We all laughed heartily when James Veitch told his story of working with a spammer to ‘sell gold’. But most phishing scams don’t have such happy endings. Real people and businesses have lost millions of dollars and confidential information as a result.
What is a phishing scam? An email, text or social media post through which a scammer tries to steal sensitive information or gain access to bank accounts.
As email filters have become better at stopping email scams from your inbox, cyber criminals have found ways to make scams more effective. Gone are the days when scammers outright asked for your bank details.
In this article we are breaking down some phishing email examples. The takeaway is simple: the best way to protect your employees and organisation from email scams is security awareness.
Heard of social engineering? It’s an attacker manipulating social situations to fool you into divulging information or performing an undesirable act.
‘Fake CEO’ Fraud
A fake CEO scam works like this: a scammer sends an email from an address that mimics formal company communication. It may include some detail about the work you are doing, or your name, to make it feel authentic. Then comes an ‘urgent demand’, which you will feel inclined to fulfil as quickly as possible.
Emails from the CEO will always receive the highest priority from all employees. You will drop whatever it is you are doing and put your fullest attention into whatever the email says. Here are some things to watch out for:
- Check the ‘From’ address (it will likely be a close imitation of your company account)
- Check if the email actually matches company emails
- Verify the email with a colleague
- Don’t send confidential information or perform a financial act unless you have confirmed its authenticity
Employment scams
Employment scams take advantage of people looking for jobs. Two common recruitment scams are asking for bank details for temporary or remote work, and asking for deposits before continuing with the recruitment process.
In the first, the scammer tells you to send personal information to apply for a work-from-home job. That data is then used for identity theft. In the second, the scammer contacts you showing interest in your profile. They begin a dialogue and ask you to hold a ‘phone interview’. Once you are sufficiently invested, they ask you for bank details, from which they siphon off funds. If it sounds too good to be true, it probably is. Do the following things to make sure you don’t fall into the trap:
- Check the business’s credentials before you communicate with them
- Make sure the company’s own website lists the job
- Check the ‘From’ tag of the email to validate its source
- Do not share personal or financial details unless you are absolutely sure of the other party’s intentions
Legal notice scam
An officious-sounding email drops into your inbox, saying ‘Urgent: Overdue payment’ or ‘Legal Proceedings’. A legal-sounding attachment from a law firm, insurance company or law enforcement agency says you will be prosecuted or jailed. Then comes the demand that you reply with your personal details, such as your Social Insurance Number, date of birth, driver’s licence number and more. More audacious attackers will ask for your bank details outright too.
The legal notice scam, also called the ‘Fake FBI’ scam, is one of the oldest phishing email scam examples. It continues to be a lucrative channel of attack, especially if it is targeted at an employee in the workplace. Here’s what you should do:
- Take a deep breath and don’t respond hastily
- Get details of the sender of the email and check with your colleagues if they have received something similar
- Speak to your supervisor if the email pertains to your workplace
- Confirm the notice or demand with the company or law firm (do not use the contact details in the email!)
Overdue invoice
‘Your account is expiring’ and ‘Overdue invoice’ are some of the more effective email scams targeting organisations. In a busy everyday routine, an employee may find it easier to just pay off a small invoice than face the ire of angry team members. Simple things that will stop you or your company becoming a victim of fraud:
- Take the time to understand what is ‘owed’
- Ask yourself whether you are typically the one responsible for making payments
- If yes, check your records; if not, forward to the team member responsible
- Don’t make payment in a panic
Online business directory
There are thousands of industries and thousands of business directories. Since directories have become predominantly digital, it is not always easy to establish the credibility of an online directory. Many are legitimate, but cyber attackers know how hard it is to tell the difference. Don’t be cajoled into paying for a listing that doesn’t exist:
- Check the ‘From’ field to see where the email has come from
- If you are unable to verify if your organisation subscribes to the directory, speak to a superior
- Check if there are previous emails conversing with the sender
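The ‘From’ checks recommended for the fake CEO, recruitment and directory scams above can be automated in a mail filter. The script below is an added example (not part of this article or any product it mentions): it flags look-alike sender domains, executive display names on outside addresses, a mismatched Reply-To and urgency language; the company domain, executive name and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the organisation's real domain and the
# names attackers are most likely to impersonate.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_WORDS = ("urgent", "immediately", "overdue", "legal proceedings", "asap")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw_email: str) -> list[str]:
    """Return the reasons a message matches the scam patterns (empty list = none)."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    reasons = []
    # 'From' address is a close imitation of the company domain (1-2 edits away)
    if domain != COMPANY_DOMAIN and 0 < levenshtein(domain, COMPANY_DOMAIN) <= 2:
        reasons.append(f"look-alike sender domain: {domain}")
    # executive's name shown, but the mail did not come from the company domain
    if display_name.lower() in EXECUTIVE_NAMES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive name '{display_name}' used from outside the company")
    # replies are silently redirected to a third address
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        reasons.append(f"Reply-To points elsewhere: {reply_to}")
    # the 'urgent demand' that pressures the recipient into acting hastily
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in URGENCY_WORDS):
        reasons.append("urgency language in subject or body")
    return reasons

# Constructed sample message modelled on the 'fake CEO' scam.
SAMPLE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: ceo.office@mail-relay.example
To: accounts@example-corp.com
Subject: Urgent: wire transfer needed today

I'm in a meeting and need you to process a payment immediately.
"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE):
        print("FLAG:", reason)
```

A real deployment would take the company domain and executive list from the directory rather than hard-coding them, and would treat any single flag as a reason to verify with a colleague, exactly as the checklists above advise.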
Email scams have proven to be one of the most effective social engineering attacks. They offer lucrative returns on investment for attackers. Security awareness and vigilance must be maintained at the workplace and in your personal email at all times.
One hasty action can prove very expensive indeed!
Speak to Technical Action Group about security awareness tutorials and regular training for your employees. Regular cyber security training helps sensitize people about the real threats they face. Now watch how James Veitch deals with a ‘once in a lifetime’ opportunity.