
Monday 23 August 2021

Why You Need Encrypted Email

Encrypted email
Everyone knows there are scammers online and offline bending over backward to screw you out of your hard-earned money. But, despite the frequent warnings, publicity from various sources and the personal experiences victims tell us about, scammers are still winning.

The following article confirms this:

"According to the Australian Federal Police, more than $79 million has been lost to cybercriminals in the past 12 months through business email compromise, also known as BEC scams or payment redirection scams.

In such scams, cybercriminals trick victims by getting them to redirect their legitimate fund transfers, which victims think they are making to a business, into the criminals' own accounts.

The cyberthieves usually do this by intercepting legitimate emails sent from a business to a client. They then send a new email to the client, with a notice to send money, but changing the business's bank account details to their own.

The unsuspecting victim transfers funds to the fraudster and is unaware they've been tricked until the business contacts them, asking what happened to the payment.

Police say that business email compromise scams occurred at least 3,300 times last year. Unfortunately, the police managed to retrieve only $8.45 million, a fraction of the total lost."

- Tony Mitchell, Aviso EIA, Insurance Brokers

There are two things that concern me about this situation.

First, in Australia anyone opening a bank account has to provide 100 points of proof from official documents like passports, birth certificates, driver's licences, and Medicare Cards. Additionally, any transaction over 10 thousand dollars, especially those out of the country, is vetted by AUSTRAC.

Given the above, one would think that when someone is duped out of money, it would be easy for police to identify the accounts involved and the people who own them. Apparently not, which raises some serious questions.

Second, the people handling an organisation's payments, or individuals transferring money, aren't making sufficient effort to ensure their transfers are secure.

Encrypted Email

There are numerous email clients available that provide end-to-end encryption. This means that when an email leaves your device, the content is encrypted so that if it is intercepted, it cannot be read. It can only be read on the device of the recipient.

Find out whether the email client you use provides end-to-end encryption. If it doesn't, think about getting a different one or using a different approach to transfer at-risk data, e.g., software that encrypts specific data (see below).

Encryption is a great safeguard, but with highly confidential or high-risk email transmissions, the message should not be left on either the sender's or the recipient's hard disk drive/device, because the device could be hacked and the message stored there is not encrypted. It's highly unlikely someone would benefit from this information given the types of scams we are speaking about, but it should be a precaution you take with all confidential data.

Encryption Software

If you used this approach, you would put confidential data in an encrypted, password-protected file and attach it to your email. Adobe Portable Document Format (PDF) files have this capability if you have Adobe software or one of the other programs that convert files to PDF. You can assign a password that must be entered to open the document, and much more. Data inside the document are encrypted.

There are other alternatives. I use a software program called Folder Lock that provides several useful functions, including the ability to create a ZIP file with data encrypted and password locked.

Obviously, encryption of files won't stop someone intercepting your email if you use an unencrypted email client. However, it's good to think about documents that need to be protected during and after transmission and have a routine for doing so.

Talking of Routines

When I was a manager, I ensured my staff had access to Standard Operating Procedures that instructed them how to do tasks.

In an accounting department there should be an instruction to check all BSB and bank account numbers before sending money over a certain amount. This could be done by looking at clients' previous bank details if they are regularly paid, e.g., accounts payable, or by telephoning them to confirm their details before making a large money transfer.

It's up to the people responsible for money transfers to design a procedure that works for them. That will considerably reduce the risk of paying scammers instead of those for whom the payment was intended.
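
One way to turn the check described above into a routine, as an added example that is not part of the original post: it compares the BSB and account number on a payment request with the details already on file and holds anything that should be confirmed by telephone. The payee records, the $5,000 threshold and the function names are assumptions, and holding a changed account at any amount goes a little beyond the rule as stated.

```python
import re
from typing import NamedTuple

# Constructed payee records: details confirmed earlier through a trusted channel.
# Names, BSBs and account numbers are made up for illustration.
PAYEES_ON_FILE = {
    "Acme Plumbing Pty Ltd": ("062-000", "1234 5678"),
    "Harbour Freight Co": ("033-547", "00987654"),
}
CALLBACK_THRESHOLD = 5000.00  # assumed value for "a certain amount"


class Decision(NamedTuple):
    action: str  # "release" or "hold"
    reason: str


def normalise(bsb: str, account: str) -> tuple[str, str]:
    """Keep digits only, so '062 000' and '062-000' compare equal."""
    bsb_digits = re.sub(r"\D", "", bsb)
    account_digits = re.sub(r"\D", "", account)
    if len(bsb_digits) != 6:  # an Australian BSB is six digits
        raise ValueError(f"BSB must contain 6 digits: {bsb!r}")
    if not account_digits:
        raise ValueError(f"account number has no digits: {account!r}")
    return bsb_digits, account_digits


def check_payment(payee: str, bsb: str, account: str, amount: float) -> Decision:
    """Decide whether a requested transfer can go out or needs a phone check."""
    try:
        requested = normalise(bsb, account)
    except ValueError as exc:
        return Decision("hold", f"malformed bank details ({exc})")
    on_file = PAYEES_ON_FILE.get(payee)
    if on_file is not None:
        if requested == normalise(*on_file):
            return Decision("release", "details match those previously paid")
        # Changed details on a known payee are the payment-redirection pattern.
        return Decision("hold", "details differ from those on file; telephone the payee")
    if amount >= CALLBACK_THRESHOLD:
        return Decision("hold", "no previous details; telephone the payee to confirm")
    return Decision("release", "new payee below the confirmation threshold")


if __name__ == "__main__":
    # Constructed request: known payee, but the account number has been swapped.
    print(check_payment("Acme Plumbing Pty Ltd", "062-000", "87654321", 12000.00))
```

When a payment is held, make the confirming call on a phone number you already had for the payee rather than one supplied in the email requesting the change.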

Good luck.

Robin


Tuesday 30 June 2020

How to Lose a Customer by Dell

Dell Receipt
Throughout the years, I have had three or four Dell desktop computers and have never had a problem with their technology. Last year I bought my daughter a laptop from Dell. 

A couple of days ago I ordered a new laptop worth $1258. I placed the order online and used my credit card to pay for the purchase. As part of the credit card processing activity, my bank sent me an SMS message with a code that I had to enter online before the payment would be authorised.

The payment was authorised which meant that Dell had my money. I received an official Dell email telling me that they had received my order and a confirmation would follow soon.

The next day I received an email from Dell that had all the hallmarks of attempted fraud. Although it quoted my correct name, order number etc, it was poorly formatted and looked amateurish. My first thought was that fraudsters had intercepted my order or otherwise obtained details of my purchase.

The email asked me to provide an alternative email address and verify my residential address. This seemed strange since I had already provided those details. 

I replied to the email stating that I had already provided the details and had no intention of providing them again as I deemed it unnecessary when Dell had already been paid.

I received another email asking for the same details and advising me that I could cancel my credit card order and send money via a bank transfer. This made me even more suspicious.

The author of the email advised me that they required verification because I was using a "free email address".

To my knowledge half the world uses free email addresses. They had my money, my phone number, my residential address and my email address. What more could they want?

Because I expected this was an attempt to defraud me or Dell, I cancelled my order and ensured the $1258 was refunded.

If it was an attempt at fraud by a third party, then obviously it's no fault of Dell's; however, if it wasn't a fraud attempt, it demonstrates what would be best called a piss poor business practice.

The concept of a customer for life doesn't enter my thoughts now that I think of Dell. They've lost me forever.

Robin