You don’t have to be a high-tech hacker to make mischief with the personal emails of some of the most powerful people in the world, as one prankster has revealed. The joker, who goes by the Twitter handle @SINON_REBORN managed to dupe the bosses of both Barclays and the Bank of England into thinking they were chatting with their respective chairmen.
Fortunately neither Jes Staley or Mark Carney revealed any particularly sensitive information and both came out with their reputations relatively intact. The former make himself look like a kiss-ass (‘You are a unique man, Mr [John] McFarlane,’ he wrote. ‘You came to my defense today with a courage not seen in many people. How do I thank you?’) while the Bank of England governor’s gravest error was implying one of his late predecessors was an alcoholic.
It’s all good fun. But what worked for a prankster could equally work for a criminal. Cyber security companies are increasingly talking up the danger of ‘whale phishing’ – email scams directed at or mimicking powerful people. Imagine your CEO is away on a work trip and you get an email purporting to be from her:
‘Hi, hope all’s well back in the office. I tried to call but no reception here. We’ve signed a deal with Company X to buy 100,000 widgets but we need to pay a down payment immediately or we might lose it. Please wire £500,000 to bank account XXXXXX. Don’t worry about checking with the FD, I ran it past him already but he’s v busy today.’
It looks extremely suspicious, of course, and nine times out of 10 you would call anyway and do everything you could to ensure it was legit before sending the cash. But mistakes do occur and if the email is well crafted and the recipient is short on time it’s easy to see how some get through the net. In 2015 the US tech firm Ubiquiti Networks lost a whopping $46.7m (£36m) through just such a scam.
The criminal doesn’t even need to have hacked one of your employees’ emails. It’s easy enough to set up a domain with a similar name (e.g. Acme.net instead of Acme.co.uk) and create an email account that looks almost identical to yours.
There are technological solutions to this problem – some companies have software that flags any email that is from outside the organisation, making it easier to spot frauds. But the most important thing is vigilance. If you smell even the hint of a rat then double and triple check that email is from the person it purports to be.
Above all, don’t make the mistake of thinking that your emails are and always will be private. Even if you’re not hacked they could be revealed in response to a customer’s subject access request under the Data Protection Act, or seized by a court as part of a legal claim against your business.
Faced with a racey email from a colleague it’s best to take a leaf out of Mark Carney’s book, calling it out instead of joining in on some lewd 'banter'. You never know who’s watching.