According to the FBI, email fraud cost over $26 billion worldwide between June 2016 and July 2019*.
Malicious emails frequently carry an attachment or link that installs malware. Some entice the recipient to visit a fake Web site set up to look like the real one; when the recipient logs in, their password goes straight to the attacker. Some recent scams try to scare the recipient by threatening to release compromising pictures unless a ransom is paid (usually no such pictures exist). More often the goal is simply to solicit money under false pretenses, with the sender pretending to be someone else. These are called ‘phishing’ emails.
Effective phishing emails appear to come from someone the recipient knows. For example, the email may use the actual name of the company’s CEO and ask an employee for a password (note: employees should never share passwords with anyone, no matter who asks). Or it may use the name of a real vendor, claim an invoice is past due, and supply bank account details that belong to the attacker.
Individuals can fall prey to email fraud just as easily as a corporation can. Remember that doctor’s office I wrote about (see this post)… last week I got a fake email from their receptionist (using her actual name) claiming I owe them for an unpaid invoice. Despite their claim that my information had not been compromised, the attacker had clearly stolen my email address and their employees’ names.
Phishing emails fall into one of two categories:
- The hacker has gotten control of a real email account and is sending malicious emails
- The hacker uses a bogus email account with a name that the recipient is familiar with
It is not hard to learn the name of someone the recipient knows. The attacker may have harvested contacts by compromising coworkers, friends, customers, or vendors. Connections are easy to find on social media sites like LinkedIn or Facebook, and there are services that sell detailed information on company executives. It is also easy to run a ‘social engineering’ campaign in which the attacker calls employees and gathers information; for instance, the attacker might simply call the company’s main line and ask for the name of the CFO or IT Director.
Fortunately, there is an easy way to protect yourself from many phishing attacks… check the email address! This won’t help if the attacker has taken over a real account, but most of the time the attacker is just pairing a bogus address with a real name. By default, most email programs show only the sender’s display name, not the address behind it. If you hover over or click the sender’s name (each email program is different), you will see the actual address. Compare that address, and especially the part after the @, character by character with the address you already have for that person: attackers often register look-alike domains (a zero for an o, an extra letter, a different ending) or use a free webmail address with the person’s name on it.
Because that check doesn’t help when the attacker has taken over a friend’s or colleague’s actual account, there is an even better way to protect yourself… don’t trust your email! If you get an email you are not expecting, that is poorly written, or that asks for money, a password, or a software download, don’t act on it. Instead, pick up the phone and call the sender, using a number you already have rather than one given in the email, and verify that the message is real.
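The “check the email address” advice above can be automated for a mailbox or a mail gateway. The script below is an added example written for this post, not something from the original article or any product it mentions. It assumes a hypothetical contact list (KNOWN_CONTACTS) mapping display names to the domains those people really send from, and it runs over constructed From: header values (not real senders). It flags three of the tricks described above: a known name on a free-mail address, a known name on a look-alike domain, and an email address stuffed into the display name so the mail client shows the wrong thing.

```python
from difflib import get_close_matches
from email.header import decode_header
from email.utils import parseaddr

# Constructed From: header values for the demo (not real senders or real mail).
SAMPLE_FROM_HEADERS = [
    'Jane Doe <jane.doe@example-corp.com>',                    # genuine
    'Jane Doe <jane.doe.ceo@gmail.com>',                       # real name, free-mail address
    '=?utf-8?q?Jane_Doe?= <jane.doe@example-c0rp.com>',        # real name, look-alike domain
    '"jane.doe@example-corp.com" <billing@mail-invoice.net>',  # address hidden in the display name
    'Accounts Payable <ap@example-corp.com>',                  # genuine
    'Some Stranger <stranger@somewhere.example>',              # nobody the recipient knows
]

# Hypothetical contact list: lower-cased display name -> domains that person really sends from.
KNOWN_CONTACTS = {
    'jane doe': {'example-corp.com'},
    'accounts payable': {'example-corp.com'},
}


def decode_display(raw):
    """Decode RFC 2047 encoded words (=?utf-8?q?...?=) so the display name can be compared as text."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or 'ascii', errors='replace'))
        else:
            parts.append(chunk)
    return ''.join(parts)


def domain_of(address):
    """Return the lower-cased part after the last '@', or '' if there is none."""
    return address.rpartition('@')[2].lower() if '@' in address else ''


def check_from_header(raw_from, known_contacts=KNOWN_CONTACTS):
    """Classify one From: header value as 'ok', 'unknown' or 'suspicious', with a reason."""
    name, addr = parseaddr(decode_display(raw_from))
    dom = domain_of(addr)
    if not dom:
        return 'suspicious', 'no parseable sender address'
    if '@' in name:
        # Mail clients show the display name, so an address placed there hides the real sender.
        return 'suspicious', 'display name %r looks like an address but the real address is %s' % (name, addr)
    expected = known_contacts.get(name.strip().lower())
    if expected is None:
        return 'unknown', 'sender name not in contact list; verify out of band before acting'
    if dom in expected:
        return 'ok', 'address domain matches the known contact'
    # Known name on the wrong domain: report whether it is a near-miss of a domain we trust.
    all_known = sorted({d for ds in known_contacts.values() for d in ds})
    lookalike = get_close_matches(dom, all_known, n=1, cutoff=0.8)
    if lookalike:
        return 'suspicious', 'domain %s is a look-alike of %s' % (dom, lookalike[0])
    return 'suspicious', 'name matches a contact but domain %s is not one of %s' % (dom, sorted(expected))


def triage(headers, known_contacts=KNOWN_CONTACTS):
    """Run the check over a batch of From: values; returns (header, verdict, reason) tuples."""
    return [(h,) + check_from_header(h, known_contacts) for h in headers]


if __name__ == '__main__':
    for raw, verdict, reason in triage(SAMPLE_FROM_HEADERS):
        print('%-10s %-58s %s' % (verdict, raw, reason))
```

The look-alike test uses a simple string-similarity threshold, which catches one-character substitutions such as c0rp for corp but not every homoglyph trick; a production filter would also compare the domain after IDN/punycode decoding. Note that this only inspects the From: header the sender chose to write, so it cannot detect a compromised real account, which is exactly why the post recommends verifying by phone.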
Several times a year co-workers ask me to validate an email they have received. I have simply called the sender. In some cases the sender has even told me that their email had been hacked.
Unfortunately, we all need to be a bit suspicious when reading email or clicking around on Web sites. Email fraud has become prevalent and thieves have gotten clever, and the consequences of getting tricked can be expensive.
The FTC issued a warning in 2017 entitled “Fake emails could cost you thousands.”* Increasingly, under new regulations such as the CCPA, companies may also face fines if they do not take measures to secure customer (and employee) data.