How to Protect Your Company from Forged or Malicious Emails

As originally published in the American City Business Journals.

Not too long ago my COO received an email from my address. The chain started out simply:

Hi David

Are you at the office? Write me back when you are.

Kind Regards

Heinan

A few exchanges later, David uncovered the real motive:

David, Process payment for $19,785.10 and to be paid into the account information below…

This was an email spoof, the same kind of scam that has cost businesses nearly $750 million between October 2013 and August 2015.

Scammers will use basic online searches to identify business executives. They’ll forge that executive’s email address, and will send rather sophisticated requests for wire transfers straight into their pockets.

Sometimes they’ll even manufacture exchanges where multiple executives “approve” the transfer before emailing their target, who is typically a member of the company’s finance department.

These spoofs have hit several of my clients, and have accounted for 38 percent of all cyberattacks over the past year.

It is yet another form of malicious email that we as business owners need to be aware of, and know how to combat.


How to sniff out a bogus email

Whether we’re talking about spoofed emails or emails that contain viruses or ransomware, there are a few red flags that you and your staff need to keep top-of-mind:

  • The email feels “off.” In the case of the spoof above, one of the giveaways (beyond the fact that I would never request a wire transfer) was the language the spoofer used; I have never in my life signed an email with “Kind Regards.”
  • It’s asking for personal information. Always be suspicious of messages that request any sort of sensitive, personal, or financial information, even if it seems to come from someone you know or an authority figure like law enforcement.
  • It doesn’t address you by name. A legitimate email will likely not refer to you as “Sir/Madame” or the ever-personal “Hi.” Approach any email that begins this way with caution.
  • Attachments end in “.exe,” “.com,” “.bat,” or “.scr” and so forth. A legitimate attachment will rarely need to be an executable file or any other file that actively runs a program on your machine. In most cases, such a program will be malicious.
  • Web links are masked. Make sure that URLs in an email are taking you where they claim to, not to a site that’s swimming in malware. Check this by right-clicking the URL and opening the properties to view the actual web address.
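As an added illustration (not part of the original article), here is a small Python filter that scores an incoming message against the red flags above: a generic greeting, a request for payment or sensitive data, a masked link whose visible text names a different host than the one it actually points to, and an executable attachment. The sample message, the example.com addresses and the 203.0.113.9 link target are all constructed for the demonstration.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions named in the article; extend the tuple with whatever your own policy blocks.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".bat", ".scr")
GENERIC_GREETING = re.compile(r"^(hi|hello|dear sir/madame?)\s*[,!.]?$", re.I | re.M)
SENSITIVE_REQUEST = re.compile(r"wire transfer|process payment|account information|password", re.I)
# Good enough for <a href="...">text</a>; a production filter would use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def masked_links(html):
    """Return hrefs whose visible text names a host other than the one the link really goes to."""
    flagged = []
    for href, text in ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if " " in text or "." not in text:  # a label such as "click here", not a URL
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if shown and urlparse(href).hostname != shown:
            flagged.append(href)
    return flagged

def red_flags(raw_bytes):
    """List the article's red flags that a raw RFC 5322 message trips."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    text = plain.get_content() if plain else ""
    flags = []
    if GENERIC_GREETING.search(text):
        flags.append("generic greeting")
    if SENSITIVE_REQUEST.search(text):
        flags.append("asks for payment or sensitive data")
    if html and masked_links(html.get_content()):
        flags.append("masked web link")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            flags.append(f"executable attachment {name}")
    return flags

def constructed_sample():
    """Constructed message modelled on the article's spoof (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "Heinan <ceo@example.com>", "David <cfo@example.com>", "Payment"
    msg.set_content("Hi\n\nProcess payment for $19,785.10 to the account at bank.example.com/pay\n\nKind Regards\nHeinan\n")
    msg.add_alternative('<p>Hi</p><p>Process payment for $19,785.10: <a href="http://203.0.113.9/pay">bank.example.com/pay</a></p>', subtype="html")
    msg.add_attachment(b"not really a program", maintype="application", subtype="octet-stream", filename="wire.scr")
    return msg.as_bytes()
```

Running `red_flags(constructed_sample())` reports all four flags; a message addressed by name, with matching link text and no executable attachment, returns an empty list.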


How to protect your company from theft or malware

If you see any of the above warning signs, stick to these tips to keep your money and your network safe:

  • Don’t open any attachments you weren’t expecting.
  • Verify all web links before clicking on them.
  • Call the sender to verify any email, attachment, or link that appears suspicious.
  • If you absolutely must send sensitive information, start a new email chain (with an email address you know is legitimate). If you have an encrypted email service, use it.

Sure, these steps take some time out of your already jam-packed day. And sure, you might feel a little silly calling your boss to ask “Did you really want me to send this?”

But I’m sure you’d feel a whole lot sillier if you transferred $20,000 of your company’s money to some hacker’s bank account in Missouri.
