Fraudulent email, spam, phishing – call it what you will – has been a scourge for far too long, acting as a mechanism to steal personal information or deliver malware onto unsuspecting users’ machines.
The premise is always the same: to gather enough information to then commit fraud. Estimates so far of the impact of cyber crime on the UK purse stand at greater than £20bn per annum, and nearer to £300bn worldwide.
Of course, fraudulent email is not the only mechanism for cyber crime, but it is recognised as a huge enabler. For too long this threat has gone on unabated, with organisations applying a modicum of controls which barely scrape the surface. Those controls are usually aimed only at stopping fraudulent email entering the organisation itself, and do little to prevent misuse of a trusted brand or name to conduct attacks against customers and others outside the organisation.
Moreover, as organisations embrace the digital age and the transformation of business processing that it brings, fraudulent email can have another significant impact. As long as organisations continue to allow criminals to abuse their brand through such means, they lose the ability to use the same medium for their own purposes.
If the majority of email purporting to come from an organisation is fraudulent, internet service providers (ISPs) and customers will start to treat all email quoting that organisation’s name as such.
Frankly, we have lost the battle over the use of email as an effective communication method. However, all is not lost…
Tips for combating fraudulent email
My colleague Iain Hunneybell and I have developed what we believe is a comprehensive whitepaper detailing the practical and technical steps an organisation can take to both abate this scourge and reclaim control of their domain.
The whitepaper – entitled Combating fraudulent email; a recipe of real world controls – provides readers with a step-by-step ‘how to’ guide to combating this threat, with technical implementation details making it easier for organisations to implement these steps.
The reason for developing this paper was to provide an answer to the industry as a whole.
When seeking an answer for ourselves we found there were some bits and pieces of advice and a series of recognised – and less recognised – technical standards, but nobody had taken the time to look at the problem in the round and address all aspects of the issue. So we took it upon ourselves to do just that, and this is where the idea for the whitepaper was born.
We decided on the whitepaper approach because, when looking at this threat, we saw that implementing these controls in isolation within a single organisation is all well and good, but that organisation’s customers are still at risk from the raft of fraudulent email that does not bear its branding. The only way we can truly address this threat is if we apply consistent and coherent controls across the industry.
This whitepaper hopefully provides a global blueprint not only for combating fraudulent email, but also for taking back control of email as a communication channel.
It is not a panacea, but it does provide a series of measures which, when coupled together, deliver a step-change in the approach to fraudulent email through proven technological and procedural controls from a framework that actually works. This approach has dual benefits: not only does it address the fraudulent abuse of an organisation’s brand, but it also allows the organisation to legitimise its own communications and ensure delivery to customers’ inboxes.
An online hub for security advice
The whitepaper can be downloaded from CISO Central, a new website designed to provide security professionals with practical advice and guidance on information and cyber security issues and solutions. The website has been designed and built as a mechanism for drawing on the experience of seasoned security experts to impart knowledge and technical guidance to the wider community.
The whitepaper is the first release and outlines the premise for this new hub. With the industry being awash with buzzwords, myths and myriad conflicting theoretical information, we decided to build a hub that provides practical advice distilled from proven experts to be shared across the industry, and this is the first such piece. Simply, it is two seasoned security professionals sharing their experience with a Haynes Manual-type solution to a global problem.
You will need to register with the site if you want to download the full paper. If you feel you have something of value and wish to contribute to the site and information hub, please register and get in touch.
Edward Tucker is a founding member of CISO Central and head of cyber security at HM Revenue & Customs.