16 January 2020
The New Criminals Targeting Your Inbox: How to Avoid Email Scams
From schoolchildren to grandparents, everyone with an inbox has received scam emails that take a mass distribution approach. There is, though, a new breed of scam that is carefully targeted at businesses… and some are losing hundreds of thousands of dollars before they find out.
Just recently, we were talking with a local business. A staff member had received an email, appearing to be from the boss, asking for an invoice to be paid immediately to a new supplier. This wasn’t an especially unusual request, and, after a quick exchange of emails, payment was processed. The business is used to dealing with large sums, so the bill for tens of thousands wasn’t surprising. Until the next day, when it was discovered that the supplier didn’t exist. The hacker had done their homework, learning who processed payments and who approved them.
These new email scams depend as much on social engineering skills as on hacking skills. In some cases, organisations have had their systems breached to ascertain information that enables perpetrators to mimic key personnel. In others, sheer audacity goes a long way. Just days after hearing about the first scam, another client told us about an incident where they’d received an email from a worker who had left the organisation, asking for their final payment to go into their new bank account. They complied, and only found out when the real worker queried when they would be paid.
Email Scams: How to Protect Yourself
This kind of attack is becoming more and more common, and the key protective measures are education and tighter processes. When we looked at the details, the attacks could have been prevented by:
- Confirming requests for payment via SMS to the correct person before processing large sums. In this way, you are using a trusted communication – rather than simply hitting reply and inadvertently communicating with the fraudster.
- Ensure that any changes to banking details are verified by phone with suppliers or staff, using a trusted phone number rather than automatically using the one on an email.
- Check the email address that sent the request. In the above case, while the email appeared to be sent from the correct person, later checks showed that the sent email address was entirely different. All staff should be educated on this very simple check.
- Check email signatures. In one of the above cases, the senior staff member’s usual email signature was missing.
- Verify new customer and supplier details directly using trusted contact details.
- Inform staff what to do if they suspect there is a problem, and encourage them to report problems immediately. If a hacker doesn’t succeed with one staff member, they may move on to another, but if details of attempted attacks are shared, everyone is on guard.
- Create a cyber safety culture in your organisation, just as you create a workplace safety culture. Display information, send updates, and include cyber safety training in induction processes and staff training. This keeps your people and your business safer online.
Cyber-crime and email scams are big business, and new methods emerge all the time. While you are busy with your own activities, IT security is a core part of our business at TechPath, and our specialists spend time daily keeping up to date with the latest threats.
To find out more, contact our expert team.
For more tips on cyber-crime and simple protective measures, follow TechPath on LinkedIn and check through our blogs.