives in an expected thread, from an expected sender, at the expected time, so there is no alien appearance to notice.
For these reasons and more, an email message that contains wire transfer instructions, even when expected, is best treated as unverified: do not act on it until the details have been confirmed through a channel other than email.
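The two points above, how trivially an attacker with mailbox access can filter plain-text messages for terms of interest, and why a message carrying wire instructions should be flagged for verification rather than acted on, can be shown in a few lines. The following is an added example written for this page, not code from the original post or from any firm it mentions. The messages, addresses, bank names, and account numbers are all constructed; the search terms, the regular expressions, and the "CHANGED" rule (flag a thread whose wire details differ between messages) are this example's own assumptions about what a reviewer would look for.

```python
"""Search a plain-text mailbox the way an attacker would, then flag
messages that carry wire instructions so they get verified out of band.
Every message below is constructed for this example; none is real."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Tuple

# Constructed sample messages in RFC 5322 format (not real correspondence).
SAMPLE_MAILBOX = [
    "From: seller.attorney@example.com\n"
    "To: buyer.agent@example.com\n"
    "Subject: Wire instructions - 123 N. Main Street closing\n"
    "\n"
    "Please wire the closing proceeds on the closing date (June 14) to:\n"
    "Bank: First Example Bank\n"
    "Routing number: 123456789\n"
    "Account number: 000111222333\n",
    # A reply in the same thread with different bank details: exactly the
    # tampering pattern described in the article.
    "From: seller.attorney@example.com\n"
    "To: buyer.agent@example.com\n"
    "Subject: Re: Wire instructions - 123 N. Main Street closing\n"
    "\n"
    "Correction - please use the account below instead:\n"
    "Bank: Second Example Bank\n"
    "Routing number: 987654321\n"
    "Account number: 444555666777\n",
    "From: colleague@example.com\n"
    "To: buyer.agent@example.com\n"
    "Subject: Lunch on Friday?\n"
    "\n"
    "Want to grab lunch after the staff meeting?\n",
]

# Terms the article names as what an attacker searches for (assumed list).
ATTACKER_TERMS = ["account number", "closing date", "N. Main Street"]

# Assumed patterns for US-style wire details in free text.
ROUTING_RE = re.compile(r"routing(?: number| #|#)?\s*:\s*(\d{9})\b", re.I)
ACCOUNT_RE = re.compile(r"account(?: number| #|#)?\s*:\s*(\d{6,17})\b", re.I)


def parse_mailbox(raw_messages: List[str]) -> List[EmailMessage]:
    """Parse raw RFC 5322 text into EmailMessage objects."""
    return [email.message_from_string(raw, policy=policy.default) for raw in raw_messages]


def body_text(msg: EmailMessage) -> str:
    """Return the plain-text body (the samples are single-part text)."""
    return "" if msg.is_multipart() else msg.get_payload()


def attacker_search(messages: List[EmailMessage], terms: List[str]) -> List[Tuple[str, str]]:
    """What an attacker with mailbox access does first: a case-insensitive
    substring search over subject and body of every message. Returns (subject, term) hits."""
    hits = []
    for msg in messages:
        subject = str(msg["Subject"] or "")
        haystack = (subject + "\n" + body_text(msg)).lower()
        for term in terms:
            if term.lower() in haystack:
                hits.append((subject, term))
    return hits


def extract_wire_details(text: str) -> Dict[str, str]:
    """Pull routing and account numbers out of a message body, if present."""
    routing = ROUTING_RE.search(text)
    account = ACCOUNT_RE.search(text)
    return {
        "routing": routing.group(1) if routing else None,
        "account": account.group(1) if account else None,
    }


def thread_key(subject: str) -> str:
    """Normalize 'Re:'/'Fwd:' prefixes so replies group with the original message."""
    return re.sub(r"^(?:(?:re|fwd?)\s*:\s*)+", "", subject.strip(), flags=re.I).lower()


def flag_for_verification(messages: List[EmailMessage]) -> Dict[str, str]:
    """Return {thread: status}: 'VERIFY' for any thread carrying wire details,
    'CHANGED' when the routing/account pair differs between messages in the thread."""
    seen: Dict[str, set] = {}
    for msg in messages:
        details = extract_wire_details(body_text(msg))
        if not details["account"]:
            continue
        key = thread_key(str(msg["Subject"] or ""))
        seen.setdefault(key, set()).add((details["routing"], details["account"]))
    return {k: ("CHANGED" if len(v) > 1 else "VERIFY") for k, v in seen.items()}


if __name__ == "__main__":
    msgs = parse_mailbox(SAMPLE_MAILBOX)
    for subj, term in attacker_search(msgs, ATTACKER_TERMS):
        print(f"attacker hit: {subj!r} contains {term!r}")
    for thread, status in flag_for_verification(msgs).items():
        print(f"{status}: {thread} -> confirm by phone, using a number you already had")
```

The attacker half needs nothing beyond a substring match, which is the article's point: once messages are readable, finding the closing is cheap. The defender half flags any thread containing wire details, and escalates when the details change mid-thread, which is the strongest signal in the scenario above. A flag is a prompt for a phone call, not a verdict; a "VERIFY" thread is still unverified until someone has confirmed the numbers out of band.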
What Are The Alternatives?
Because of these inherent security and privacy weaknesses in email, commercial real estate brokerages and law firms increasingly reserve the communication of wire transfer instructions for non-email channels such as fax or a telephone call between people who already know each other. One caveat matters: the phone number used for that call must come from a source you already had (a prior contract, a business card, the firm's published directory), never from the email being verified, since an attacker who can alter the account number can just as easily alter the callback number. While not perfectly secure, using voice or fax to communicate these details greatly raises the commitment and difficulty required of an attacker. No longer are simple text searches enough, and that alone improves the bottom line on security and privacy.
Of course, never ever take anything you read here at The Source as legal advice — and always retain qualified legal and technical counsel.
The kind of counselors, for example, who don’t just assume internet email is secure and trustworthy.