Bank’s Email Domains Impersonated to Commit Fraud Against Prothious Engineering Services
An engineering services company called Prothious Engineering Services became a victim of this fraud, incurring a loss of around 20 Lakh. An email ID impersonating IndusInd sent repeated emails to Prothious. The emails requested details such as mobile phone numbers, linked current account numbers and other sensitive information.
Prothious employees did not notice the extra ‘e’ in the email address (firstname.lastname@example.org); the rest of the domain looked perfectly legitimate, and they responded with all the requested details.
As per the incident reported in January 2014, a phishing mail was sent under the domain name of the bank. https://indianexpress.com/article/india/bank-domain-id-used-to-send-fraudulent-mail-told-to-pay-phishing-victim-rs-20-lakh-6500007/
In cyber security, it is tricky to pin liability on one party. Oftentimes, it is no one’s fault that a phishing attack falls through the cracks. In this case, the bank was ultimately proven to be at fault. The order issued demanded that the bank pay a reimbursement of Rs 20.55 Lakh back to the company.
There are a couple of other points, security-wise, that you can take away from this case.
Below are the possible reasons noticed for the lapse in the bank’s security system:
- The bank had not implemented DMARC when this fraud occurred.
- The recipient email server did not check for a DMARC record.
- The sender (in this case, the bank) may not have implemented a strong password policy or Multi-Factor Authentication, or may have enabled mail forwarding to external email servers.
Remedial Actions That Could Have Avoided This Attack
You can stop fraudsters from spoofing your email domain by setting the DMARC policy to Quarantine or Reject. Before setting the DMARC policy to Quarantine or Reject, you need to analyse your email traffic first.
With a Reject policy set, the receiving servers, on receiving emails from the spoofed/impersonated email domain, would have blocked them and reported back to the sender on why the messages failed validation. The bank would have received alerts of the spoofing almost immediately.
If your Domain has No DMARC or DMARC set to None, any fraudster can send Emails to your Customers, Vendors or Business Associates in your name to commit fraud.
Find more details about various DMARC policies here.
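To make the difference between these policies concrete, here is an added example (not code from this blog or from any DMARC tool) that audits DMARC TXT records and reports whether a domain is unprotected, monitor-only, partially enforced or fully enforced. The records and domain names are constructed samples, and the verdict labels are this example's own.

```python
# Added example: audit DMARC TXT records (constructed samples, no DNS lookups).

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the first tag must be v=DMARC1
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Return (verdict, findings); txt is None when the domain has no record."""
    if txt is None:
        return "unprotected", ["no DMARC record published"]
    tags = parse_dmarc(txt)
    policy = (tags or {}).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "unprotected", ["not a valid DMARC record (needs v=DMARC1 and p=)"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to analyse")
    if policy == "none":
        findings.append("p=none: mail failing DMARC is still delivered")
        return "monitor-only", findings
    pct = tags.get("pct", "100")
    weakened = False
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
        weakened = True
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none: subdomains are left unprotected")
        weakened = True
    return ("partial" if weakened else "enforced"), findings


# Constructed sample records; the domain names are placeholders.
SAMPLES = {
    "no-record.example": None,
    "monitoring.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        verdict, findings = assess(record)
        print(f"{domain}: {verdict}", *findings, sep="\n  - ")
```

The monitor-only stage with a `rua=` address is the traffic-analysis step described above; the record should move to Quarantine or Reject once the reports show that legitimate mail passes.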
Multi Factor Authentication (MFA)
Multi-Factor Authentication acts as an extra layer of protection for your online accounts, making it harder for fraudsters to gain access to your sensitive data or account. As bank employees deal with critical data, they need two-step verification for a higher level of security.
You can read the finer details of MFA in a previous blog.
Sometimes, employees enable the mail forwarding option to send messages from their business mailbox to their personal email IDs. Employees should avoid forwarding emails to any external mail server, for safety reasons.
This was one of the cases that resulted in a reversal of the losses. But that won’t always be the case. Better security and awareness can help you stay away from the unnecessary headaches of cyber fraud. Logix posts frequent news reports and current happenings in the security world on its blog. Keep visiting for regular updates!