Preventing Corporate Email Scams
As long as there has been email there have been email scams. Bad actors trying to get something that doesn’t belong to them or that they have no right to. No one knows for sure how much is truly lost to this criminal element worldwide, but according to the United States government, reported business email compromise (BEC) scams accounted for losses of $1.7 billion in 2019. These losses were from the 23,775 cases that were reported and are one of the most financially damaging online crimes. Additionally, this figure represents only those cases reported at the federal level.
So many of us rely on email to conduct business, both personal and professional, it is easy to see why this is a serious line of attack for criminals. What is a BEC scam? It is when a criminal sends an email message that appears to come from a known source such as a vendor or bank. The request looks legitimate.
A scammer carries out a BEC scam in many forms.
They can spoof an email account or website by making a slight variation on a legitimate address. This fools the victim into thinking the fake account is authentic. For example, firstname.lastname@example.org may be the real address, but the scammer changes the last name of the sender to email@example.com.
Another common ploy used is phishing. The message may look like it is from a trusted sender and tricks the receiver into revealing confidential information. That information then allows the criminal to access company accounts, calendars, and data that gives them the details they need to carry out a BEC scheme.
Another way to carry out an email scam that gets much more press is the use of malware. Malware is malicious software that can infiltrate company networks. Malware allows criminals to gain access to data, passwords, and financial account information. It also can gain access to legitimate email threads about billing and invoices. That information is then used to time requests or send messages so accounting or financial officers are less likely to question payment requests.
Examples of actual emails scam attempts:
A vendor at your company who you regularly interact with sends an invoice with an updated mailing address
A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away
A home buyer received a message from his title company with instructions on how to wire his down payment
Let’s face it, there is always at least one employee who will click on anything. How can you prevent your organization from becoming a victim?
If an employee uses a company or personal computer or mobile device to access emails, they need to be informed about scams.
Educate your workforce and set procedures and policies to prevent your organization from being scammed. Be sure employees understand to always check the header of an email, the sender’s name displaying is correct and not a spoof email.
Remind employees to use their senses. For example, how does an email look? Is there a spelling error in the subject line, is the salutation generic? These are all possible clues to a scam email. It the email uses urgent or threatening language, such as “your account has been suspended” or “your data has been compromised” are also signs it may be a scam.
Another key point to make with employees is to never, never, never click on a link in a questionable email. Do not engage with a phishing email. Never open any attachments in an unsolicited email. Additionally, reputable companies will never use an email to ask for login credentials, money, or personal information.
Remote workers are not immune to scams. In fact, now more than ever, organizations need to have preventative measures against scams that cover all operations, on-site or remote. If your organization needs assistance in assessing its vulnerability or in setting up back-up disaster and recovery in the event you are hit with a scam and malware, contact LightWork ® Managed Services. Having a specialist work hand-in-hand with your IT staff to cover all your bases is a smart and responsible course of action.
If your business does not have an IT specialist, consider using LightWork as your ‘in house’ IT team. For more information, click here.