On Wed, 29 Jun 2016 01:30:55 +1200 Sidney Markowitz wrote:
> David Jones wrote on 29/06/16 12:46 AM:
> > This is pure social engineering that can't be stopped by
> > technology. The AP dept has to have proper safeguards and out of
> > band validation (i.e. phone call to the "Recognized Name").
>
> No, technology can help. The IT department sets up the mail client
> that the CEO uses when out of the office so that it sends mail using
> the company mail server with SSL/TLS and user authentication. Or it
> uses the company's ISP's mail server. Or send domain mail using GMail
> for business. There are a number of choices that are as easy for the
> CEO to use as any personal email method is, but will restrict email
> sent from the company domain to being sent through one of a known set
> of mail servers. Then the company's receiving mail server blocks any
> mail that pretends to be from a company domain sender address that
> was not sent through one of the known valid mail servers. That can be
> a local SpamAssassin rule or something run even earlier in the
> process.
>
> You are right that social engineering can't be stopped by technology.
> The company should have procedures in place that provide the
> flexibility that CEO seems to need but will still prevent the fraud
> even in the face of successful social engineering. But there is no
> reason the mail setup has to allow spoofed headers From the company
> domain.
That won't work in this example because nothing has actually been spoofed.
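The receiving-side check Sidney proposes (a From address in the company domain that did not arrive through one of the known relays is blocked), placed next to the case this reply raises, where nothing is spoofed and only the display name matches. This is an added example, not code from anyone in the thread or from SpamAssassin; the company domain, the relay addresses, the protected display names and the three sample messages are all constructed, and the assumption that the border MTA writes the peer IP in square brackets in the topmost Received header is mine. The display-name rule goes beyond what Sidney described: it is there to show why his relay rule alone never sees the message the reply is talking about.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for this example.
COMPANY_DOMAIN = "example.com"
# Peers the company's own mail is allowed to arrive from: the company MTA,
# the ISP relay, or the hosted-mail egress the CEO's client is set up to use.
TRUSTED_RELAYS = {"192.0.2.10", "192.0.2.11"}
# Display names that attract impersonation, stored normalized (see below).
PROTECTED_NAMES = {"jane ceo"}

REJECT_UNTRUSTED_RELAY = "REJECT_UNTRUSTED_RELAY"
FLAG_DISPLAY_NAME = "FLAG_DISPLAY_NAME"
ACCEPT = "ACCEPT"

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP address the border MTA accepted the message from.

    Assumption: our own MTA prepends a Received header and records the
    peer address in square brackets. Only the topmost Received header is
    consulted; every one below it was written by someone else's host.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _BRACKET_IP.search(received[0])
    return match.group(1) if match else None


def normalize_name(name):
    """Collapse case and whitespace so 'Jane  CEO' matches 'jane ceo'."""
    return " ".join(name.lower().split())


def classify(raw_message):
    """Run both checks over a raw RFC 822 message and return a verdict."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2]

    # Check 1 (the relay rule from the thread): mail claiming our domain
    # must have come in through a trusted relay, otherwise block it.
    if domain == COMPANY_DOMAIN:
        if connecting_ip(msg) not in TRUSTED_RELAYS:
            return REJECT_UNTRUSTED_RELAY
        return ACCEPT

    # Check 2: nothing is spoofed, the address is external, but the display
    # name is one we protect. Check 1 never reaches this message because
    # the domain is not ours, so it needs a rule of its own.
    if normalize_name(name) in PROTECTED_NAMES:
        return FLAG_DISPLAY_NAME
    return ACCEPT


# Constructed sample messages.
SPOOFED_DOMAIN = (
    "Received: from mail.outside.example.net (mail.outside.example.net [203.0.113.5])\n"
    "\tby mx.example.com with ESMTP; Tue, 28 Jun 2016 12:00:00 +0000\n"
    'From: "Jane CEO" <jane@example.com>\n'
    "To: ap@example.com\n"
    "Subject: Invoice\n\n"
    "Please pay the attached invoice today.\n"
)
LOOKALIKE_EXTERNAL = (
    "Received: from mail.outside.example.net (mail.outside.example.net [203.0.113.5])\n"
    "\tby mx.example.com with ESMTP; Tue, 28 Jun 2016 12:00:00 +0000\n"
    'From: "Jane CEO" <jane.ceo.mobile@webmail.example.net>\n'
    "To: ap@example.com\n"
    "Subject: Invoice\n\n"
    "Please pay the attached invoice today.\n"
)
LEGIT_VIA_RELAY = (
    "Received: from smtp.example.com (smtp.example.com [192.0.2.10])\n"
    "\tby mx.example.com with ESMTP; Tue, 28 Jun 2016 12:00:00 +0000\n"
    'From: "Jane CEO" <jane@example.com>\n'
    "To: ap@example.com\n"
    "Subject: Board meeting\n\n"
    "Agenda attached.\n"
)

if __name__ == "__main__":
    for label, raw in [("spoofed domain", SPOOFED_DOMAIN),
                       ("lookalike external", LOOKALIKE_EXTERNAL),
                       ("legit via relay", LEGIT_VIA_RELAY)]:
        print(f"{label}: {classify(raw)}")
```

In a real deployment this logic lives where the thread says it can: a milter on the receiving MTA or a local SpamAssassin rule, both of which get the connecting IP directly rather than by parsing Received. The first check is what SPF and DMARC standardize; the second only works if the list of protected names is kept short and the verdict is a flag for review, since ordinary correspondents can legitimately share a name.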