If you’re anything like our clients, you’re worried about being vulnerable to email scams.
Our company has been providing IT support for over 25 years, and never before have we seen this level of concern about phishing, spear-phishing, and email spoofing – all of which are forms of malicious emails.
It makes good sense to be on high alert; according to Symantec’s April 2017 Internet Security Threat Report, these kinds of attacks are on the rise:
One in 131 emails sent were malicious, the highest rate in five years. Email’s renewed popularity has been driven by several factors. It is a proven attack channel. It doesn’t rely on vulnerabilities, but instead uses simple deception to lure victims into opening attachments, following links, or disclosing their credentials.
What exactly are these scams, how do they commonly present themselves, and what steps do you need to take to keep your business protected? We’ll walk you through it below.
What is phishing?
“Phishing” is an umbrella term used to describe an email scam where the sender tries to trick you into handing over valuable information such as account credentials, banking information, social security numbers, or other valuable personal information.
The email will appear to come from a trusted entity like Google, Dropbox, PayPal, your bank, or even a form of law enforcement. In many cases the email will direct you to click a web link where you will enter your credentials. This web page, of course, is a fake, and will deliver whatever you enter directly to the scammer.
What is spear-phishing?
As you might guess, spear-phishing is a more focused, targeted type of phishing. With spear-phishing, the sender does some research first; rather than posing as a trusted entity, they’ll pose as a trusted individual like a work colleague (generally a superior).
Our COO, for example, received an email that appeared to come from our CEO. After some back-and-forth, “Heinan” asked that David transfer funds to a bank account as soon as he could.
Some scammers will go so far as to fabricate an email chain between multiple company executives where they were discussing the wire transfer, and then send that to an organization’s head of finance hoping that they’ll oblige the request.
These fraudulent wire requests are a very common spear-phishing scam. Another popular scam is for the sender to request copies of employee W-2 forms, which conveniently feature all the information needed to steal someone’s identity.
What is email spoofing?
Email spoofing is a technique that phishing scams frequently rely on. Here, the sender forges the message headers so that the email appears to come from someone else (Google, your CEO, or whoever they are impersonating).
This is unfortunately not very difficult to do, and the emails will often get through spam filters since they have all the appearances of a legitimate email.
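One way a defender can check for the header forgery described above, as an added example that is not part of this post or our company's tooling: parse the inbound message and flag a visible From domain that merely resembles your own, a Return-Path or Reply-To domain that differs from the From domain, and any SPF, DKIM or DMARC result other than "pass" in the Authentication-Results header stamped by your receiving mail server. The domain names and both sample messages below are constructed placeholders; replace TRUSTED_DOMAIN with your own mail domain.

```python
"""Flag likely spoofed senders on an inbound message (constructed example)."""
import email
import re
from email.utils import parseaddr
from typing import List

TRUSTED_DOMAIN = "example.com"  # placeholder: your organisation's mail domain

# Constructed sample 1: a wire-transfer request whose visible sender looks internal
# but whose envelope sender, Reply-To and authentication results tell another story.
SUSPECT_RAW = """\
Return-Path: <bounce@mailer-lookalike.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-lookalike.test; dkim=none
From: "CEO Name" <ceo@examp1e.com>
Reply-To: ceo.urgent@freemail.test
To: finance@example.com
Subject: Urgent wire transfer

Please transfer the funds today.
"""

# Constructed sample 2: a genuine internal message that passes every check.
LEGIT_RAW = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: "CEO Name" <ceo@example.com>
To: finance@example.com
Subject: Lunch

See you at noon.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_warnings(raw_message: str) -> List[str]:
    """Return a list of human-readable reasons the sender looks forged (empty if none)."""
    msg = email.message_from_string(raw_message)
    warnings = []

    from_domain = domain_of(msg.get("From", ""))
    return_domain = domain_of(msg.get("Return-Path", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    # Visible sender is not our domain but is only a character or two away from it.
    if from_domain != TRUSTED_DOMAIN and edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        warnings.append(f"From domain {from_domain!r} resembles but is not {TRUSTED_DOMAIN!r}")

    # Envelope sender (where bounces go) does not match the visible sender.
    if return_domain and return_domain != from_domain:
        warnings.append(f"Return-Path domain {return_domain!r} differs from From domain {from_domain!r}")

    # Replies would be diverted somewhere other than the visible sender.
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # Authentication-Results is added by the receiving server; anything but "pass" is suspect.
    auth = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{check}=(\w+)", auth)
        if match and match.group(1).lower() != "pass":
            warnings.append(f"{check} result is {match.group(1)!r}")

    return warnings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("legit", LEGIT_RAW)):
        print(label, sender_warnings(raw))
```

In practice this logic sits in a mail gateway or a mailbox rule rather than a script, and a message that trips it should be quarantined or tagged with a visible banner so that staff know to verify by phone or a fresh email thread before acting on it.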
How to best keep your business protected
An up-to-date firewall and a robust spam filter are a good start when it comes to protecting your business from malicious emails. Scammers, however, are savvy enough to get around both of these technical controls; no preventative measure is foolproof.
The best way to minimize your company’s risk when it comes to email scams is to educate your staff. Walk them through what a bogus email might look like, and how to respond when they suspect they’ve received a scam. The rule of thumb here is that if you think an email isn’t legitimate, either start a fresh email chain with the supposed sender to verify, or give that person a call to double-check.
You might find value in simulation tools, too – with these services, you can send faux-phishing emails to your staff, see how they respond, and set them up with educational materials if they fail the test.
In today’s climate, it would be a good idea to investigate a full-fledged Security Awareness Training program for your team; our people will always be our weakest link, but with regular, thoughtful training, your risk of an attack will decrease significantly.