Email is not secure. Over 90% of all cyber attacks begin with email. Despite all the advances in cyber defence, email still provides an open door for attackers to knock on. Email is your biggest security risk, by a long way.
Finance staff are, of course, very heavy email users, and are dealing with money on a daily basis. Finance staff in charities also have to deal with a mixed quality of IT systems, often on stretched budgets (especially for their own systems, which mostly aren’t frontline facing), and sometimes with a very limited team around them, meaning higher workloads.
It’s a heady mix, so it is perhaps not surprising that targeting the finance team with phishing emails is very common. Everyone working in finance should be aware of the types of attacks they may be receiving, and the red flags to look out for. Organisations should appreciate that email is likely to be their highest cyber security risk, and the finance team one of the most highly targeted.
The good news is that there are a mix of protection measures that aren’t expensive, which greatly reduce the risk of fake emails getting through. The bad news is that many organisations do not have these in place. So, we hope the below helps you to ask the IT team to check and then check again that you are doing what you can to protect yourself, and keeping awareness front and centre when using email.
What is a phishing attack?
Phishing emails are when someone tries to get you to do something or provide them with some information by engineering a very convincing email. Most often this is used to try to gather usernames and passwords, for example the email could say your password has expired and ask you to put in your old password and a new one to sign in. If you do so they have collected your password.
With finance staff it’s often a payment request that looks legitimate, but the payment goes to an attacker rather than a legitimate supplier (eg the sort code and account number are changed, or the link to make the payment is false).
Attackers may be silently monitoring a mailbox for months, looking at the patterns of email messages, approvals and so forth, before seizing an opportunity to launch their attack.
Types of attack
A common attack is an email that appears to come from someone important in your organisation, potentially a finance director or CEO, sending you an invoice asking you to make payment for a service or product. The email has actually come from an external email address that looks like the colleague’s, and if someone falls victim to this attack then a payment is made to an account used by the attacker. This can happen in the middle of a genuine email conversation that the attacker is passively watching, ready to intervene at the key moment when bank details get shared, or approval to make the payment is sent.
Another method, more difficult to identify, is when the attack actually comes from a legitimate email account, that has been compromised silently. Attackers gain access to an email account and lie in wait, looking through emails and gathering information, looking for something like an invoice in a thread that they can put themselves in the middle of. Once they find what they are looking for they might send through an invoice for a legitimate service that you have received but where they have asked you to change the payment details to their new account. Making this payment would result in the money being paid to the attacker rather than a supplier.
Top five protection measures
Reducing an organisation’s risk and exposure to these attacks requires a blend of ongoing defences, and as a minimum we recommend the following:
- Finance teams should have a process to verbally verify requests for new or changed payment details, every time.
- User awareness training is absolutely essential. Anyone can send anyone an email, so knowing what to look for is vital. There are lots of free cyber security training resources on the National Cyber Security Council (NCSC) website.
- Testing knowledge. Phishing simulations are training exercises that deliberately send a spurious (but safe) email to staff; if it is clicked, it directs them to training, and the results can be reported centrally to see how aware staff are. We recommend doing this quarterly.
- Domain-based message authentication, reporting and conformance (DMARC) is a techie process. DMARC and sender policy framework (SPF) exist to help stop outsiders impersonating your domain name, yet few use it fully.
- A lot of charities use Microsoft 365 for email, and this comes with a huge array of security controls which are often not configured fully. The Centre for Internet Security (CIS) sets out a framework that your organisation can adhere to if it uses 365, which includes more advanced phishing controls, use of two factor authentication and so on. Microsoft provides a handy tool to measure your security posture and recommend improvements to achieve best practice, free of charge, called the Microsoft Secure Score.
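To show what “not using DMARC and SPF fully” looks like in practice, here is an added example (not from the article or from Smartdesc): a small Python check that reads the two DNS TXT records and flags the settings that leave a domain open to impersonation. The records below are constructed for a fictional charity domain, not looked up live; the weak pair is the common partial setup, the corrected pair is what the IT team should be aiming for.

```python
"""Flag weak SPF and DMARC settings that let outsiders impersonate a domain.
Added example: the records are constructed for a placeholder domain."""
import re

# Constructed records: a typical partial setup (SPF soft-fail, DMARC in
# monitor-only mode) beside the enforcing configuration.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com ~all",
    "dmarc": "v=DMARC1; p=none",
}
CORRECTED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@charity.example",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(records: dict) -> list:
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf, dmarc = records.get("spf"), records.get("dmarc")
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record, anyone can send as this domain")
    else:
        # The final 'all' mechanism decides what happens to unlisted senders.
        m = re.search(r"([+~?-]?)all\s*$", spf)
        if not m or m.group(1) in ("", "+"):
            findings.append("SPF: +all/missing all passes every sender")
        elif m.group(1) in ("~", "?"):
            findings.append("SPF: soft-fail/neutral 'all' only marks, does not reject")
    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("DMARC: no record, receivers cannot enforce alignment")
    else:
        tags = parse_dmarc(dmarc)
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none is monitor-only, spoofed mail still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, nobody receives aggregate reports")
    return findings
```

Running `assess(WEAK)` returns three findings while `assess(CORRECTED)` returns none; the same function can be pointed at real TXT records once the IT team pulls them from DNS.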
Working environments are fast paced. Can you be sure that while you are juggling priorities, a genuine looking email couldn’t slip through the net?
It’s important to remember that email is, inherently, not secure. Email security should be continually reviewed and re-assessed as part of your cyber security strategy, to ensure that the right things are in place.
By blending technical controls with policies and user training, you stand the best chance of staying protected, but vigilance is always required, within the finance team more than anywhere. And if you aren’t confident of your organisation’s cyber security, speak to someone independent to get a second opinion.
Andrew Coyle is head of information security at Smartdesc
Charity Finance wishes to thank Smartdesc for its support with this article