Can Emails destroy your business?
What can happen?
- Somebody who has access to your corporate email account can receive a copy of your
emails by adding forwarders (an alternate email address). So that they will be able to get
an idea about the negotiations which you do with your customers, businesses transactions
which are going to happen etc.
- Later they can create fake email accounts which looks very similar to your email
account (Eg: genuine: firstname.lastname@example.org , fake:email@example.com) and may deal with
your customers pretending to be you.
- Unsuspecting customer may trust whatever the fraudster says and will act upon the
instructions provided by fraudster. For example the fraudster can say that your company
has changed your bank account and will give a new bank account details for the customer
to deposit money for your goods. As a result you will loose the money as well as the trust
of the customer.
- It can happen viceversa if you are the customer, who is negotiating businesses
transactions over the emails with a business partner. i.e. You will receive a fake email
pretending to be from your business partner, saying that they have changed their bank
account, so that you have to deposit money in the new account given in the email.
- You may receive a fake mail pretending to be from your email service provider
mentioning that they have done some changes/upgrades in their mail serves and hence
you need to verify your email credentials (username and password) for them to update
their information. Most of the time this kind of a mail (which is called a phishing mail) is
used to grab your email account password, by the fraudsters.
How can you avoid this?
- Organization email account used for business discussions should be protected by strong
password. A strong password should contain, capital letters, simple letters, numbers and
symbols. It should be at least 8 characters long. For example you can create a password
from word 'Sri Lanka' as '5r! LaNk@'. This is easy to remember but very difficult to guess.
- Passwords should never be shared. In an organization sometimes it must be shared as
few sales or accounting staff is working on a shift basis. But need to make sure they are
accountable for any emails send or received or any modifications to email account
- Always check whether there are unknown 'email forwarders' in your account.
- Always check whether 'replyto' address is correct.
- For office email accounts access should be closely monitored. May be office mails can be
accessed only from office,only during the office hours etc. should have a proper access
controls for the email account.
- Email address should be properly checked before you take any action upon any mails
received. Also check whether you are sending/replying to the correct email address or
not. (Check the email address letter by letter. NOT the display name but the email
address. Following looks the same but totally different email addresses;
firstname.lastname@example.org and email@example.com)
- If you are importing or exporting goods, if you or your client receive any email stating
bank accounts are changed due to audit process, to keep a track or foreign customers or
any other the reason, before acting on you should verify that information by other means
such as a phone call to known number which you know exactly correct or may be use fax
etc. DON'T call on the numbers on the email which state the change of bank accounts.
- Even if you receive a call from your business partner stating that bank accounts have
being changed, call them again and verify the information. Because fraudsters may call
pretending to be your business partner and make sure money will be deposited to his
account rather than the correct bank account.
- If any confidential documents, invoices are sent via email, protect the document with a
password and password should be send via SMS or via a different email account or via
skype etc. (out of band communication)
- You can use email encryption software like (PGP or GPG) so that all your email
communications are secured.
- Do not respond to emails which request you to verify your email credentials with a
given link/form which is pretending to be from your email service provider. If you receive
such a mail immediately contact your email service provider.
- Maintain the at least 'access logs' of your email accounts. Access logs record the IP
address of which each email account is accessed from, time stamp, additionally computer
operating system used to access emails, browser details etc might recorded. Logs will be
very helpful if you are investigating any suspicious activities on your email accounts.
- Maintain 'activity logs' of your email accounts. Activity logs may contain the each and
every actions carried out by each and every user. For example, email sent, email
forwarded, email deleted, etc. Logs will be very helpful if you are investigating any
suspicious activities on your email accounts.
Mr. Perera is a small scale businessman who imports goods from foreign countries and
distributes them within Sri Lanka. He uses the Internet to search for possible International
sellers to import items. He uses email as the main communication method to chat with his
counterparts from foreign countries. English being the common mode of communication on
the internet, it is easy for him to overcome any language barriers. For the past 5 years he has
been carrying out all of his business communications through the emails since he had
He recently ordered some items from a company (say company ABC in XYZ country) with
whom he has already dealt with couple of times. He received the invoice via email. While he
was preparing the bank transfer to pay for the goods, as is the usual mode of payment, he
received another email from Company ABC stating that they have changed their bank account
and requested Mr. Perera to make the payment to a new bank account. Reason for the
changed stated that because ABC company original account is under audit process hence will
not be possible to receive money to usual account.
Without thinking too much, the unsuspecting Mr. Perera acted on that email since he was in a
hurry to get the items quickly. He made the payment to the newly given bank account; the
amount was substantial by his standards couple of million rupees. Mr. Perera waited for two
weeks to receive his goods but they did not arrive. Then he sent another email to them asking
for reasons for the delay. There were no replies. Then he decided to call the company and
check what is happening with his shipment. He was shocked to hear that his payment was not
received. He told them, that he deposited money to the new bank account and has already sent
the relevant documents to them as well. But Company ABC said that they have not changed
their bank account and didn’t receive his emails with the relevant documents.
Then he checked the above emails again and realized that they have come from an email
address which looks very similar as the email address of Company ABC. The original email
address which he normally dealt with ABC was firstname.lastname@example.org and the suspect
email address was email@example.com. The difference was just an 'i' in the middle
which is very hard to differentiate. Then he realizes that the new bank account details came in
the suspected mail account and he had deposited money to the suspects' account.
All his money was lost and he could not get his shipment. This was a nightmare for a small
scale businessman like Mr. Perera. What went wrong and how can you be protected from this
type of incident and inevitable financial loss?
Today, most of businesses primarily use the Internet to look for business opportunities and for
activities such as advertising, marketing, and customer support. Most of the small scale
businessmen use free email services like gmail, yahoo and hotmail to save operating costs. This
is an era where most business deals, transactions between businesses happen through email
communications and not with signed documents in letterheads. This easy and quick way of
carrying out businesses brings new risks and threats.
Where did Mr. Perera go wrong and how could he have avoided this mishap in order to run a
safe business? The most common problem encountered when using the Internet for businesses
is that most users have very little knowledge of how to protect themselves on the Internet.
First, you should know that you will essentially be joining thousands of other internet users
from around the world in this new industry of Internet business. Remember you are in a public
domain and you are always vulnerable to attacks by intruders.
When Mr. Perera received the email asking him to deposit money to a different bank account,
he could have contacted Company ABC offline (using a different communication mode –
Skype, regular phone or any other free VOIP service) to check and verify whether they have
changed their bank account details. Also Mr. Perera should have got suspicious about the
sudden change of bank account number and should have taken the trouble to critically analyze
the email that he received.
If you perform any business with international partners and communicate via emails it is very
important to check and verify everything carefully by several means before you take any
About Sri Lanka CERT|CC
Formed in 2006, the Sri Lanka Computer Emergency Readiness Team | Coordinating Centre
(Sri Lanka CERT|CC), a fully owned subsidiary of the ICT Agency of Sri Lanka, is a
government agency mandated with the protection of Information and Information Systems
within the state sector, while extending its services to the private sector and general public.
Its services range from responding to and investigating information security breaches, to
preventing security breaches by way of awareness creation, security assessments and security
capability building. It is a full member and the national point of contact, for both the Asia
Pacific Computer Emergency Response Team (APCERT) and the Forum of Incident Response
Security Teams (FIRST), which are regional and global associations, respectively, formed to
coordinate Internet security efforts between nations. Learn more at www.cert.gov.lk