Email security: how to avoid phishing and other scams

The very first email was sent by Ray Tomlinson to himself in 1971, however, we didn’t see major commercial Internet Service Providers until the early 1990s. Remember names like AOL, Prodigy, and CompuServe? Probably not, but now, it is hard to remember a time when you weren’t buried under a mountain of electronic mail with your morning coffee. But as more of the world communicates via email, the less we seem to trust it, and with good reason.

Earlier this year, “Shark Tank” judge Barbara Corcoran lost nearly $400,000 in an elaborate email scam that tricked her staff. The scammer used an email address similar to Corcoran’s assistant’s email address. The email address was misspelled by one letter. ONE. That is how easy it is to get phished.

In this article, we will look at three ways that email trust can and is being threatened, and how personal vigilance and the use of managed IT support can help you to fix it.

EMAIL SCAMS

One of the most worrying scams of recent years is the Business Email Compromise (BEC) scam. These threats have increased as more of the workforce now works from home. 

BEC scams are big business for cybercriminals. According to the FBI, BEC scams account for more than $700 million in worldwide business losses each month, though other email attacks come with pretty big price tags of their own.

BEC scams are all about tricking companies into releasing the money. The cybercriminal behind the scam uses several techniques to achieve this. An example is the case of Walter Stephan3, the CEO of the Austrian company FACC Operations GmbH. This BEC attack started with surveillance of Mr. Stephan. The thief was able to then send an email to the finance department that looked like it was from the CEO. This email contained an urgent message to transfer money to a bank account is being controlled by the scammer. In the end, FACC Operations lost around $47 million to the fraudsters.

HOW TO AVOID BECOMING THE VICTIM OF A BEC SCAM

1. Use a specialist service such as Novatech Unified Email Management (UEM), which can help to stop spoof emails entering your inbox.
2. Buy any domain names similar to your company domain – BEC scammers may create an email address that looks like your company email address to trick users.
3. Use a training program to ensure staff are aware of the issue and know how to spot the signs.
4. Use a double-check system when transferring large sums of money.

BEC scams rely on surveillance of critical members of staff and tricking other staff members by masquerading as a vital employee. The fraud may or may not involve email account takeovers. It also may or may not include phishing emails, so let’s look at phishing.

PHISHING

Phishing is all about stealing information such as personal data and login credentials, e.g., username and password. The leading cause for data breaches, phishing accounts for a whopping 90% of them. (Source: retruster.). Nearly 30,000 people reported being a victim of that type of scam last year. Together they reported nearly $50 million in losses, according to the FBI’s 2018 Internet Crime Report.

Phishing takes many forms:

Email phishing: An email that looks like it is from a legitimate company but is, in fact, a spoof. The email will either have a link to click on or contain an attachment that is infected with malware. The link will, typically, take you to a website, which looks like a real brand. It will ask you to enter personal data or login credentials. If you do, they will be passed immediately to the cybercriminal behind the phish. Links sometimes go to an infected website, which will infect your computer with malware. Email attachments in phishing emails include malware. If you open the attachment, it installs malware on your machine.

Spear Phishing: This is a targeted form of email phishing. Many significant data breaches have started with a spear-phishing email aimed at a system administrator. The cybercriminal was stealing login credentials to privileged areas of a company’s IT network.

SMiShing: Text messages and mobile app messages are quickly becoming phishing conduits. Kaspersky5 saw a 300% increase in SMiShing (the text equivalent of email phishing) in 2017.

Vishing: This is a voice form of phishing. The phisher will call, pretending to be from a well-known organization such as a government tax office or bank. They will then attempt to extract personal information from you.

HOW TO AVOID BECOMING THE VICTIM OF A PHISHING CAMPAIGN

1. Use a managed IT service company like Novatech to apply Unified Email Management (UEM) to prevent phishing and other email-borne threats
2. Ensure your IT resources are patched and up to date
3. Use second-factor login credentials wherever possible
4. Security awareness training offers phishing simulation exercises to teach your staff how to spot a phishing email

MIS-SENT EMAILS

Data breaches aren’t just about cybercriminals stealing credentials and using them to access databases. Data leaks and accidental disclosure is a significant issue for companies too. AT LEAST 7.9 billion records, including credit card numbers, home addresses, phone numbers, and other highly sensitive information, have been exposed through data breaches since 2019.

Let’s take a look at the 2014 G20 Summit. The Australian immigration department accidentally sent an email6 to the wrong person, revealing personal details of world leaders like Obama and Merkel. Sending sensitive or personal data to the wrong person can cause financial losses, reputation damage, and non-adherence with regulations.

HOW TO AVOID MIS-SENT EMAILS LEAKING YOUR DATA

Preventing complex human-centered email threats, like missent emails, requires a layered approach to security. Managed IT services can look at your standard working patterns and apply the right tools and training to ensure the email is not your weakest link.

Sources:

1. Radicati
2. FBI released a report on BEC scams
3. Walter Stephan
4. 76 percent of businesses were victims of a phishing attack
5. Kaspersky
6. Australian immigration department accidentally sent an email

read the original article here