Spectrum Pay Management

A Cautionary Tale

Contrary to the mass media’s reports of text and chat messaging taking the world by storm, email remains one of the most powerful tools to make – or break – any organization.

Essential to communicating with clients, vendors, and stakeholders, email is critical to any thriving enterprise. 

Despite its utility, digital communication has a dark side – it takes just a single errant email to destroy a company’s finances and reputation. Read on to learn about the sequence of events at a financial SMB that ignored its ‘technical debt’ in terms of cybersecurity and wound up paying a far more serious price.

Spectrum Pay Management was entering its most successful year to date: with over 100 employees, a rapidly growing customer base, and a rising profit margin, morale was at an all-time high. 

Little did they know, their email domain’s identity was a ticking time bomb.

Spectrum’s executive suite and tech team felt confident in their internal security protocols. Email and spam filtering was set up on company email servers, and each employee had diligently set up multifactor authentication. They had heard of additional security measures like DMARC, DKIM, and SPF, but frequently pushed implementation out to the next quarter – after all, it didn’t seem like a priority.

One morning, Spectrum’s CEO received a frantic call from a long-time, valuable client. The client said they had received an email that morning from the CEO, complete with the correct email address, company logo, and signature, requesting an urgent wire transfer to a new bank account.

The client had processed the payment that morning, only to discover too late that it had been a scam. An unknown attacker had convincingly spoofed Spectrum’s email domain and had been sending emails as the CEO requesting payment.

Unfortunately, that first call was just the beginning. 

Identical emails had been sent to dozens of Spectrum’s valued customers, each containing urgent payment requests. Some ignored the emails, but other clients processed the payments in good faith. 

Within hours, tens of thousands of dollars had been scammed from Spectrum’s clients – all under the company’s logo and name. Their good fortune had come crashing down: clients were furious, their reputation was in tatters, and financial losses began to stack up.

Spectrum’s banner year came to a screeching halt.

Several large clients canceled their contracts, and satisfaction scores reached an all-time low. Their IT team worked around the clock to identify the cause of the breach, but without a proper email authentication system, Spectrum was unable to guarantee it wouldn’t happen again. Management and Client Relations were desperately trying to ‘make things right’ with the clients at tremendous cost to Spectrum itself, but even that wasn’t enough for most: a financial company with poor security? Who would trust them again?

Business Email Compromise Attacks

Spectrum fell victim to a Business Email Compromise (BEC) attack, a common scam that affects 77% of organizations annually.

In fact, organizations with 50,000+ employees are virtually guaranteed to experience one BEC attack per week.

It’s not a matter of if a business will be the target of a BEC attack, but when, and whether the organization’s email security system is prepared to neutralize the attack.

Real-World Example: Ubiquiti Networks Attack

In June of 2015, Ubiquiti, a wireless networking technology company, fell victim to a devastating BEC cyberheist. Attackers effectively impersonated both employees and executives at the company.

This impersonation was so effective that employees working at Ubiquiti couldn’t spot the fraudsters. Attackers siphoned $46.7 million in funds from Ubiquiti’s own finance department, the majority of which the organization was never able to recover.

Preventing Attacks with DMARC

BEC, spoofing, and other common email attacks can be prevented by implementing a three-step security solution: SPF, DKIM, and DMARC.

SPF (Sender Policy Framework): A process that uses DNS records to specify which IP addresses are authorized to send emails on behalf of a domain.

DKIM (DomainKeys Identified Mail): A certificate-exchange process that relies on digital signatures to verify the authenticity of email messages, ensuring they haven’t been tampered with.

DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds on DKIM and SPF to provide a policy and reporting mechanism, then enforces additional policies of its own. It also sends reports back to organizations so they can quickly neutralize suspicious emails and identify where bad actors may be using their domain.

With a cybersecurity vendor like Tangent, a full domain email security system can be set up in a matter of hours. Keep email domains safe from threats, monitor all email activity, and improve email deliverability through DMARC. 

Email security isn’t just “best practice”, it’s essential. Every organization will face a BEC threat at some point. Are you prepared for it?