Phishing emails (emails which appear to be from a legitimate sender, asking for personal or financial information) have been around for many years. However, in the last few months we’ve seen a big rise in spear phishing (scam email specifically targeting a company or person) and ransomware (viruses which encrypt files on your computer and network, and demand a ransom payment to have the files unlocked). These threats are very real for anyone using email.
In short, if you receive an unexpected email requesting sensitive information, a funds transfer, to click a link (which may then prompt for your password or to install a file), or to download an attachment, STOP and think for a moment. If it seems a bit strange, even if it’s from someone you know, pick up the phone and call them (at a number that you already have) to verify it. If you’re still not sure, call your company’s IT helpdesk and ask a support engineer to check into it before you do anything.
These email scams have become very commonplace, and receiving them does not mean that your system has been compromised in any way. We employ numerous security layers which block most of the threats for our clients, but no system is 100% safe and safe computing practices must always be followed.
FYI: Legitimate companies will never ask you for your login credentials, social security number, or banking information via email.
I encourage you to read Safe Internet Browsing – Best Practices.
What is spear phishing?
Spear phishing is the act of sending targeted emails to end users, using specific details in the email to try and convince them that the message is real and they should reply to it with whatever sensitive information is being asked for.
A very common example we’ve seen is an email from the CEO of a company to its CFO, asking to send a wire transfer to a vendor with specific account details. Another may be an email from an attorney or accountant to a client with a link to download a file. The emails will be from familiar names, may reference a specific client or vendor, and may even contain the same email signature as the sender normally uses. So far, in both emails, everything looks real.
So, where is the scam?
The devil is in the details, as they always say. The scammers (let’s call them what they are) usually try a few different tricks:
- Changing the reply-to address. It’s easy to fake the ‘from’ address on an email, so scammers will do this and set a different reply-to address, something you normally won’t see when reading an email in Outlook, Gmail, or on most smartphones. The only time you would notice this is if you reply to the message and look at the address in the ‘to’ field of the reply (again, something that normally isn’t shown on a smartphone).
- Similar (but different) domain names. If the target is worthwhile, scammers will often buy a domain name that is just one letter off from a company’s, sometimes swapping an m and n, adding an extra letter, or switching a capital I for a lowercase l. For busy people who may receive hundreds of emails a day, these small typos often go unnoticed (such as conpany.com or fulfilllmentcenter.com – note the n and the extra l in the names).
- Download an important document. You may receive an email from someone you know with a link to download an “important document”. Upon clicking the link, you’ll be prompted to enter your credentials for Google Mail or Office 365 (the scammers assume you use one or the other). But there is no document to download. Instead, you’ve just given the scammers the key to use your email account to spread the same malware to your list of contacts, and you may have also infected your own PC.
- Ransomware attachments. This type of malware has been around for several years now, and is unfortunately still going strong. It arrives as an email attachment, often from someone you know, with a vague message body such as “see the attached past due invoice”, “shipping confirmation”, or “important document”, and usually either a ZIP file or a Microsoft Word document attached. Opening the ZIP will reveal another file, typically named something like “invoice” or “confidential information”; opening the Word document will show a prompt such as “Enable macros if the data encoding is incorrect.” Both the file within the ZIP and the macros in the Word document will immediately activate the virus and start encrypting files on your computer and any network drives that you have access to. The only way to recover this data is to restore from a recent backup, or pay a ransom fee of several hundred dollars or more!
How do email scammers get your personal details?
While we don’t know their methods firsthand, we do know that they most likely have NOT hacked into your company’s network. Most probably, they are gathering data from public sources such as social media and business directories, compiling this information into databases which they can then use to “mass spear phish” various companies. Directories of professionals (such as lawyers and accountants) are prime targets since they often contain contact details of trusted professionals, and in the case of accountants, ones who have sensitive information on their clients. We suspect they use cheap overseas labor forces to scour the internet for this information.
Finally, sometimes it is an inside job from someone specifically targeting one victim. For example, last year, a client of ours who deals with many vendors in Asia received an email from one of those vendors instructing them to make all future payments to a new bank account, with a list of two large invoices which were coming due. The invoices were real (for orders the client had placed), and the email was from a familiar name at the vendor. It was only upon further investigation that the client realized the email domain was misspelled by one letter, and the email had not come from the vendor itself, but from someone (possibly a rogue or former employee who had access to all of the right information) impersonating them.
How can you protect yourself against email and Internet scams?
- Secure your profile information on Facebook, LinkedIn, and other social networks. Ensure that sensitive personal information, such as your date of birth, email, phone number, home town, etc. is only viewable by your “friends,” and if your friends list contains a lot of people who you don’t actually know, as is common, consider making the information private altogether. Remember, many websites ask for exactly these details in the ‘forgot password’ process.
- Remember that the IRS and other government agencies will NEVER contact you about a ‘problem with your account’ via email.
- Beware of fake URLs. If you ever receive a link prompting you to log on to an account (including for any bank, PayPal, Google Apps, Microsoft Office 365, Dropbox, etc.), look at the URL (web site address) that appears in the web browser. Most browsers today will highlight the actual domain you are on (such as citi.com). Just because a website is secured (with https://) doesn’t mean it’s the right website. Be suspicious of URLs such as citibank.website.us – that website is website.us, not Citibank. The page may look like Citibank, but it’s not.
- When you receive these scams, don’t reply. You may be tempted to, but replying only validates your identity and may cause you to receive more of them.
- Always play it safe. Despite seatbelts and airbags, we still drive carefully. Despite vitamins, antibiotics, and vaccines, we still keep our distance from someone with the flu. The same applies to using email and the Internet. Never assume that because you have spam filtering, anti-virus software, or good backups, that you can click on anything and do whatever you want on the internet. The scammers are always trying to stay one step ahead. If you’re ever not sure, pick up the phone and double-check. (see Safe Internet Browsing – Best Practices)
- Use strong passwords, and try to vary them a bit. Passwords are not a fun thing to manage, which is why password managers, including LastPass, Roboform, and others, exist. Use one to keep your passwords strong and secure.
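As an added illustration (not part of the original article), here is a small Python checker that applies the reply-to, look-alike domain and real-domain-behind-a-link checks described above to a constructed sample message. The trusted-domain list and the sample email are assumptions made for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Domains this organisation legitimately deals with (constructed list for the example)
TRUSTED_DOMAINS = {"company.com", "fulfillmentcenter.com", "citi.com"}
# Constructed sample message combining the tricks the article describes
SAMPLE_EMAIL = """From: "Jane Smith, CEO" <jane@company.com>
Reply-To: Jane Smith <jane@conpany.com>

Please log on at https://citibank.website.us/login and send the wire today.
"""
def registrable_domain(host):
    # citibank.website.us -> website.us (multi-label suffixes such as co.uk are not handled)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def normalize(domain):
    # Fold homoglyph swaps: capital I for l (before lowercasing), rn for m, 1 for l, 0 for o
    return domain.replace("I", "l").lower().replace("rn", "m").replace("1", "l").replace("0", "o")

def edit_distance(a, b):
    # Levenshtein distance: a swapped, extra or missing letter is distance 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # The trusted domain that `domain` imitates (homoglyph match or one edit away), or None
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    d = normalize(domain)
    return next((t for t in TRUSTED_DOMAINS if normalize(t) == d or edit_distance(d, t) <= 1), None)

def analyze(raw):
    # Warnings for a raw RFC 5322 message: reply-to/sender mismatch, links outside trusted domains, look-alikes
    msg = email.message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0].domain.lower()
    reply_to = msg["Reply-To"].addresses[0].domain.lower() if msg["Reply-To"] is not None else sender
    findings = [f"reply-to domain {reply_to} differs from sender domain {sender}"] if reply_to != sender else []
    link_domains = {registrable_domain(urlparse(u).hostname or "")
                    for u in re.findall(r"https?://[^\s>\"']+", msg.get_content())}
    findings += [f"link goes to {d}, which is not a trusted domain" for d in sorted(link_domains - TRUSTED_DOMAINS)]
    findings += [f"domain {d} imitates trusted domain {t}" for d in sorted({sender, reply_to} | link_domains) if (t := lookalike_of(d))]
    return findings
```

Running `analyze(SAMPLE_EMAIL)` reports the mismatched reply-to, the link that really belongs to website.us, and conpany.com as a one-letter imitation of company.com.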