How Safe Is Sending Financial Documents Through the Internet?
It Depends on Your Cybersecurity.
Jim Stewart, Founder, DocuSend, powered by MTI
Posted on August 12, 2019
Cybercrime is growing fast. And I do mean FAST. Internet outlaws delight in sending fake invoices and other financial documents as malicious attempts to victimize organizations and their employees for criminal purposes. These crooks attempt to steal our money by convincing us to provide financial information, passwords, or logins to an e-communication or phony website. The spoof websites look very similar to an actual site the recipient has a financial relationship with. But perhaps most alarming is how rapidly this illegal industry is spreading. Here are just a few quick bullets outlining why their burgeoning prosperity is so prevalent today:
How Lucrative Is It in Reality?
- Fake emails are often used to gain information to commit identity theft.
- These emails may include links to copycat websites that pose as government agencies that ask for your username, password, or other personal data.
- At least 3.4 billion fake emails are sent around the world every day, according to a new report from email verification company Valimail.[1]
- Email impersonation accounted for 1.2 percent of all emails sent during the first quarter of 2019.
- Cybercriminals' favorite weapon is phishing, and their primary objective is breaking into your networks, systems, intellectual properties, and just about any asset you have containing sensitive information.
- Using instant messaging, social networking, and other online interaction will not provide immunity. Email addresses are still required to access these accounts, as they are for all forms of online communication.
- Transactional e-commerce for banking and shopping cannot be accomplished without a valid email address.
- Some experts indicate the cost of global cybercrime could reach $6 trillion in just the next two years.
- Phishing is implicated in the vast majority of breaches, mostly identity based.
- Cybersecurity costs for the next five years could exceed $1 trillion.
- Ransomware damage may well reach $18 billion by 2021.
And it gets even worse when you consider that they are not just targeting business owners, managers, and upper-level personnel. These thieves zero in on anyone in your organization that has an email. Why? Because that’s all they need to get the scam started. Just one employee who clicks on a fraudulent link is all it takes to infect your whole computer system and bring down your business.
Fake Invoices: Growing at Epidemic Proportions
Invoicing is an enormous target and the online predators know it. Here are just a few of the methods they use to steal from us:
- A scammer posing as a recognizable tech company emails a phony invoice indicating that you have recently purchased services from them. The email instructs you to click on a link if the purchase was not authorized. If you do, they install ransomware that can lock you out of your computer.
- Fake invoices are used to install malware on our systems. They can include viruses, spyware, and other programs that cause your system to crash. They can also be used to monitor and control your online activity.
- Be wary of macros in Microsoft Word or other Microsoft Office email attachments that claim you must enable macros to view an invoice or other document. The macro may be malicious, and can download and install malware on your computer.
- Fake invoices sent electronically are also used as a way of obtaining confidential information from the recipients or to get businesses to actually pay nonexistent invoices.
- Fraudsters often target a company based on their business model, size, and location, to narrow down what suppliers they use. They use this information to create phony invoices that look legitimate. They often create a sense of urgency by sending false invoices with “This invoice is 90 days past due.”
"It remains clear that fake emails from hackers, phishers and other cyber criminals constitute the major source of cyberattacks," said Alexander García-Tobar, CEO and co-founder of Valimail.[1] "As more companies recognize and respond to email vulnerabilities, we expect to see organizations continue to deploy authentication technologies to protect against untrusted and fraudulent senders. The fact is that too many attackers are using impersonation to get through existing email defenses. A robust approach to sender identification and authentication is needed to make email more trustworthy, once and for all."
Are SMBs Particularly Vulnerable to Email Impersonation Attacks?
All businesses are vulnerable, but many SMBs simply lack the resources to systematically implement network security protections on the same scale as larger organizations can. Furthermore, some small businesses may lack the expertise to put procedural and structural protocols in place to properly respond to the rapid rise in cybercrime. Don’t get me wrong, it certainly can be done, but we need to understand what we are getting involved in. The following bullets outline some of the technologies that can be implemented:
- Sender Policy Framework (SPF) is an email authentication method designed to detect forged sender addresses during the delivery of the email. SPF allows the receiving mail server to check during mail delivery that a mail claiming to come from a specific domain is submitted by an IP address authorized by that domain's administrators.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol. It is designed to give email domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. The purpose and primary outcome of implementing DMARC is to protect a domain from being used in business email compromise attacks, phishing emails, email scams, and other cyberthreat activities.
- DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in emails (email spoofing), a technique often used in phishing and email spam. DKIM allows the receiver to check that an email claiming to have come from a specific domain was indeed authorized by the owner of that domain.
- Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing.
- Brand Indicators for Message Identification (BIMI) is the new open standard to visualize your brand in the recipient’s mailbox with an image. Email marketers are on a constant search for that one trick that will give them better visibility in front of subscribers and get their messages opened. It is an industry-wide standard to use brand logos as indicators to help people avoid fraudulent email while putting their brands in front of consumers for free.
