How to Prevent Scams, Phishing, and Mis-Sent Emails

When you open your email inbox in the morning you no doubt experience a tidal wave of emails. You are not alone. Radicati¹  looked at the world of emails and found that by the end of 2019 there will be 2.9 billion email users in the world. They also found that email use is only getting stronger every year. By the end of 2019, there will be 246 billion emails sent and received every day.

Email is an amazing way to communicate. Even with the advent of messaging tools and mobile messaging apps, email is still a major tool of business. But is this trust also its downfall?

In this article, we will look at three ways that email trust can and is broken, and how personal vigilance and the use of managed IT support can help you to fix it.

Email Scams

One of the most worrying scams of recent years is the Business Email Compromise (BEC) scam.

BEC scams are big business for cybercriminals. The FBI released a report on BEC scams² showing losses of over $12 billion. And it is only getting worse, with BEC scam rates up by 136% since 2016.

BEC scams are all about tricking companies into releasing money. The cybercriminal behind the scam uses a number of techniques to achieve this. An example is the case of Walter Stephan³, the CEO of Austrian company FACC Operations GmbH. This BEC attack started with surveillance of Mr. Stephan. The thief was able to then send an email to the finance department that looked like it was from the CEO. This email contained an urgent message to transfer money to a new project (the recipient bank account being controlled by the scammer). In the end, FACC Operations lost around $47 million to the fraudsters.

How to Avoid Becoming the Victim of a BEC Scam

1. Use a specialist service such as Novatech Unified Email Management (UEM) which can help to stop spoof emails entering your inbox.
2. Buy any domain names similar to your company domain – BEC scammers may create an email address that looks like your company email address to trick users.
3. Use a training program to ensure staff are aware of the issue and know how to spot the signs.
4. Use a double-check system when transferring large sums of money.

BEC scams rely on surveillance of key members of staff and tricking other staff members by masquerading as a key employee. The scam may or may not involve email account takeovers. It also may or may not, involve phishing emails, so let’s look at phishing.

Phishing

Phishing is all about stealing information such as personal data and/or login credentials, e.g. username and password. According to Wombat Security, 76 percent of businesses were victims of a phishing attack⁴ in 2017.

Phishing takes a number of forms:

Email phishing: An email which looks like it is from a legitimate company but is, in fact, a spoof. The email will either have a link to click on or contain an attachment that is infected with malware. The link will, typically, take you to a website, which looks like a real brand. It will ask you to enter personal data or login credentials. If you do, they will be passed immediately to the cybercriminal behind the phish. Links sometimes go to an infected website which will infect your computer with malware. Email attachments in phishing emails are infected with malware. If you open the attachment it installs malware on your machine.

Spear Phishing: This is a targeted form of email phishing. Many major data breaches have started with a spear phishing email, targeted at a system administrator. The cybercriminal stealing login credentials to privileged areas of a company’s IT network.

SMiShing: Text messages and mobile app messages are being increasingly used as phishing conduits. Kaspersky⁵ saw a 300% increase in SMiShing (the text equivalent of email phishing) in 2017.

Vishing: This is a voice form of phishing. The phisher will call, pretending to be from a well-known organization such as a government tax office or bank. They will then attempt to extract personal information from you.

How to Avoid Becoming the Victim of a Phishing Campaign

1. Use a managed IT service company like Novatech to apply Unified Email Management (UEM) to prevent phishing and other email-borne threats
2. Ensure your IT resources are patched and up to date
3. Use second-factor login credentials wherever possible
4. Security awareness training offers phishing simulation exercises to teach your staff how to spot a phishing email

Mis-sent emails

Data breaches aren’t just about cybercriminals stealing credentials and using them to access databases. Data leaks and accidental disclosure is a major issue for companies too. Data compiled by Gemalto shows that in 2017, 1.9 billion data records were accidentally leaked. Mis-sent emails are one area where sensitive information and personal data can be exposed. An example was seen during the 2014, G20 Summit. The Australian immigration department accidentally sent an email⁶ to the wrong person, revealing personal details of world leaders like Obama and Merkel. Sending sensitive or personal data to the wrong person can cause financial losses, reputation damage, and non-adherence with regulations.

How to Avoid Mis-Sent Emails Leaking Your Data

Preventing complex human-centered email threats, like mis-sent emails, requires a layered approach to security. Novatech Managed IT services can look at your normal working patterns and apply the right tools and training to ensure email is not your weakest link.

Sources:

1. Radicati
2. FBI released a report on BEC scams
3. Walter Stephan
4. 76 percent of businesses were victims of a phishing attack
5. Kaspersky
6. Australian immigration department accidentally sent an email