During business e-mail communication, a lot of people tend to include information that is not related to the business at hand. Such unrelated information is usually generic detail about the sender's company, but it can expose the company to unwanted risks: social engineering attacks or a loss of competitive advantage.
Here is one of the less disastrous e-mails that drops into my mailbox. It is anonymized, so it will be recognizable only to the author - should he choose to read this post.
Let's analyze the information and its relevance to a possible attacker:
- The confidential content of the message is fake - the sender dropped entirely fabricated information to create the appearance of great importance. While such information cannot be used directly in an attack, it is a great weapon for discrediting the company. All the attacker needs to do is continue the communication and draw out more such e-mails. Then it is just a matter of 'leaking' those e-mails to the public with appropriate commentary and a reference to any commercial promise made about their product.
- The confidential content of the message is true (partially or fully) - the sender dropped real information, trying to increase the perceived importance of his company or to build confidence with the recipient of the e-mail. In either case, this leaves a great foothold for a social engineering attack:
  - The attacker can continue the communication, even returning fabricated confidential information of his own, in order to gain further trust and extract more information.
  - With just the information about a trip to Spain, it would be easy to craft a message from an apparently Spanish sender, referencing a meeting with the owner at such and such a time. In such a message the attacker can try to obtain more confidential information or build a trust relationship with the sender or with others in the company.
  - Information about the travel of a company executive can be used to research the company's possible partners in Spain and launch a social engineering attack on them.
Whatever the reason for the communication, always stick to the matter at hand, and under no circumstances volunteer or drop additional facts that are not relevant to the subject matter.
For companies, the sentence above should be part of the internal security policy and the e-mail usage policy.
Talkback and comments are most welcome.