Protecting Against Email Scams

All organizations think it won’t happen to them, but phishing isn’t a trap that only ensnares the gullible or those unacquainted with technology. Far from it. Gone are the days of poorly-worded, patently obvious attempts at scamming users out of their hard-earned cash. Some of today’s most sophisticated phishing attacks are almost indistinguishable from legitimate business communications – they’re well-written, thoroughly researched, and establish a thread of communication with the victim before attempting to steal their credentials, bank balance, or ask them to send gift cards.

Common Scams

CEO\Executive Impersonation
Impersonating a VIP – often the CEO – is big business for adversaries, knowing the recipient will often action the request straightaway. Threat actors research their executive target thoroughly to make sure their spoofed email is as convincing as possible- including the proper email signature of the VIP- so it stands more chance of succeeding. Attackers prey on users’ implicit trust of their seniors to coerce them into providing sensitive or personal information, bank account details, or initiating financial transactions.

These deceitful requests often convey a sense of urgency, and imply the interaction can only be carried out via email – the victim, therefore, has no time to question the validity of the request and is unable to call the CEO to confirm if it’s genuine.

Spear Phishing
Perhaps the most widespread form of email-based cyberattack, spear phishing targets individuals and specific companies with links to credential harvesting sites or requests for confidential information, such as bank details and personal data. Attackers study their victim’s online presence to include specific information that adds credibility to their requests, such as purporting to be a supplier that is known to the company.

Vendor Impersonation
Cybercriminals often masquerade as a supplier, requesting invoices are paid to alternative bank details. They can also pretend to be an employee, asking the HR department to pay their salary into a different account. Payment diversion fraud targets both businesses and individuals and the results can understandably be devastating.

There’s little point requesting someone to make a bank transfer or change payment details who isn’t authorized to do so – threat actors target finance and HR teams, who would expect to process payments and deal with changes to personal account details, so are more likely to comply with the fraudulent request.

How to Detect and Prevent Scams

Like most successful fraud schemes, scams are based on trust. Impersonated emails appear to come from people and businesses that are well known and trusted by others within the company. These scams prey on human vulnerabilities by targeting an employee’s desire to do a good job and fulfill an executive, vendor, or customer request. While fraud schemes are getting more sophisticated and harder to detect, there are things that you and all employees can do to better protect yourself from fraud. A few things to keep in mind:

1. Carefully check the email domain portion of an email sender’s address - the portion between @ and .com
   1. Verify it is correct and known to you
   2. Look for any replacement characters, such as 0 instead of the letter O, or l (lowercase L) in place of I (uppercase i).
2. Validate each email-based payment request coming from a company executive by telephone using a known phone number (not the one listed in the email) or in person. 
3. Pay attention to unusual circumstances and red flags: Does the email sound like typical emails you and your colleagues may have received from the CEO or other company executives in the past?

Organizational Review

Common types of social engineering attacks should not be ignored by any organization – these threats are very real and won’t disappear anytime soon. Organizations need to treat email as the serious security risk that it is and review their handling procedures for financial transactions.
The ICS Mail Security platform, along with other email security services, enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning employees can make quick, informed and confident decisions as to whether the email should be trusted. However, a few clients have reported to ICS they’ve been a victim of social engineering- even though the email from the attacker was marked as Possible Scam. 

While sophisticated technology may be in place to detect these phishing attempts, this growing threat landscape shows no sign of slowing. Thus, organizations should make immediate changes to their internal payment procedures to adequately protect themselves from these attacks. As an example, a semi-annual company-wide meeting can be held to reiterate IT or mail security issues the company is facing and how to prevent them.

Notice to Staff:

• Heed warning signs, such as the subject line “POSSIBLE SPAM”, or requests for urgent\discreet actions.
• Verify abnormal or sensitive requests via a known secondary contact method
• Check the "From" address line in the email. If you receive an email from a sender that you are already familiar with, always check the "From" address line to make sure that the email is coming from the correct domain. If viewing the email from a smartphone and you have suspicions of where the email originated from, open the message up in an email client on your computer to view the email domain name.

Additional Scam Prevention Tips

• Gift Cards are for gifts, not payments.
• Beware of urgent language. These emails oftentimes come with a sense of urgency. Phishers in particular tend to use this, attempting to elicit panic in their victims. A frazzled and fearful victim can be more apt to follow instructions in the email.
• Avoid clicking suspicious links or downloading suspicious attachments
• Be careful of unexpected, out of character emails. When receiving a message, ask yourself if this is normal communication from the sender. If not, do not reply to the email- rather call the person to verify the request

Company Policy Considerations

• Adjust company policies to require management and the employee to verify by voice call with each other any transactions of money\finances.
• Adjust company policies to require at least two people to verify a payment can be made to recipients. These two people will verify the request, payment information, and legitimacy of the recipient.
• Consider limiting the amount of staff\employee information shared on the company website or social media. Some organizations implement NDA’s that prohibit employees from divulging their current employer. Attackers will search public information to gather names of individuals occupying management positions such as President, CEO, COO, etc.
• Create an “Incident Response Plan” to use when an employee falls victim to a phishing attack. Planning for that scenario now will ensure that the company has the highest chance of financial recovery and the lowest risk of reputational damage. Such a plan may include contacting the financial service organization such as a bank or gift card supplier, contacting the Federal Trade Commission, the State Attorney General, and the FBI Internet Crime Complaint Center.