Email scams: spoof, spam, phishing and attachments. Don’t be a victim
The majority of business communications are carried out by email. It is a highly useful tool as it allows information to be conveyed across the globe in a method that can be tracked, responded to and referred back to in the receiving person’s own time.
It can be urgent or of low importance and the owner of the email inbox gets to decide what priority should be put on the communication, whatever the sender indicates, unlike a telephone call which, once answered, requires an immediate response. Business people love it, to the extent that some are accused of hiding behind email, which is great for those planning to carry out email scams.
When it comes to hiding, there are other potential issues within email. Spam is a known quantity. Links within the text, once clicked upon, can lead readers to compromised websites, or to download, unbeknownst to them, hidden malware or spyware. Most email users have become accustomed to receiving these kinds of emails now and if they get through their spam filter, up to date anti-virus software should protect them in most cases. People have also become educated to the fact that clicking on these links is a bad idea, even when the emails appear to have come from people they know, though curiosity can sometimes throw caution to the wind. The attempts to lure money from individuals by the chance to process or inherit vast sums of money from the estate of a general of a foreign state or from a long lost relative appear crude and the friend stranded abroad who needs you to send funds urgently, even though you only saw them in the pub last night, has done the rounds so many times that most people see this one coming.
Email remains as popular as ever, and so it goes that email scams remain a useful route for cyber criminals. It is just they have had to make their attacks more sophisticated. The spammers apply business techniques in the same way a legitimate business would. The CEO Fraud email scam, sometimes called the Business Email Compromise, is an obvious example of understanding how businesses operate and taking advantage. Where authority for payment comes in the form of an email from the CEO of the company to the person responsible for processing payment, the fraudsters either spoof an email address (making it seem to come from a supplier) to send a modified invoice requesting payment to new bank details or they compromise or spoof the CEO or CFO’s email account and send payment demands to a junior colleague who unwittingly actions them. HSBC has a particularly good explanation of how this works, which can be found on their business banking website.
Fraudsters also pay attention to the seasonal activities of businesses. HMRC has worked hard to reduce the spoof emails from cyber criminals regarding tax refunds, which would start arriving in people’s inboxes not long after the January deadline to submit tax returns. To protect taxpayers, HMRC has clearly spelt out when they will make contact and their methods of doing so, this can be found here. Due to the deadlines for automatic enrolment, pension providers are now the target. Spoof emails, which appear to come from NEST, suggest there is a new message to be accessed via clicking on a link in the email.
As one route closes, another one opens and email attachments are still delivering ransomware and malicious viruses into organisations. This time though they appear to be coming from the office scanners as PDF documents. A new favourite is the unsolicited Curriculum Vitae. This is the cruellest weapon of all as it creates barriers for those genuinely seeking employment with businesses. For example, here at Beaming we don’t take the risk of opening CVs sent to us as email attachments, we request that applicants include all information within the body text of the email.
What can you do?
So how do you protect your business? Investing in Unified Threat Management devices, which incorporate a traditional firewall with Intrusion Prevention and Detection, malware and spam protection with content filtering, application control and web filtering, is a good way to deal with the threats but there are costs associated with this, which may be beyond micro businesses.
For all sizes of organisation though, training yourself and staff within your organisation to understand the risks of clicking links and opening email attachments is a sensible start and keeping anti-virus software up to date will also help.
Email is a great way of communicating and an essential element to doing business. Keep your business communications safe by understanding how it can be used against you and take every step you can to protect your organisation, including the judicious use of “shift delete”.