Mrugesh Chandarana, Senior Product Manager, Identity and Access Management Solutions at HID Global discusses the rising trend of Business Email Compromise (BEC) and shares his views to combat this growing menace.
Business Email Compromise (BEC) is a type of phishing attack in which an attacker impersonates a high-level executive and attempts to trick an employee or customer into transferring money or sensitive data. According to the Federal Bureau of Investigation (FBI), as of 2018 this scheme had already caused $12.5 billion in losses to companies. The FBI warned of a 60% increase in 2018 in fake email schemes aimed at stealing money or tax data. These figures show that BEC attacks are technically simple yet extremely effective.
How to Prevent BEC Attacks
The ease of spoofing an email address, the advanced technology cybercriminals can readily access, and the social engineering techniques used to stage attacks can leave an organization wondering whether it is helpless against this threat. However, digital certificates can be used easily and cost-effectively to protect email communications from compromise. Depending on the type of certificate used to secure email, organizations can realize a variety of benefits, including:
- Ensuring the integrity of communications at rest and in transit
- Confirming to a recipient that the email is from a known sender or email address
- Locking the contents of a message to prevent tampering during transit
Selecting the Right Digital Certificate to Secure Your Email
Selecting a digital certificate to secure email communication depends on the usage and level of security necessary. There are three main considerations when choosing a digital certificate to secure your email.
Digital Signing – Emails can be digitally signed so that the recipient can confirm the identity of the sender. Email signing requires a certificate that contains a signing attribute. There are two types of certificates:
- IDENTITY BASED CERTIFICATES: Identity-based certificates validate the person who is named in the certificate. The identity of the individual sending the email will be confirmed to the individual receiving the email.
- S/MIME CERTIFICATES: S/MIME certificates validate the email address that is named in the certificate. The recipient of the email will know that the email came from a validated email account.
Non-Repudiation – Email signing, when non-repudiation is needed, requires an identity-based certificate that contains a non-repudiation attribute. Non-repudiation means that when something is signed using an identity-based credential, that signature is legally binding and cannot be repudiated or refuted.
Encryption – Email encryption requires a certificate that contains an encryption attribute. If you have a recipient's public key, you can encrypt the contents of an email sent to that individual. Likewise, if you would like others to send you encrypted email, you will need to share your public key with them before they can do so.
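As an added example (not from the article or from HID), the following Python check uses the `cryptography` library to read the three attributes discussed above from an X.509 certificate: the digitalSignature bit, the non-repudiation bit (named contentCommitment in X.509), the keyEncipherment bit that S/MIME encryption with RSA relies on, the emailProtection extended key usage, and whether the certificate is bound to a given email address. The self-signed test certificate and the addresses are constructed for the demonstration; a real deployment would inspect certificates issued by a trusted CA.

```python
"""Report which S/MIME roles (signing, non-repudiation, encryption) a certificate supports."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def smime_capabilities(cert: x509.Certificate, email: str) -> dict:
    """Map the certificate's extensions onto the attributes an S/MIME client checks."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        ku = None  # no keyUsage at all: treat every bit as absent
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        email_protection = ExtendedKeyUsageOID.EMAIL_PROTECTION in eku
    except x509.ExtensionNotFound:
        email_protection = False
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        emails = []
    return {
        "signing": bool(ku and ku.digital_signature) and email_protection,
        "non_repudiation": bool(ku and ku.content_commitment),  # X.509 name for nonRepudiation
        "encryption": bool(ku and ku.key_encipherment) and email_protection,
        "email_bound": email.lower() in [e.lower() for e in emails],  # address in SAN?
    }


def make_test_cert(email: str, *, sign: bool, non_rep: bool, encrypt: bool) -> x509.Certificate:
    """Constructed self-signed certificate (hypothetical, demo only) with chosen keyUsage bits."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example User")])
    now = datetime.datetime.now(datetime.timezone.utc)
    key_usage = x509.KeyUsage(
        digital_signature=sign, content_commitment=non_rep, key_encipherment=encrypt,
        data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False,
        encipher_only=False, decipher_only=False)
    return (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .add_extension(key_usage, critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
        .sign(key, hashes.SHA256())
    )
```

Running `smime_capabilities(make_test_cert("alice@example.com", sign=True, non_rep=False, encrypt=False), "alice@example.com")` reports a signing-only certificate, which is the case the text warns about when non-repudiation or encryption is required.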
How to Digitally Sign and Encrypt Email
There are two primary components of a digital certificate:
- A public key, used by others, to send encrypted email communications to you
- A private key, used by you, to sign emails and decrypt encrypted email communications sent to you
A public key is published and/or exchanged to facilitate email encryption and can be:
- Exchanged via a signed email communication
- Attached to your contact card in your associate’s address book
- Published to a Global Address List (GAL)
Digital signatures are compatible with most enterprise email clients, and most clients can be configured to sign all outgoing mail automatically. It’s relatively easy to standardize company-wide.
When recipients open a digitally signed email, a red ribbon indicates that it has been signed and shows the name of the signer. Because the signature was applied using the sender's certificate, which was issued only after an identity verification process, the recipient can be confident that the email came from the sender and is not part of a phishing attack.