Email scams have been around almost as long as email itself. But each year, just as users think they know what to look for to keep themselves out of harm’s way, cyber criminals come up with a more advanced, harder to detect style of attack. Each year, Mimecast, a leading email and data security company publishes its state of email security report. The latest one found that of its 1,025 respondents spread throughout the globe, 85% had experienced an email impersonation attack of some type in 2018. Even scarier, 73% of those victims lost money, data or customers from the attack.
With so much at stake and the alarming rate at which email scams are growing and changing business leaders can no longer afford to stay complacent. One of the best ways to keep your company from falling victim is to educate yourself and your employees on the latest trends in email scams and what they can do to stay safe. So, let’s start by exploring four of the most common email scams posing the biggest threat to businesses.
Four email scams every business leader (and their employees) must understand
Scam #1: Email Spoofing
This is one of the simplest and most common email scams. In a spoofed email, the cyber attacker attempts to forge an email, often using logos or other images from the business they’re trying to impersonate. These are easy to steal. All it takes is a simple Google image search to give an email instant credibility.
These messages will often ask you to take action to protect your finances or other sensitive data. Their links send you to a website that looks trustworthy but are far from it. They usually contain malware and send the personal information you enter on them directly to the hacker.
The reason these attacks are successful lies in simple psychology. When people believe a message comes from someone they know and trust, they are more likely to open and click it, with little thought. But an easy way to avoid spoofing is to look carefully at the from address on emails before you open them. Often the sender name will look legitimate but be followed by an unknown address.
Notable examples of spoofing:
- A leading manufacturer of wires and cables lost approximately $44 million when a finance employee at the Romanian office fell for a phishing email claiming to be coming from one of the company’s senior German executives.
- A US drug company gave hackers more than $50 million over three weeks while they impersonated the company’s CEO, sending fraudulent emails to an Accounts Payable employee asking them to make nine fraudulent water transfers.
Scam #2: Spear Phishing
Spear phishing works much the same way as spoofing but builds upon it. Rather than the “spray and pray” approach, where hackers send the same message to thousands in the hopes someone will fall into the trap, they direct spear phishing attacks at a tiny group, or even a specific person. Executives are common victims because of their access to so many other people.
To help make these messages look even less suspicious, hackers take the time to personalize each email to their target. So, by the time you become a victim of spear phishing, your attacker already knows a bit about you. They likely have details such as your name, your company name, your friend’s names, websites you visit.
Notable examples of spear phishing attacks:
- A European cinema chain sent hackers more than $21 million when two top-level executives received emails impersonating the CEO and asking them to transfer funds to an offshore account.
- A commodities trading firm lost more than $17 million to hackers who while pretending to be the CEO sent emails to the controller. The messages asked he/she to wire funds to their bank account. The unique thing about this scam was the emails referred to the company’s real accounting firm, though the contact information they gave for it was false. They traded the real phone number and email address for Israeli and Russian ones, respectively.
Scam #3: Business Email Compromise
Business email compromise is a more sophisticated email scam. Though, the spear phishing I explained above serves as the basis for it. Here, a hacker will use spear phishing to gain access to a victim’s email account. Then, they will monitor and mine that account, until they find real transaction(s) either past or current they can replay or change to redirect funds into their account.
Notable examples of business email compromise
- Nikkei, a Japanese media conglomerate lost $29 million when an American employee transferred money to scammers pretending to be a company executive.
- FACC, and Austrian aviation manufacture lost upwards of $54 million in cash and intellectual property when cyber attackers impersonated employees in both its forensics and finance departments.
Scam #4: Vendor Email Compromise
Vendor email compromise is just a slightly different twist on the last email scam we talked about. In these attacks, the hackers target the email systems of businesses who supply others with goods and services. Then, they create realistic looking, but bogus invoices and send them out to the company’s clients. Often, the targets for these attacks are small vendors who supply larger firms with deep pockets.
Notable examples of vendor email compromise
- The city of Ocala Florida lost nearly three quarters of $1 million when an accounting specialist received and paid a fraudulent invoice from a hacker impersonating a known city contractor.
- A multinational social media and online company lost more than $100 million to scammers who posed as a variety of suppliers using forged invoices, letters and contracts.
These last two types of attacks pose particularly ominous threats for businesses of all sizes because they are hard to detect. All the usual signs of email fraud are often lacking. There are no spelling mistakes, the grammar is correct, and the attacker sends the emails from a real, not spoofed email account.
What can I do to keep my company safe from email scams like these?
Some of the best ways to keep your company safe from email scams are also the simplest. As I mentioned briefly earlier, your first line of defense is to educate all employees. Make sure they receive regular training on what to look for in phishing emails. That way, they stop hackers before they gain access to your network. Another effective tool in the fight against cybercrime is enabling multifactor authentication on your business email accounts. So, when someone tries to impersonate you, you’ll know and they’ll be stopped in their tracks, since they can’t see the pin number or password delivered to your mobile device.
For Office 365 users, enabling multi factor authentication is fairly simple. If you need help to get it set up, contact us. We will be happy to assist. Or, if you would like added peace of mind, there are also third-party security tools that work with most business email providers. We’d love to recommend one that fits your unique needs. To get started, send us an email or call (336) 315-3935.
Sources:
- https://www.thesslstore.com/blog/the-dirty-dozen-the-12-most-costly-phishing-attack-examples/
- https://threatpost.com/bec-scam-nikkei-29-million/149834/
- https://resources.infosecinstitute.com/5-real-world-examples-business-email-compromise/
- https://www.bankinfosecurity.com/vendor-email-compromise-new-attack-twist-a-13170
- https://www.mimecast.com/resources/press-releases/dates/2019/10/october-esra/
- https://southfloridareporter.com/ocala-company-hit-with-business-email-compromise/
