Christopher Arehart knows a thing or two about social engineering fraud. As senior vice president and product manager for North American Financial Lines at Chubb Insurance, he has the responsibility for managing all product aspects of crime insurance, financial fidelity and some specialty risk related to kidnap and extortion. Or as he puts it, "things that go bump in the night.”
Listen to our podcast interview with Chris.
While that is a pretty dramatic list of things that do go bump, but what's also on Arehart’s list of responsibilities is much more mundane: email, aka, the heart of almost all payments fraud scams.
What Arehart wants you to know is this: having a healthy distrust is the most vital weapon needed to help companies reduce the roughly $28 billion that has been lost via payments fraud the last 4-5 years to scam artists.
Arehart recently co-authored a whitepaper (disclosure, Taylor Nemeth, Head of Payments for PaymentWorks was a co-author), "Guarding Against Email Social Engineering Fraud: Reexamining a Global Problem" in which he attempted to drill home the point that while email may be essential to daily business for almost all types of employees, it's also essentially a fraudster’s best friend.
"The “re-examining” component of the paper was reminding folks that there is a common thread to all of these claims and these losses, and it stems from email," Arerhart said. "Email is inherently insecure. It is intended to be insecure. It was built that way."
Realization: he is right.
"I can be pretty confident in saying this, and it’s a bold statement, but there is no technology that will screen for an account takeover email," Arehart said.
False Sense Of Security
It wasn't too long ago that getting an actual physical check via snail mail was the preferred form of authentication for a vendor's banking and remit information. Of course, this was an exceptionally slow, inefficient and expensive way to onboard vendors. And slow.
Also, it is slow. Slow.
In recent years, verifying payment/ACH details by email became the new normal. The issue here was that people started trusting the information in an email the same way we trusted the information in the envelope that arrived in the mail. Email has a veneer of security around it. Arehart maintains this is a myth.
"It looks fancy and I may have a whole lot of IT in front of it to try to keep it from being taken over or being infiltrated by bad people," he said. "At the end of the day, those are all just protections against the inherent vulnerability because it's built around an open protocol. You can't talk with each other unless it's open, inherently."
Email Is Not Secure, But That's Just The Start Of The Problem
Arehart points out that the most nefarious type of email compromise and risk is an email takeover, which is when a bad actor gets into a system and can appear as absolutely legitimate by sending out communications in the name of the account he/she has taken over.
"I can be pretty confident in saying this, and it’s a bold statement, but there is no technology that will screen for an account takeover email," Arehart said. "(No technology) will say that there is an inherent aspect of this email that is bad, that it was taken over and that I'm going to prevent it from coming in.
"An analogy would be that we're trying to get into Langley Air Force Base and they have a scanner for license plates. I steal an agent's car and I drive the car up to Langley and they scan my license plate and go through. I'm in. The car is supposed to be there, the driver is not,” he continued.
“Likewise, maybe the information contained inside this email is not supposed to be there," he concluded. And he is right, an average email box has enough information in it to allow a scammer to take an invoice and make it look exactly the same as an official one and then send it back to the AR department from the legitimate email address.
"This is not the stuff of espionage," Arehart said. "It's pretty basic."
So, ultimately, who at an organization is responsible when there is a breakdown in the process and fraud occurs? We'll cover that next week in part two of our captivating interview with Chris Arehart.
Listen to our podcast interview with Chris here.
Read our co-authored free whitepaper - Guarding Against Social Engineering Fraud: Re-examining a Global Problem.