Mobile Device E-mail Security - How to use a Hub Transport rule to help!

February 01, 2019 in Tech Tips and Industry News, Small Business Security

Mobile devices can pose a major cybersecurity risk that catches many people off guard, even with good email security systems in place. One reason for this, of all things, is their smaller screen size. Let’s explain why!

Email applications on smartphones must make the most of the tiny screens they occupy. As a result, by default the only information shown about the source of an email on your mobile is the sender’s display name, e.g. “John Doe”, in keeping with the modern-day mantra of sleek user interface design. To view John Doe’s full email address, even when replying to his message, the user must tap the sender’s name.

Can you see the problem yet? This feature makes it possible for emails from randomguy@email.com to look identical to emails from johndoe@mycompany.com when viewed side by side on a mobile device, as long as the display name is configured to be “John Doe”. Throw in a pinch of social engineering and an email signature tailored to fit based on someone’s out-of-office autoresponder (holidays, anyone?), and you suddenly have a killer phishing email from CEO “John Doe” sent to Jane in accounting at 5:17 PM, requesting an emergency ACH transfer to a known supplier with a false bank account number, which she is going to see in her Inbox on her mobile device. The next morning, she expresses some confusion about the $9,000 invoice she paid last night, and the deceit is uncovered, but by now the money has been moved dozens of times before being converted to a digital currency such as Bitcoin. The cash is not recoverable because Jane authorized the transaction. But this incident would still pale in comparison to the attacker managing to dupe Jane into exposing her password and then using it to gain back-door access to swaths of the company network and finances.

Unless Jane tapped “John Doe’s” name in the email app to reveal the randomguy@email.com address, she could easily be duped into doing whatever the message is directing her to do. The company spam filter is not going to recognize or prevent this threat 90% of the time, because the sender is not faking John Doe’s actual email address johndoe@mycompany.com (referred to as “spoofing” in tech jargon) and is instead sending properly authorized emails from randomguy@email.com.

The only defenses are locking down the email server to an extreme and training all employees to be diligent about checking the source email address on every email they receive on their mobile. On the email server, one would need to configure rules to the effect of:

If the sender display name is “John Doe”, mark the message as Junk and alter the subject to include “WARNING: Phishing Email”, except if the sender is johndoe@mycompany.com.

But even this technical approach is no silver bullet: if the display name is “John D0e”, with a zero instead of an O, the attack could still work if Jane wasn’t extremely careful. At the end of the day, it’s John’s responsibility to ensure Jane is trained to constantly be on the alert for this kind of threat, and better yet, ensure that all company processes are structured with security checks in mind.
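The rule above and its “John D0e” blind spot can be modelled outside the mail server. The following is an added example, not part of the original post and not Exchange configuration: it is Python, and the `PROTECTED` directory, the `LOOKALIKES` map and all function names are assumptions made for illustration.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed directory: protected display name -> the only address allowed to use it.
PROTECTED = {"john doe": "johndoe@mycompany.com"}
# Illustrative lookalike map; deliberately small and not exhaustive.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
WARNING = "WARNING: Phishing Email - "

def normalize_name(display_name: str) -> str:
    """Fold case, Unicode compatibility forms, lookalike digits and spacing."""
    folded = unicodedata.normalize("NFKC", display_name).casefold()
    return " ".join(folded.translate(LOOKALIKES).split())

def is_impersonation(from_header: str) -> bool:
    """True when a protected display name arrives from any other address."""
    name, addr = parseaddr(from_header)
    allowed = PROTECTED.get(normalize_name(name))
    return allowed is not None and addr.casefold() != allowed

def apply_rule(raw_message: str):
    """Mimic the rule: return (mark_as_junk, resulting_subject)."""
    msg = message_from_string(raw_message)
    junk = is_impersonation(msg.get("From", ""))
    subject = msg.get("Subject", "")
    if junk and not subject.startswith(WARNING):
        subject = WARNING + subject
    return junk, subject

# Constructed sample message using the addresses from the scenario above.
SAMPLE = (
    "From: John D0e <randomguy@email.com>\n"
    "To: jane@mycompany.com\n"
    "Subject: Urgent ACH transfer\n"
    "\n"
    "Please pay the attached invoice today.\n"
)

if __name__ == "__main__":
    print(apply_rule(SAMPLE))
```

An exact-match rule would let the constructed “John D0e” message through; normalizing the display name before the comparison catches it, although lookalikes outside the map still pass.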

Benno Van Waeyenberg

Born in Belgium, Benno grew up travelling the world with his parents and brother in a mobile home until they finally settled in Mexico. He got into computers as a hobby when he was 14 years old by hanging out with a retired British engineer who was really into computers as well. He started fixing computers for a fee starting at age 15 and opened a dedicated shop as soon as he was old enough to sign a lease the day after his 18th birthday.
