The email impersonation scam is a growing threat to businesses nationwide, no matter their size. Cybercriminals are targeting business personnel to elicit money transfers, sensitive information, or even user credentials through fraudulent hyperlinks. This form of spoofing, also known as CEO fraud, often prevails because the attacker is posing as someone the employee knows from within their organization. 1.4 million people were affected by CEO fraud in 2018, a major increase of over 38% from 2017. Protect yourself from the business email scam with three simple strategies.
How Does the Email Impersonation Scam Happen?
To better understand how to protect yourself from an email impersonation scam, we’ll explain how cybercriminals execute their attacks. We often think of them as some sort of tech masterminds, but in reality, spoofing someone’s email address is relatively easy. But, before these scammers attempt to impersonate someone from your organization through a forged email address, they do their research to learn all they can about your employees. They’ll peruse your business’ website, social media profiles, or other publicly-available information. Once they understand your organization’s structure, they begin to target specific employees based on the goals they’re looking to achieve. For example, if credit card or bank account information is their target, they may pose as someone from your financial department and send out fake invoices. If they’re looking to access your databases, they’ll target someone in your IT department. They may even ask for social security numbers and other sensitive personal information by posing as someone from Human Resources.
After creating a fake email address of this employee, they’ll email your staff members and ask them to perform tasks they shouldn’t, e.g., wire money or provide financial information. The reason phishing emails are so deceptive is that they look almost identical to average emails sent amongst your organization. They steal logos and signatures from your company and even use the same jargon your staff does. Their forged email addresses are similar to your organization’s. As you can see, identity theft isn’t a black-and-white issue. Let’s talk about three ways to stop an imposter before you’re affected.
Identifying Deceptive Emails
Your employees are your best line of defense against email scams and other cybersecurity threats. Train your employees to spot a forged email by looking for any discrepancies between the sender’s email address and your organization’s email address. A deceptive email address could have the smallest alteration (e.g., dot com versus dot org). They should also check the subject line for any indication of a suspicious email. Fraudsters try to employ urgency in the body of their message, to trick individuals into providing account numbers, PIN numbers, and other sensitive data. When employees spot something unusual, they should always follow-up with the sender in person or through a phone call. This practice may seem trivial, especially when employees are already juggling heavy workloads, but stopping scam emails could save your organization thousands of dollars.
Alter Email Service Settings
Cybercriminals are far more advanced than they were in the past, but so are our email services. A lot of unsolicited emails sneak into our inboxes with forged sender addresses located in the email header. Every email has two senders, and the one in the email header is what a receiver sees upon opening their mail. If you have a trusted IT professional on staff, have this person create DNS records (SPF, DKIM, and DMARC specifically). These will enable your company’s domain to block incoming emails from forged addresses. If you don’t have a member on staff, you can outsource for this kind of project or follow the instruction guides provided by your email service provider. You can also enable warnings within your email settings to flag any incoming and outgoing mail from outside your organization.
Implementing Internal Processes to Reduce Risk
The following strategies are more general internal processes that can be applied to reduce the risk of CEO fraud:
- Implement a system for managing wire transfers of money, which should include a checklist of approvals to meet before a large sum of money leaves the account.
- Purchase domain names similar to your own to prevent a cybercriminal from doing so. Consider alternate spellings of your domain name, capitalization, and numerical values.
- Multi-factor authentication (MAF) is a necessity. Refer to the following MAF processes: pins, challenge/response questions, magnetic stripe cards, mobile fingerprints, one-time password tokens, and smart cards.
If you receive an email that doesn’t feel right, go with your gut. Some common indicators of an attempted cybersecurity attack is an unusual sense of emergency, an altered signature, or even the name the sender refers to you or themselves by. When in doubt, walk over and verify in person or give that person a phone call – but not with the number listed on the email in question. The Front Porch Solutions team can help protect you from email-based scams and other fraudulent activities. Contact our marketing professionals to learn more.