Amber Rudd, the British Home Secretary was tricked into an email exchange with someone posing as her own communications chief.
The Minister was using an Outlook.com account which is pretty amazing, even for personal use, by someone in such a senior position.
It does show how insecure email is from an identification point of view. It’s too easy for someone to setup an email account in a false name and impersonate another. ‘Sinon Reborn’ is a master of this trickery having fooled senior officials on both sides of the Atlantic.
What can you do?
Be alert when you get emails. Ideally, you’d notice when an email arrives from an unexpected or new address.
What can Microsoft do?
Microsoft could improve the features that match incoming emails to contacts. When messages arrive from email addresses NOT in the contact list, they are highlighted in some way. Users can then either add the incoming email to the contact list or check if the new address is really the person they expect.
Email has methods of verifying sending domains but not individual users. Digital certificates for email are poorly supported, especially by Microsoft. Redmond shows little interest in improving certificate support, preferring inadequate and proprietary solutions.