Email is fallible after all, and we’d all do well to be careful

Select an option below to continue reading this premium story.

Already a Honolulu Star-Advertiser subscriber? Log in now to continue reading.

Get unlimited access

From as low as $12.95 /mo.

Subscribe Now

For all of its convenience as a method of communication, email has its share of problems. This has become more evident in recent months, as it seems that many folks have forgotten some of the basic tenets of using email.

In recent months we’ve seen a spate of leaked email messages that were obtained through nefarious methods. The consequences of these messages have ranged from mild embarrassment to loss of employment.

For years, email users have been instructed to avoid putting anything in an email message that you wouldn’t want the world to see. Profanity, for example, or name calling are no-no’s. Did Amy Pascal, former co-chairwoman of Sony Pictures Entertainment, really need to make racially insensitive jokes in her emails? By all accounts, she had been doing a stellar job, but of course, once the emails were released, she got the ax.

Similarly, how does a seasoned politician like former Democratic National Committee Chairwoman Debbie Wasserman Schultz say anything even remotely controversial in an email? In the good old days, before hackers infiltrated email systems, the concern used to be that the recipient of the email might forward that message on. In the case of Wasserman Schultz, this seems to be at least one of the methods in which her controversial messages were compromised.

To this day, email still has security holes that can be exploited through technical means. The bottom line is that email was built around 40 years ago, and security was much less of a concern. It was secured by the limited number of folks who had access to it.

Of course, technical exploits of email are only part of the problem. Social engineering is being used in conjunction with email to try and trick folks out of money.

Don't miss out on what's happening!

Stay in touch with breaking news, as it happens, conveniently in your email inbox. It's FREE!

By clicking to sign up, you agree to Star-Advertiser's and Google's Terms of Service and Privacy Policy. This form is protected by reCAPTCHA.

The most recent scam involves the bad guys figuring out the reporting structure within a given business. Such an organization is typically “cherry picked” as one that conducts numerous, relatively large financial transactions. The reporting structure can often be discovered by simply looking at the company’s website and identifying the chief financial officer (for example, Pat Aloha), controller, accounts payable supervisor and others.

Under this scenario, the bad guys then buy domain names similar to the target organization and set up email accounts under that domain. For example, paloha@staradvert1ser.com instead of staradvertiser.com. Then it’s just as simple as sending an email down the chain, instructing the accounting department to wire funds to the bad guys. The email looks an awful lot like it’s coming from the person in charge.

Unfortunately, there is no good technical way to prevent this scenario from occurring. Users, especially those responsible for sending money out of an organization, need to take care whenever receiving such a request.

John Agsalud is an IT expert with more than 25 years of information technology experience. Reach him at johnagsalud@yahoo.com.