Everything of Value Comes at a Price
Email is a quick, efficient, and effective way for businesses to communicate with just about anyone. But it comes with a cost. Any organization, regardless of size, should consider the true cost incurred by sending documents containing sensitive information through the internet. And that means carefully analyzing the risk factors involved when using internet services that cannot be fully controlled and so could contain criminal activities.
Once the analysis is done, it doesn’t stop there. SMBs will face the even greater challenge of factoring in the cost and ROI of installing the correct software to ensure that their systems are securely maintained. Most small businesses don’t have in-house resources for this and will need a computer IT support company to make sure it is done right.
Don’t agree? Take another look at the security options above.
Help for SMBs
If you are concerned about receiving fake emails, or the possibility of your clients being apprehensive about receiving them, there is another alternative for distributing sensitive information.
Once you determine the true cost of electronic invoicing, if you conclude that your business doesn’t have the time, inclination, or resources to commit to upgrading your systems or optimizing your security protocols, it’s time to consider the cost and efficiency of the other option you have available: mailing your documents through the United States Post Office.
Before you reject this idea as a step backward, consider…
Just a Few Facts on Distributing Invoices by US Mail
- There are more than 200 federal laws that protect the sanctity of the US mail, and all are aggressively enforced. That’s more than 200 reasons criminals don’t even try to exploit the mail.
- Nearly 2/3 of American household bills and statements will still be printed and mailed through the US Postal System.
- Nearly 60% of consumers said they would consider changing service providers if they were forced to go paperless.[2]
- 97 percent of paper bills and statements are opened, with the average read times between two and five minutes.
- The Postal Service is the only organization in the country that has the resources, network infrastructure, and logistical capability to regularly deliver to every residential and business address in the nation. In many households, email is not checked regularly, while people tend to check their postal mailbox every day.
- Postal inspectors are federal agents, mandated to safeguard the nation's mail—including the people who move it and the customers who use it. Sensitive documents like invoices and statements mail First Class® and receive top priority.
- 42% of customers are less likely to interact with a brand name after being phished.
- Consumers named the USPS® one of the United States’ 20 most trusted companies and the number one most trusted government agency for the last 10 years.
- The USPS requires bills and statements to be mailed First Class, which guarantees that mail forwarding and return-mail actions take place. Consumers can be nearly 100% certain that no matter where they are in the US, their mail will find them.
- Over 70% of American households prefer to receive sensitive financial documents through the US Postal Service.
- If an important document is sent electronically and is inadvertently blocked, it can impact the intended recipient’s income and credit rating.
- If a recipient opens a physical piece of mail, they don’t have to be concerned that it will infect their computer system.
OK, that’s enough of that. Now let’s talk about the cost. Considering the cost of maintaining a secure system to send emails, can you safely send a one-page black-and-white document to your customer for eighty cents? If the answer is no, read on. If your answer is yes, please let us know how you do it! I’ll even write about it in my next blog.
What Is the Cost vs Benefit Ratio of Using DocuSend’s Cloud-Based Mailroom?
That’s easy. Consider the following:
- Takes up no space: All the advantages of having your own mailroom with a zero-square-foot space allocation.
- No need for equipment: No leases, maintenance contracts, or postal software to detract from your users' focus on growth.
- Eliminates manual labor: The average time it takes to manually print, fold, stuff, seal, and stamp 200 documents is about 2 hours. DocuSend: 1 to 2 minutes to upload. That’s it. You’re done.
- No overhead: Pay for it only when you need to send documents. There are no monthly or annual fees, so the mailroom just sits there waiting for you at no cost until you need it again.
- Eliminates inventory: The cost to use DocuSend for a single-page black-ink document is between $0.80 and $0.84 depending on paper and envelope options, including postage and materials.
- Maintains a record of everything mailed: Users can retrieve file dates, mailing volumes, invalid addresses, and PDF images.
- Works with just about any addressed document: Regardless of where the addresses are located.
- Increases cash flow with ZERO risk: No minimums. Stop anytime. Expenses drop while documents get in the mail quicker.
You can spend your time and money learning how to use and maintain various sender authentication and recipient identification methods, or you can just mail it through DocuSend and use the oldest and most trusted law enforcement agency in the United States, the US Postal Service. And you are done. PERIOD.
Finally, let me finish by saying that electronic invoicing should be part of any robust, comprehensive accounts-receivable system. But we must be careful not to turn a blind eye to the actual costs to safely email sensitive documents on a regular basis. Show me how you can distribute documents securely for less than a buck apiece, and I’m right there with you.
[1] For more information visit www.Valimail.com.
[2] A June 2017 survey of 2,131 US consumers commissioned by Two Sides and carried out by research company Toluna. https://twosidesna.org/Survey2017/