Email Flow Rules Help Prevent Scams
A popular attack or threat vector for cybercriminals is to send an email pretending to be from a top-level executive or in the case of local governments the City Manager. The email is designed to manipulate an employee to disclose information, transfer money, or click on a link that leads to malware. This type of an attack is called business email compromise or CEO fraud. Both names may be a bit misleading but that is what is called by the FBI and FTC. In a previous post, Most Popular Cyber Scams, I describe this attack along with other popular scams.
As an auditor I have noticed a sharp increase in scams targeting finance, payroll, and human resources departments of local governments. The scam involves emails that look like they are coming from the City Manager or equivalent to staff requesting either a wire transfer or employee W-2 information. Several local governments have fallen victim to this scam and almost all my clients report having seen such emails.
In this post I want to give you some practical things you can do to help prevent your organization from becoming the next victim.
First and foremost, employees must be informed about this attack. At the very least all finance, payroll, and human resources staff should be notified to be on the outlook for such attacks. Ideally every local government should have a cybersecurity awareness program. I cover some aspects of a cybersecurity awareness program in a previous post.
Second, ensure dual authorization for all wire transfers.
Third, setup some email flow rules that will help to either identify emails originating outside of your organization or will prohibit emails with social security numbers from being emailed outside the organization.
Email Flow Rules
If you haven’t used email flow rules you will be surprised all the things you can do with them, including warning users email came from outside your organization. Email rules can be created natively in Exchange, Office 365, or other email server. You may also have the ability to set rules in your SPAM prevention software or service. There are too many to go over here, you will need to check with your anti-SPAM provider on how to setup rules in their system. You may also be able to set this up on some firewalls that act as email gateways.
One popular rule is to create an email rule that will flag external emails with “EXTERNAL” or similar identifier added to the beginning of the subject line. If you opt to do this, you may wish to create a rule that removes the “EXTERNAL” from the subject line for outbound email otherwise, replies will have “EXTERNAL” in the subject line.
The other option is to add warning text, probably in red, to the message body that says something similar to “Email originated outside our organization.” Note that altering the message body will break digital signatures on signed email.
In Office 365 go to Exchange Admin Center and select Mail Flow. In the sample below, I have the email rule apply to a person or group. The risk for finance, payroll, and human resources is higher so you may only want to apply this rule to them. To do so make a group in Active Directory for the departments and select it where you see the purple box below.
Here is a sample rule:
Note mail flow rules in Exchange 2016 and Office 365 are similar. For more information on how to setup rules and the breadth of what can be done with these rules see the Microsoft documentation at: