David Jones wrote on 29/06/16 12:46 AM:
> This is pure social engineering that can't be stopped by technology.  The AP
> dept has to have proper safeguards and out of band validation (i.e. phone
> call to the "Recognized Name").

No, technology can help. The IT department sets up the mail client that the
CEO uses when out of the office so that it sends mail using the company mail
server with SSL/TLS and user authentication. Or it uses the company's ISP's
mail server. Or it sends domain mail using GMail for business. There are a number
of choices that are as easy for the CEO to use as any personal email method
is, but will restrict email sent from the company domain to being sent through
one of a known set of mail servers. Then the company's receiving mail server
blocks any mail that pretends to be from a company domain sender address that
was not sent through one of the known valid mail servers. That can be a local
SpamAssassin rule or something run even earlier in the process.

You are right that social engineering can't be stopped by technology. The
company should have procedures in place that provide the flexibility that the CEO
seems to need but will still prevent the fraud even in the face of successful
social engineering. But there is no reason the mail setup has to allow spoofed
From headers for the company domain.

Sidney
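The receiving-side check described in the reply (accept a company-domain From: address only when the message entered through one of the known sending servers), written out as an added example that is not part of the original thread and not a SpamAssassin rule. The domain, relay addresses and sample messages are constructed for the example.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the company domain and the servers its mail may be sent
# through (own authenticated submission host, plus the ISP relay range).
COMPANY_DOMAIN = "example.com"
KNOWN_SENDING_RELAYS = [
    ipaddress.ip_network("203.0.113.25/32"),  # company mail server (TLS + auth)
    ipaddress.ip_network("198.51.100.0/24"),  # ISP relays the company also uses
]
# IP literal a receiving MX writes into its own Received header, e.g.
# "from helo.name (rdns.name [192.0.2.7]) by mx.example.com ...".
_RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

def claims_company_domain(msg):
    """True when the From: address is in the company domain."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.lower().endswith("@" + COMPANY_DOMAIN)

def connecting_ip(msg):
    """IP of the host that handed the message to our MX. Only the topmost
    Received header counts: our own server wrote it, while every Received
    line below it came from the sender and can be forged."""
    topmost = (msg.get_all("Received") or [""])[0]
    m = _RECEIVED_IP.search(topmost)
    return ipaddress.ip_address(m.group(1)) if m else None

def is_spoofed_company_mail(raw):
    """Flag mail that claims a company sender but did not arrive via a known relay."""
    msg = message_from_string(raw)
    if not claims_company_domain(msg):
        return False  # the rule only concerns mail pretending to be from us
    ip = connecting_ip(msg)
    if ip is None:
        return True  # no verifiable origin: treat as spoofed
    return not any(ip in net for net in KNOWN_SENDING_RELAYS)

# Constructed samples as our MX would see them (the header it added is on top).
LEGIT = """Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.example.com with ESMTPS; Tue, 28 Jun 2016 12:00:00 +0000
From: CEO <ceo@example.com>"""
# Here the sender used our server name in HELO and appended a forged Received
# line; only the IP our own MX recorded (198.18.0.44) is trustworthy.
SPOOFED = """Received: from mail.example.com (unknown [198.18.0.44])
\tby mx.example.com with ESMTP; Tue, 28 Jun 2016 12:01:00 +0000
Received: from mail.example.com (mail.example.com [203.0.113.25]) by localhost
From: CEO <ceo@example.com>"""
```

If the receiving MX is itself the submission host the CEO authenticates to, the equivalent check is whether that server's own Received header records an authenticated session rather than a relay IP.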
