If you use email on a regular basis (and who doesn’t), you have probably heard about phishing or spoofed email campaigns, where the sender pretends to be a business associate, your bank, or even a trusted friend. The attacker’s goal is to gain your confidence and get you to do something-click on a link, visit a website, or perform some other behavior that will compromise your security.
In the past, these scammers would “mask” their true identities using formatting techniques that hid their email addresses, so only the name of a real person or company displayed in the email. Employees were warned to hover their mice over email addresses, which would reveal the true address. Many firms shifted to “plain text” formatting, which shows the actual email address as read by the system.
How It Still Works, and Why
Those approaches helped until the advent of domain spoofing, where an email sender could make it look like a message came from [email protected] when it actually came from a scam artist. (Domain spoofing is also used to make fraudulent websites look real, but that’s a discussion for a different day.)
Top Five Prevention Tips
- Confirm the request via phone or message to the known, valid email address of the requestor of a wire transfer or other unusual action.
- Do not reply to suspicious email. It confirms your email, which the scammer may not actually have. He/she may have guessed it based on a company directory and common addressing protocols (e.g. [email protected]).
- If the email is from a free personal email service, like Mail.com or Yahoo.com, report the email account to the provider.
- Develop a training program, including sample emails for personnel to identify as real or not.
- Deploy an email authentication system that can identify suspicious emails. TCP/IP, the protocol on which email transfers, is not designed to pinpoint spoofed emails. (We can help with that.)
One of our clients recently received such a message from her boss, asking for a same-day wire transfer to pay a vendor invoice. Fortunately, the recipient of the message recognized something was amiss and reached out to us for advice. We confirmed her suspicions, and the scammer went away, empty handed.
This “wire transfer” scam has been proliferating since at least 2014, but scammers keep at it because it is successful. In some cases, they set up a fake email account, like [email protected], that a worker might assume is the requestor’s personal email address, or they use a domain that is spelled almost, but not exactly, like the real one. The most sophisticated scammers spoof the domain so it looks 100% legitimate.
Tricks that Work
Some scammers ask for the money outright, using a pretense of urgency-“I am stuck in a meeting and I need to wire a vendor $5,000 before 4 pm or an important inventory shipment will be delayed.” Others start with a short message that seems innocuous-“Donna, are you in the office right now?” Once the target responds, they lead them through a conversation designed to gain trust and then make the final request. Scammers also know that requests for large sums send up red flags, so they generally stay below a reasonable threshold, based on company size.
In 2015, the U.S. Secret Service announced that this type of scam, called a Business Email Compromise (BEC) campaign, had bilked U.S. firms out of at least $1 billion over a single 18-month period. To avoid this happening to your firm, review (and share) our Top Five Prevention Tips. Then, call Carmichael Consulting at 678-719-9671 to learn about technologies that can help identify these fraudulent emails as well as security training services that will teach your staff to “Just Say No.”