A screenshot of a virus-infected computer has been floating around the internet in stories about the recent worldwide ransomware attack that spread across more than 150 countries and affected hundreds of thousands of computers.
“To date, I have yet to see what that email looked like that was the initial entry point where people got infected,” said Alex Garcia-Tobar, CEO and co-founder of the cybersecurity firm ValiMail.
A phishing email is what triggered the recent ransomware attacks. About 91 percent of all cyberattacks are the result of phishing, in which scammers send emails pretending to be someone you know to gain access to your device and to your life.
“The reason email is so effective is because for the most part, people have not done what’s called email authentication, which stops people pretending to be somebody else that you trust,” Garcia-Tobar said.
Email authentication is an obscure security strategy that protects email domains. If an email domain is authenticated, scammers can’t hack into it and make fake email addresses to scam people.
Garcia-Tobar’s company is one of a handful that provide email authentication services to businesses. He said company executives are increasingly becoming the target of scams rather than individuals.
“Coupa, a local Bay area company, recently had a W-2 attack,” he said. A few months ago, the human resources department at Coupa received an email from someone posing as the CEO, asking to be sent employee federal W-2s forms. The email came from a Coupa.com email address.
“So those W-2s left the company,” Garcia-Tobar said. “Anyone that’s experienced a W-2 attack will tell you, W-2s enable a criminal to buy a house with your name on it, to take a car loan, to open bank accounts.”
If the Coupa.com email domain had been authenticated, the scammer wouldn’t have been able to make an account and impersonate the CEO.
“If more companies authenticated their email domains, the phishing and ransomware exploits would drop a lot,” said Cameron Camp, a security researcher with the the security company ESET.
Email authentication is still a relatively new security strategy. The majority of companies have not adopted it.
“There needs to be more one- or two-button solutions,” Camp said. “The tools are difficult to set up.”
Camp said while authenticating an email domain isn’t as easy as installing anti-virus software, businesses need to prioritize it.
“If scammers can get into a corporate email, they can send an invoice request to a customer and then change the bank number on it,” Camp said. “The impersonation attacks are getting very sophisticated.”
For personal email, major providers like Gmail and Yahoo take care of authenticating their users.
The real risk is with company email. It might be worth emailing your work IT department about authentication.
On second thought, go talk to them in person.