Every authentic email will need to be independently verified if responsibility shifts from the asset owner, who is best placed to prevent and detect a BEC attack, onto the recipient, who cannot detect it.
In late 2019, France’s market watchdog, the Autorite des Marches Financier (AMF), fined news agency Bloomberg €5 million (US$ 7.6 million) for publishing a hoax report about French construction company, Vinci.
Vinci was the victim of a business email compromise (BEC) attack in 2016. An email that appeared to come from Vinci’s communications director was sent to Bloomberg’s French news desk, claiming that Vinci’s finance director had resigned following financial improprieties. Vinci’s share price tumbled from €35 billion to €27 billion before later rebounding; it closed 3.5 percent below its opening value.
According to the AMF’s Enforcement Committee News Release, published December 2019, the decision to impose the fine hinged on the following:
- Bloomberg ‘ought to have known it was false’,
- Bloomberg ‘failed to verify the news’ and,
- this failure to verify amounted to a failure ‘to obey the ... codes of the journalist profession.’
Many in the cyber-security industry would argue that those are unjustified assumptions leading to an unreasonable decision. If allowed to stand, recipients of business emails should be very nervous. The AMF has shifted the responsibility from the party who owns the asset and is best placed to prevent and detect a BEC attack onto the party who does not own it and cannot detect it.
To deconstruct the AMF’s argument, let’s consider (i) how BEC attacks are conducted and (ii) available measures to prevent a BEC attack.
Business email compromise
BEC attacks are prevalent because a weakness in an old email protocol (Simple Mail Transfer Protocol) means abusing authentic domains to send emails is easy. If the owner fails to fix it, even a technically savvy 12-year-old can send emails from an authentic but unprotected domain.
By all accounts, the email to Bloomberg came from (i) @vinci.com and not (ii) @v1nci.com, vinci.co or similar, an important distinction. The first type means that the email lands in the recipient’s inbox with all the hallmarks of a legitimate email.
Type (ii), the lookalike scam, does not look authentic, does not belong to the firm, and has no link to the firm. This gives the recipient every chance of recognising it’s a hoax.
Every day, businesses rely on their authentic emails being accepted at face value and on the instructions or requests in them being acted on. A business domain is an outward expression of the firm, a visible digital asset, trusted by clients and suppliers, used to communicate the firm's will. It is a valuable resource that should be protected.
Protecting domains from the first type of scam (BEC attack) can be done by implementing a protocol called DMARC (Domain-based Message Authentication, Reporting and Conformance). DMARC is a global industry standard that only the owner can configure. Had Vinci implemented DMARC this story would have had a very different outcome.
DMARC is considered a ‘Minimum Cyber Security Standard’ on the recommendation of the National Cyber Security Centre (NCSC), and it is now mandated by the UK Government for all Government Departments and their suppliers. DMARC is also mandated by the US Government for US Federal agencies under Binding Operational Directive 18-01, and it forms part of the NIST recommendations and guidelines.
Bloomberg couldn’t have known the email was false because emails from @vinci.com are legitimate. The legitimate domain could be abused by a scammer because Vinci had failed to deploy DMARC, the only sure-fire way to eliminate email impersonation.
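The distinction between type (i) and type (ii) senders, and what a published DMARC policy does about each, can be made concrete. The following is an added illustration, not code from the original article: it parses a DMARC TXT record and works out how a DMARC-aware receiver would dispose of a forged message. The record for vinci.com is a constructed sample, and the code assumes the forgery fails SPF/DKIM alignment, as mail injected over plain SMTP by an outsider would.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: " + record)
    return tags

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_domain, firm_domain):
    """'exact' = type (i), the firm's own domain or a subdomain of it;
    'lookalike' = type (ii); anything else is 'unrelated'.
    Assumption: two-label domains (vinci.com), so the first label is the brand."""
    a, b = from_domain.lower(), firm_domain.lower()
    if a == b or a.endswith("." + b):
        return "exact"
    if a.split(".")[0] == b.split(".")[0] or _edit_distance(a, b) <= 2:
        return "lookalike"
    return "unrelated"

def expected_handling(from_domain, firm_domain, firm_dmarc_record):
    """Disposition a DMARC-aware receiver applies to a forged message that
    fails SPF/DKIM alignment. Only the firm's own domain is governed by its
    policy; a lookalike domain is simply outside the record's scope."""
    kind = classify_sender(from_domain, firm_domain)
    if kind != "exact":
        return kind, "not covered"
    if firm_dmarc_record is None:
        return kind, "deliver"  # nothing published: the forgery lands as legitimate
    policy = parse_dmarc(firm_dmarc_record).get("p", "none")
    # An unknown p= value is treated as 'none' (no action requested).
    return kind, {"quarantine": "quarantine", "reject": "reject"}.get(policy, "deliver")

if __name__ == "__main__":
    # Constructed sample record for the firm, not Vinci's actual DNS data.
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@vinci.com"
    for sender in ("vinci.com", "news.vinci.com", "v1nci.com", "vinci.co", "example.org"):
        print(sender, expected_handling(sender, "vinci.com", None),
              expected_handling(sender, "vinci.com", record))
```

Without a record the exact-domain forgery is delivered exactly as the Vinci email was; with p=reject it is refused, while the lookalike cases are left to the recipient's judgement either way.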
Failure to verify
When a source reveals information about themselves, using a resource that they own and control, and the source is credible, why would a reporter verify the story, and, more importantly, with whom would they verify it? The same people that they believed had just sent the email?
If this decision is permitted to stand, then every authentic email that lands in your inbox would need to be independently verified before any business could act on it. This makes no sense, particularly when the sender side can protect its own domain with DMARC.
Bloomberg is ‘failing to obey the rules and codes’?
The AMF said that the failure to verify amounted to Bloomberg not obeying the ‘rules and codes’ of their profession. That is simply not the case. As explained above, it is not reasonable to expect businesses to verify emails that have the hallmark of an authentic email, especially when the sending side can protect themselves from well-known BEC attacks with DMARC.
But it raises the question: if the AMF is concerned with what it perceives to be Bloomberg’s failings under the journalists’ codes, why is it less concerned with Vinci’s failure to meet its obligations under the Market Abuse Regulation?
Market operators ... shall establish and maintain effective arrangements, systems and procedures aimed at preventing and detecting insider dealing, market manipulation and attempted insider dealing and market manipulation...
The AMF’s role is to regulate participants in France’s financial market. Instead of holding Vinci accountable for failing to ‘prevent and detect’ insider dealing and market manipulation, it devised a weak argument to hold Bloomberg accountable.
If the Vinci BEC had been (i) unique and/or (ii) technically sophisticated, then permitting some latitude for failing to foresee, prevent or detect it might be reasonable. However, a similar attack occurred in 2015, when Avon was targeted, providing sufficient warning to all public companies to configure DMARC.
Reviewing the decision
The AMF’s reasoning failed to take account of the following:
(i) BEC attacks are not novel.
(ii) The solution, DMARC, has been well known and understood since 2012.
(iii) The legal duty to take care of an asset rests with the firm that owns it. It is not for the world generally to preserve another's neglected asset.
(iv) Reasonable IT directors implement DMARC.
(v) Listed companies have a legal obligation to prevent and detect market manipulation and insider trading.
In the interests of fairness and proper accountability, the AMF should withdraw Bloomberg’s fine and consider Vinci’s failings in light of its obligations under financial market regulations.
If you or your business needs support in configuring your DMARC record, get in contact today and secure your email domain.