Case studies

CASE006

Email fraud: an INFOSEC case study

This case study looks at the possible consequences of an email scam. 

Themes covered include:

  • posting personal information online
  • poor awareness of spoofing email
  • agency protection against spoofing email.

Scenario – what happened

Amy, an agency head from a small government organisation receives an email message from someone she believes is a Ministry of Foreign Affairs (MFAT) colleague.

The colleague’s email address looks genuine because at first glance it features her colleague’s name and his organisation in the usual way, eg, Joe.Smith@mfat.x.co.nz  

The email asks Amy to make payments on behalf of the organisation for routine administration expenses and that she click on a weblink, taking her to another website, as part of the payment process.

Amy, being busy and unfamiliar with the capabilities of the SEEmail system that protects agency-to-agency email, clicks the weblink and forwards the payment request to finance. 

Finance immediately notes that the email address is not an official government email address (it should have been Joe.Smith@mfat.govt.nz) and confirms that the email sender is, indeed, a fraudster who has obtained the name and organisation of Amy’s colleague from his LinkedIn profile. 

The weblink Amy clicked on infects her workstation and the entire network with malware, resulting in a widespread compromise of information. 

It also presents a threat to the other agencies and contractors that were networked with the agency, undermining official and public confidence in its reliability.

Lessons learned – what should have happened

Amy, Amy’s colleague Joe, and her agency made a couple of errors.

Amy’s colleague Joe should have:

Posted as little personal information online as possible

Employees working for government, especially those in possession of a national security clearance, should take care to post as little personal information on the internet about themselves as possible as their identity could be fraudulently used to obtain access to information, resources or assets. 

See also the Management protocol for information security.

Amy should have:

Been more aware of spoofing email and known what to do

Spoofing emails, which may be motivated by financial, criminal or political gain, attempt to appear legitimate by using content, templates and email and web addresses that look very similar to official or legitimate ones. They often contain an active web address directing personnel to a malicious website to either obtain illicit information or infect their work station with malicious code.

Employees should verify the source, be adequately trained to detect and react to malicious or suspicious-looking emails and never send or click active weblinks at work or in official emails.

Amy’s agency should have:

Taken steps to avoid spoofing threats

Agencies should configure their email infrastructure to avoid spoofing threats. For example, agencies should filter malicious or unidentifiable content received by email, strip active web addresses from emails and enable DKIM signing on all emails originating from their domain and on emails received.

See also the Management protocol for information security.

Page last modified: 5/08/2019