Email phishing scams are becoming more and more sophisticated with many businesses, customers and employees targeted.
This week Telstra customers received an email offering refunds on payments. It was not addressed to recipients by name, instead calling them “customer”; its link directed to a fake landing page demanding bank details, and it provided a fake receipt.
These are details only realised later and MailGuard has since blocked the scam, according to IT Wire.
But it’s not just fake bill scams that small businesses should look out for.
“Don’t underestimate the infiltration of Business Email Compromise (BEC) because you are an SMB – it is a threat faced by companies of all sizes, not just big business,” Proofpoint managing director Tim Bentley told SmartCompany.
“What may be a slap on the wrist for a large company, could be the end all for a small business.”
Unlike other imposter scams which take a “shotgun approach” with mass emails asking recipients to disclose login details by clicking a URL or filling in a form, BECs are more sophisticated.
According to Proofpoint, BECs involve deep background research on select targets.
Instead of hundreds of emails in a traditional mass cyber attack, BEC phishing emails go out to one or two recipients in an organisation.
“The emails spoof senders so they appear to be from the CEO, CFO, other executives, or even outside parties such as partners and vendors,” Proofpoint says.
“They rarely have links or attachments, and they include urgent instructions to the recipient to transfer funds to a designated account, send W2s, or forward other financial or personal information.
“These attacks can also start out as innocuous interactions and then build up to a more substantial attack.
“For example, the sender may start by asking, “Hey, are you at your desk?” and escalate to a request for a wire transfer only after a few more interactions.”
BECs have an estimated cost of about $US3.1 billion ($AUD4.2 billion) worldwide and attacks are on the rise.
“This dwarfs losses from any other kind of attack including phishing, ransomware and credit card fraud [and] because it’s so lucrative it’s only going to get smarter and more convincing,” says Bentley.
“Actors are already researching employees’ social media platforms, websites and annual reports to gain vital intel and we can expect the level of research going into each attempt to increase.”
How to protect your business
“There are a number of telltale signs that indicate whether an email has come from a genuine or fraudulent source – businesses need to be educating their employees on what these signs are,” says Bentley.
“The most popular giveaways include a request from the source to not discuss the email with others and to act urgently.”
To identify these emails, Proofpoint recommends checking that senders are legitimate by clicking reply to verify the address and domain that would actually receive the response.
Keeping an eye for consistency in language and tone can also help determine if the sender is the person you know.
Bentley says these are often the biggest red flags.
“For example, mannerisms or tone that may not fit quite right with the person who is supposedly sending the email, non-local date formats,” he says.
Proofpoint reports that attackers are also increasingly tricking recipients with lookalike domains that appear legitimate at first glance.
A domain may read “@abccorporationc.om” instead of “@abccorporation.com”, which can easily be missed by the naked eye.
Build a culture of transparency
Business owners should ensure their employees understand the role they play in the company’s overall security.
“Encourage employees to trust their instincts so much so that if an email is sent to them instructing that they keep the request confidential or to reply only via email, they are comfortable asking for clarification in person or forwarding the email in question directly to IT,” says Bentley.
“Vigilant employees are the last line of defense against BEC threats.”
Implement security processes
He adds that businesses should set up processes to check authenticity of emails.
“Implement appropriate procedural controls for the kinds of transactions BEC phishers are after,” he says.
“Put internal finance and purchasing controls in place to authenticate legitimate requests. This may include adding a secondary, out-of-band in-person or phone approval by someone else in the organisation.”
Prevent personal email use
Bentley recommends preventing employees from communicating via personal email accounts.
“The use of personal accounts should be a policy violation and therefore yet another warning sign for employee recipients that an email is a fraud,” he says.
“Why? Because in some cases, actors may use what appears to be a personal email account so that the Reply-to field is less suspicious.”
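The checks the article describes (verifying the sender address and domain, spotting lookalike domains, treating personal-account and Reply-To mismatches as warning signs, and looking for urgency and secrecy cues) can be applied mechanically before a message reaches a person. The following script is an added example written for this page; it is not code from SmartCompany or Proofpoint. The trusted-domain list, the personal-provider list, the phrase list, the edit-distance threshold of 2 and the sample messages are all constructed assumptions for illustration; only the Python standard library is used.

```python
"""Heuristic BEC triage of a raw email message (added example, not the article's code)."""
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed assumption: the organisation's own domain plus a trusted partner domain.
TRUSTED_DOMAINS = {"abccorporation.com", "partner-vendor.example"}

# Constructed assumption: free/personal providers that policy says are never used for business.
PERSONAL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Cues the article names: urgency, secrecy, email-only replies and payment requests.
SUSPICIOUS_PHRASES = ("urgent", "confidential", "do not discuss",
                      "reply only by email", "wire transfer")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; a small value between two
    domains (e.g. abccorporationc.om vs abccorporation.com) suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: Optional[str]) -> str:
    """Lower-cased domain part of a From / Reply-To header value, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` closely resembles, or None.
    Exact matches are legitimate, not lookalikes. Threshold 2 is an assumption."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def triage(raw_message: str) -> List[str]:
    """Return a list of human-readable warning flags for one raw RFC 822 message.
    An empty list means none of the heuristics fired."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags: List[str] = []

    # Reply-To pointing somewhere other than the visible sender: replies leave the org.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if dom in PERSONAL_PROVIDERS:
            flags.append(f"{label} uses personal provider {dom}")
        target = lookalike_of(dom)
        if target:
            flags.append(f"{label} domain {dom} looks like {target}")

    # Urgency / secrecy cues in subject and body (plain-text, single-part message assumed).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    for phrase in SUSPICIOUS_PHRASES:
        if phrase in text:
            flags.append(f"suspicious phrase: {phrase!r}")
    return flags


# Constructed sample messages, modelled on the scenario the article describes.
SUSPICIOUS_SAMPLE = """\
From: "Jane Doe (CEO)" <jane.doe@abccorporationc.om>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@abccorporation.com
Subject: Urgent wire transfer

Hey, are you at your desk? I need an urgent wire transfer processed today.
Please keep this confidential and reply only by email.
"""

CLEAN_SAMPLE = """\
From: colleague@abccorporation.com
To: accounts@abccorporation.com
Subject: Monday agenda

Attached is the agenda for Monday's meeting.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, "->", triage(sample) or "no flags")
```

Each flag is a reason to apply the article's process control (an out-of-band phone or in-person confirmation) rather than an automatic verdict; a legitimate executive travelling on a phone can trip the personal-provider rule, and a legitimate partner can register a domain that sits within edit distance 2 of yours, so the script is a triage aid for the recipient or the mail team, not a silent block.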