Why a simple typo may be leaking your business's private data
Have you ever mistyped an email address? Has someone ever misspelled yours? Email address typos happen all the time, and those misspellings can be a serious security problem for your business.
We've all had this phone conversation:
"That sounds great, let me just email you that document. What's your email address?"
"Mark Williams at co solution dot com." "Great. Is it Williams with one l or two?" "One l." "And did you say solution, or solutions with an s?" "No s." "And how do you spell co?"
Recently a group of security researchers set up an experiment in which they registered domain names that were common misspellings of Fortune 500 company domains. They then set up mail servers for those domains configured as catch-alls: any message sent to any address ending in one of the misspelled domain names was accepted.
Take FedEx as an example. An email meant for someone at fedex.com can easily end up addressed to the same name at fedx.com by a sender in a hurry, and that email may contain sensitive information, as the researchers clearly demonstrated.
The researchers collected over 20 GB of email over the course of six months. 20 GB! Those messages included everything from usernames and passwords to trade secrets and highly sensitive network configuration details.
Tips to Protect Your Organization
1. Register Common Misspellings
If your domain name is commonly misspelled, register the variants. Heather Pizzala at Tri-Pointe Community Credit Union recognized years ago that people might forget the dash when typing the credit union's domain name, so Heather wisely registered both the tri-pointe and tripointe versions of the domain. Heather also correctly predicted that people might drop the E at the end of the name, so she registered the variants without the E at the end as well.
For credit unions especially, it's not uncommon for people to leave off the "cu" that ends many credit union domain names, such as applevillecu.com. If you're able to register the variant of your domain name without the CU (appleville.com in this example), we recommend doing so. You can register domain names at Network Solutions or many other registrars.
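As an added example (this is not code from the original post or from Secure File Exchange), the Python script below does two things the passages above call for. First, it generates the single-typo look-alikes of a domain that you would want to register: the hyphen dropped (tri-pointe to tripointe), one letter dropped (fedex to fedx, tri-pointe to tri-point), one letter doubled, two adjacent letters swapped, and a trailing "cu" removed (applevillecu to appleville). Second, it scans outbound mail-log lines for recipients at those look-alikes, which is how you would notice that mail is already leaking to a misspelled domain the way the researchers' catch-all servers received it. The domain applevillecu.com comes from the post; the Postfix-style log format and the log lines are constructed for the illustration.

```python
import re
from typing import Iterable, List, Sequence, Set, Tuple

# Constructed Postfix-style delivery log lines for the illustration; these
# are not real log data. Two recipients are at look-alikes of applevillecu.com.
SAMPLE_LOG = [
    "Mar  3 10:01:12 mx postfix/smtp[2214]: 4F1A2C: to=<payroll@applevillecu.com>, status=sent (250 ok)",
    "Mar  3 10:02:40 mx postfix/smtp[2214]: 4F1A3D: to=<j.doe@appleville.com>, status=sent (250 ok)",
    "Mar  3 10:03:05 mx postfix/smtp[2219]: 4F1A4E: to=<vendor@example.net>, status=sent (250 ok)",
    "Mar  3 10:04:51 mx postfix/smtp[2219]: 4F1A5F: to=<loans@aplevillecu.com>, status=sent (250 ok)",
]

# Matches the <local@domain> form Postfix uses in its to=<...> fields.
_RCPT = re.compile(r"<([^<>\s@]+)@([^<>\s@]+)>")


def _labels_ok(name: str) -> bool:
    """Reject candidates that are not registrable: an empty label, or a
    label that starts or ends with a hyphen."""
    return all(label and not label.startswith("-") and not label.endswith("-")
               for label in name.split("."))


def typo_variants(domain: str, strip_suffixes: Sequence[str] = ("cu",)) -> Set[str]:
    """Return single-typo look-alikes of `domain`: hyphens removed, one
    character dropped, one character doubled, two adjacent characters swapped,
    and a trailing suffix such as "cu" removed. The TLD is left untouched."""
    domain = domain.lower().strip(".")
    name, dot, tld = domain.rpartition(".")
    if not dot:
        raise ValueError("expected a dotted domain such as example.com")
    candidates: Set[str] = set()
    if "-" in name:                                   # tri-pointe -> tripointe
        candidates.add(name.replace("-", ""))
    for i in range(len(name)):
        candidates.add(name[:i] + name[i + 1:])       # fedex -> fedx (dropped char)
        candidates.add(name[:i + 1] + name[i] + name[i + 1:])   # fedex -> feddex
    for i in range(len(name) - 1):
        candidates.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # fedex -> fdeex
    for suffix in strip_suffixes:                     # applevillecu -> appleville
        if suffix and name.endswith(suffix) and len(name) > len(suffix):
            candidates.add(name[:-len(suffix)])
    variants = {c + "." + tld for c in candidates if _labels_ok(c)}
    variants.discard(domain)                          # the real name is not a typo
    return variants


def find_mistyped_recipients(log_lines: Iterable[str], domain: str,
                             strip_suffixes: Sequence[str] = ("cu",)) -> List[Tuple[str, str]]:
    """Scan delivery-log lines for recipients whose domain is a typo look-alike
    of `domain`. Returns (recipient address, look-alike domain) pairs in log
    order; an empty list means no mail to a look-alike was seen."""
    lookalikes = typo_variants(domain, strip_suffixes)
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        for local, rcpt_domain in _RCPT.findall(line):
            rcpt_domain = rcpt_domain.lower()
            if rcpt_domain in lookalikes:
                hits.append((f"{local}@{rcpt_domain}", rcpt_domain))
    return hits


if __name__ == "__main__":
    for variant in sorted(typo_variants("tri-pointe.com")):
        print("consider registering:", variant)
    for address, lookalike in find_mistyped_recipients(SAMPLE_LOG, "applevillecu.com"):
        print("mail sent to look-alike domain:", address, "->", lookalike)
```

The variant list is deliberately limited to one typo per name, which is where the registration budget is best spent; it does not try to be exhaustive. Running the log scan over a real outbound mail log (the regex assumes Postfix's to=<...> field and would need adjusting for other mail servers) shows which look-alikes your own staff are already typing, so those go to the top of the registration list.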
2. Do Not Use Email for Sensitive Communications
Secure File Exchange came out of our own need to prevent exactly this kind of security issue. Do not trust email to share sensitive information. When you are dealing with loan documents, payroll files, tax forms, passwords and other sensitive data, you must take extra precautions to ensure the file you're sending goes to the intended recipient and only to that recipient.
Secure File Exchange helps fix this by only letting you send files to those people you've configured and authorized to receive files. In addition, you receive a read-receipt when the recipient picks up the payload so you know for sure it arrived. Finally, Secure File Exchange automatically purges data you've sent so that it's not a sitting target for data theft.
Give Secure File Exchange a try (free trial, whoo-hoo!) and let us know what you think, we're always looking for great feedback.