The email impersonation scam is a growing threat to businesses nationwide, no matter their size. Cybercriminals target business personnel to elicit money transfers, sensitive information, or even user credentials through fraudulent hyperlinks. This form of spoofing, also known as CEO fraud, often succeeds because the attacker poses as someone the employee knows from within their own organization. In 2018, 1.4 million people were affected by CEO fraud, an increase of over 38% from 2017. Protect yourself from this scam with the following strategies.
How Does the Email Impersonation Scam Happen?
To better understand how to protect yourself from an email impersonation scam, we’ll explain how cybercriminals execute their attacks. We often think of these bad guys as tech masterminds, but in reality, spoofing someone’s email address is relatively easy. Before they create a fake email address to impersonate someone from your organization, they do their research to learn all they can about you. They’ll peruse your business’ website, social media profiles, or other publicly available information. Once they understand your organization’s structure, they target specific employees based on the goals they want to achieve. For example, if money is their target, they may pose as someone from your finance department. If they’re looking to access your databases, they’ll target someone in your IT department.
After creating a fake email address for this employee, they’ll email staff and ask them to perform tasks they shouldn’t, e.g., wire money or provide information. The reason they deceive so many is that their emails look almost identical to your company’s ordinary internal emails. They steal logos and signatures from your company, and even use the same jargon your staff does. Their forged email addresses are deliberately similar to your organization’s. As you can see, email impersonation isn’t a black-and-white issue. Let’s talk about three ways to stop an imposter before you’re affected.
Identifying Deceptive Emails
Your employees are your best line of defense. Train them to spot a forged email by looking for any discrepancy between the sender’s email address and your organization’s email domain. A deceptive email address may differ by only the most minute alteration (e.g., dot com versus dot org). If they spot something unusual, they should always follow up with the sender in person or over the phone. This practice may seem trivial, especially when employees are already juggling heavy workloads, but it could save your organization thousands of dollars.
Alter Email Service Settings
Cybercriminals are far more advanced than they were in the past, but so are our email services. Many attackers slip into our inboxes by forging the sender address in the email header. Every email carries two sender addresses: the envelope sender used to deliver the message, and the From address in the email header, which is what the recipient sees upon opening the mail. If you have a trusted IT professional on staff, have this person publish DNS records for your domain (specifically SPF, DKIM, and DMARC). These records let mail servers, your own included, identify and block messages that forge your company’s domain in the sender address. If you don’t have such a person on staff, you can outsource this kind of project or follow the instruction guides provided by your email service provider. You can also enable warnings within your email settings to flag any incoming and outgoing mail from outside your organization.
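The following added example (not code from the original article or from Front Porch Solutions) shows how the three records work together: SPF covers the envelope sender, DKIM covers a signature tied to a domain, and DMARC requires one of them to pass for the same domain that appears in the visible From header before the published policy is applied. The domain names, DKIM selector, and message values are constructed for illustration, and the alignment check is simplified to an exact domain match.

```python
import re

# Constructed DNS TXT records for the hypothetical domain example.com.
# SPF: which servers may use example.com as the envelope sender.
# DKIM: the public key (placeholder here) used to verify signatures.
# DMARC: what receivers should do when neither check passes in alignment.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mail-provider.example -all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=<public-key-placeholder>",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

ACTIONS = {"reject": "reject", "quarantine": "quarantine", "none": "deliver and report"}


def sender_domain(addr):
    """Domain part of an address such as 'CFO <cfo@example.com>', lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def dmarc_policy(domain, dns=DNS_TXT):
    """Return the 'p=' policy from the domain's DMARC record, or None if none is published."""
    record = dns.get("_dmarc." + domain)
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(tag.strip().split("=", 1) for tag in record.split(";") if "=" in tag)
    return tags.get("p")


def dmarc_verdict(header_from, return_path, spf_result, dkim_result, dkim_domain, dns=DNS_TXT):
    """Decide whether a message passes DMARC for the visible From domain.

    spf_result / dkim_result are the receiver's authentication results
    ("pass", "fail", "none"); dkim_domain is the d= value of the signature.
    Returns (passes, action_for_receiver).
    """
    from_domain = sender_domain(header_from)
    policy = dmarc_policy(from_domain, dns)
    # Alignment: the check must pass for the same domain the user sees.
    spf_aligned = spf_result == "pass" and sender_domain(return_path) == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain.lower() == from_domain
    passes = spf_aligned or dkim_aligned
    if policy is None:
        return passes, "none (no DMARC record published)"
    if passes:
        return True, "deliver"
    return False, ACTIONS[policy]


if __name__ == "__main__":
    # Constructed messages: a genuine one, a forged From header, and a lookalike domain.
    cases = [
        ("CFO <cfo@example.com>", "bounces@example.com", "pass", "pass", "example.com"),
        ("CFO <cfo@example.com>", "x@attacker-mail.example", "pass", "none", ""),
        ("CFO <cfo@examp1e.com>", "cfo@examp1e.com", "pass", "none", ""),
    ]
    for case in cases:
        print(case[0], "->", dmarc_verdict(*case))
```

The second case shows why the envelope sender alone is not enough: the attacker's SPF record passes for their own domain, but DMARC rejects the message because the visible From domain does not match. The third case shows the limit of these records: a lookalike domain with no DMARC record of its own sails through, which is why employee training and registering similar domains still matter.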
Implementing Internal Processes to Reduce Risk
The following strategies are more general internal processes that can be applied to reduce the risk of CEO fraud:
- Implement a system for managing wire transfers of money, which should include a checklist of approvals to meet before a large sum of money leaves the account.
- Purchase domain names similar to your own to prevent a cybercriminal from doing so. Consider alternate spellings of your domain name, capitalization, and numerical values.
- Multi-factor authentication (MFA) is a necessity. Common MFA factors include: PINs, challenge/response questions, magnetic stripe cards, mobile fingerprint readers, one-time password tokens, and smart cards.
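The discrepancy check described under "Identifying Deceptive Emails" and the domain-registration advice above both come down to the same question: does the sender's domain merely resemble ours? The following added example (not code from the original article) classifies a sender's domain against the organization's own, covering the variations the article mentions: a different top-level domain, digits substituted for letters, the company name embedded in a longer domain, and small spelling changes. The organization domain and sample senders are constructed for illustration.

```python
import re

# Constructed organization domain for this example (an assumption, not the article's).
ORG_DOMAIN = "bluelake.com"

# Characters commonly swapped for visually similar ones; the multi-character
# pairs are replaced first so "rn" becomes "m" before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]


def sender_domain(addr):
    """Domain part of an address such as 'CFO <cfo@bluelake.com>', lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def normalize_homoglyphs(s):
    """Map look-alike characters back to the letters they imitate."""
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def levenshtein(a, b):
    """Edit distance: number of single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr, org=ORG_DOMAIN):
    """Return 'internal', 'external', or a 'lookalike: ...' reason for the sender's domain."""
    domain = sender_domain(addr)
    org = org.lower()
    org_label, org_tld = org.rsplit(".", 1)
    if domain == org:
        return "internal"
    if domain.endswith("." + org):
        return "internal (subdomain)"
    label, _, tld = domain.rpartition(".")
    # Same name, different ending: the "dot com versus dot org" case.
    if label == org_label and tld != org_tld:
        return "lookalike: top-level domain differs"
    # Digits standing in for letters, e.g. b1uelake for bluelake.
    if normalize_homoglyphs(label) == normalize_homoglyphs(org_label):
        return "lookalike: digit or letter substitution"
    # Company name padded with extra words or used as a subdomain elsewhere.
    if org_label in domain:
        return "lookalike: organization name embedded in another domain"
    # Small spelling changes; allow two edits only for reasonably long names.
    limit = 2 if len(org_label) >= 8 else 1
    if levenshtein(label, org_label) <= limit:
        return "lookalike: within %d character edits" % limit
    return "external"


def flag_senders(senders, org=ORG_DOMAIN):
    """Return (sender, verdict) for each sender that is not internal, for review."""
    return [(s, classify_sender(s, org)) for s in senders
            if not classify_sender(s, org).startswith("internal")]


if __name__ == "__main__":
    # Constructed sample senders.
    samples = ["alice@bluelake.com", "hr@payroll.bluelake.com", "cfo@bluelake.org",
               "cfo@b1uelake.com", "ap@bluelake-payments.com", "ceo@bleulake.com",
               "bob@partner-bank.example"]
    for sender, verdict in flag_senders(samples):
        print(sender, "->", verdict)
```

A check like this belongs in the mail gateway or as a banner rule, not in the employee's head: anything that comes back as a lookalike should carry the external-sender warning the article recommends, and the names it finds are good candidates for the defensive domain registrations listed above.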
If you receive an email that doesn’t feel right, go with your gut. Some common indicators of an attempted attack are an unusual sense of urgency, an altered signature, or even the name the sender uses for you or for themselves. When in doubt, walk over and verify in person, or pick up the phone and call, but not with the number listed in the email in question. The Front Porch Solutions team can help protect you from email-based scams and other fraudulent activities. Contact our marketing professionals to learn more.