back to article Anti-phishing most critical defence against rife CEO email fraud

Internal anti-phishing programs are essential to prevent chief executive officers wiring money to fraudsters, threat man Donald McCarthy says. The programs are an underrated yet proven method for clamping down on what is perhaps the world's most successful and widely-used avenue to attack businesses and individuals. Business …

  1. jake Silver badge

    Yet another example of why ...

    ... big business needs actual IT professionals in control of IT. Business-types are absolutely, totally, and completely clueless about computers/networking/security.

  2. Anonymous Coward
    Anonymous Coward

    It is not an IT problem. The problem is CEOs that bypass their companies purchasing procedures. The procedures apply to everyone, not just the shop floor. If the procedure is too much hassle for the CEO then it's too much hassle for everyone else and need to be simplified.

    In any case, requests for money should go to the accounts department who are supposed to control and check outgoing payments. It is very common for business to receive fake invoices, bills and other kinds of scams. Not just by email, sometimes by post or phone. Unless everything checks out they go in the bin.

    Of course, the accounts dept might still screw up, because they are usually a bunch of useless idiots, who think they are financial geniuses because they can mistype numbers into a poorly designed excel spreadsheet, but that's a different problem.

    1. Triggerfish

      Or the CEO just bypasses becuse they can't be arsed, seen that a few times, CEO's who think procedure is for the staff not them.

  3. Will Godfrey Silver badge
    Meh

    Size matters

    The small engineering company I do occasional work for has it pretty tightly under control. There is only one person handling payments, and she absolutely will not pay out anything without a purchase order number and payment/account details that exactly match her records.

    However, the company is remarkably lacking in Jags, Yachts & golf courses.

    1. Anonymous Coward
      Happy

      Re: Size matters

      I think we work for the same company...

    2. disgruntled yank

      Re: Size matters

      Sounds good. But it seems to me from a Register story earlier in the week that Cisco got burned but good via engineers. In that case, to be sure, it wasn't money that was stolen, though Cisco may have wished it was.

  4. Anonymous Coward
    Anonymous Coward

    Email is not secure

    Shame no mention of technical options, such as DMARC

  5. Miss Config
    Stop

    Do NOT even read emails, never mind answer them

    Company policy should be that you can only read emails to your company address PROVIDED

    * You know the sender via the sender's address

    * People with whom you are in regular email contact agree with each other how to recognise each other's

    message

    ( eg. agree what the subject says exactlty even though it may have zero to do with the actual message.

    I agree with Jane that her next important eamil will be headed 'It is raining in Borneo'. )

    * a deparment ( sysadmin ? ) must manually allow me to read emails from people I have not previously

    had email contact with ).

    1. Robert Helpmann??
      Childcatcher

      Re: Do NOT even read emails, never mind answer them

      I agree with Jane that her next important eamil will be headed 'It is raining in Borneo'.

      See, this secret squirrel stuff is why actual education is so important. If you think getting people to follow password security requirements is a chore, try implementing this "proposal."

      Ongoing education and personal consequences for failing to follow policies are a much more reasonable and effective approach. This applies to both IT and accounting. Simply having a policy in place that no-one at any level may make expenditures above a certain amount without a defined set of individuals required for approval of the deal go a long way toward killing the effectiveness of phishing scams.

    2. Anonymous Coward
      WTF?

      Re: Do NOT even read emails, never mind answer them

      We handle 2 million emails a DAY. Have 10's of thousands of customers, from thousands of businesses.

      Good luck with your policy.

      1. Triggerfish

        Re: Do NOT even read emails, never mind answer them

        I work with teams around the world, with many email exchanges, on projects across large estates, with loads of people sometimes emailing in on threads if we have a problem, outside contractors, various different companies running sites, getting clearance for access to places etc etc.

        Running an email policy like that would be more work than the actual work I do.

  6. Anonymous Coward
    Anonymous Coward

    @Miss Config

    Jean has a long mustache.

    Is Napleon's hat still in Perros-Guirec?

    Clarisse has blue eyes.

    Code phases are great, but take care that they don't stand out as such

  7. Anonymous Coward
    Anonymous Coward

    If staff are aware that IT are sending mock phishing emails - then are they possibly more likely to open one to see what it says? Familiarity breeds contempt.

  8. teebie

    There are some very dumb people in charge of far too much money

  9. Miss Config
    Meh

    Default Attitude : Do NOT read that email

    As a general rule people are stupid about how many of their emails they actually read

    whether at work or at home. And that includes CEOs.

    Ideally people should not open an email at all unless they absolutely positively MUST.

    And for their own financial sake companies should teach their staff to do that.

    A carrot and stick policy could work : in extreme cases getting fired for opening too many dodgy emails

    and bonuses for avoiding them ( and warning cow-orkers about the latest dodgy subject lines).

  10. Anonymous Coward
    Anonymous Coward

    Rules are for the little people

    Over the years I've come across a number of boss types who are paranoid about what the staff do. To the extent that they will spend more time and money on preventing petty, theft not following purchase rules or skiving than they could actually save. But a good rule of thumb seems to be that the tighter they are with the people below the less likely they are to follow procedures themselves.

    1. Triggerfish

      Re: Rules are for the little people

      Just anecdotal and so IMO, but the boss who takes all the money they spend on watching the staff, and actually distributes it amongst staff in the way of wages, training etc generally speaking tends to have staff loyal enough to need no watching.

      1. Terry 6 Silver badge

        Re: Rules are for the little people

        More to the point, when I did some mangelment courses they said that the evidence was that just trusting staff do the job correctly and honestly got better results than trying to control their every move. And there was also a mention of managers being seen to lead by example.........

  11. BitterExScientist

    The next big silicon valley discovery.

    That has been well known for atleast the past 50+ years.

    Administrative controls should only be considered effective against the hazards posed by lawsuits.

    Or perhaps management already understands this quite well?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022