12 Dec
Email Scams: A Growing Threat
in General
Hardly a day goes by without an email arriving in our inbox with an attached payment advice from some unknown third party, claiming funds are about to be deposited regarding a transaction we know nothing about.
Today it appeared to be from the Indonesian branch of Sumitomo Bank. The sender’s address looked legitimate and, like a scratch card or a lottery ticket, it is so very tempting to take a closer look at this potential “windfall”.
Opening the attachment will certainly reveal a surprise. In its simplest form it will ask for more information so that the "transaction" can proceed, which is what is known as "phishing". At worst it will carry ransomware or other malware with the potential to cost you thousands, immobilise your systems and possibly even destroy your business.
Judging by the frequency of these emails, the maritime sector, with its multitude of documents and counterparties, is now recognised as fertile hunting ground by a growing number of scammers, many of whom rely on phishing. In this article we look at the increasing regularity of these attacks, what to watch out for, the various types of phishing and how to protect against them.
What is it? Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. (Definition courtesy of http://www.phishing.org/what-is-phishing)
Takeaways
Some key phishing statistics from Proofpoint’s 2019 Report Protecting People: A Quarterly Analysis of Highly Targeted Attacks are:
Features to watch out for
Email remains by far the top means of attack by fraudsters and it relies on the fallibility of humans to succeed. Attackers rely on our curious nature, our weakness for a good deal and the speed of communication and, with that, the pressure to respond quickly.
Make sure everyone in your organisation is aware of danger signals that should help protect against the scammer who is determined to steal from or damage your business. Examples of these include the following:
IT’S TOO GOOD TO BE TRUE
Most business people will know who owes them money and to whom they owe money. If you receive an email from someone you don't know (which should arouse suspicion anyway) saying they are about to transfer funds, it is most likely too good to be true. The chances are there will be an attachment, which the scammer claims is some form of bank advice, that contains quite the opposite of good news, most probably malware. Don't be tempted to open it, even out of curiosity, especially if it is a zipped or other archive file, a common way of slipping an executable past email filters. The flip side of this, again targeting the curious, is an email with an invoice attached from a "supplier" you don't know, claiming that you owe them money. These tend to arrive during holiday periods when staffing is low or people are covering for colleagues on vacation. While on the subject of invoicing, it seems opportune to mention the following, most dangerous, variant:
A CHANGE IN DETAIL
This time imagine your email account (or your supplier's) has been compromised and the scammer is quietly reading the correspondence in and out. Sadly, this is not uncommon these days; we probably all know someone whose account was taken over and sent us an email saying they were stranded in a foreign country and needed money to get home. The scammer looks out for emails with invoices attached, both incoming and outgoing. At its most basic, the scammer intercepts an email from your supplier, substitutes the invoice after changing the bank details to their own, and sends it on to you. You think it is from your supplier and pay the money into the wrong account. To counter this, make sure your accounts department seeks confirmation for every change to payee details: first by telephone to a member of the supplier's staff whom they already know, using a number already on file rather than one quoted in the email, and then confirmed in writing. Alternatively, one of your own invoices is substituted, your bank details are changed to theirs and money intended for you ends up in the scammer's account. Hopefully your customer will have internal controls in place, but for some protection you should consider printing a bold statement on invoices and statements that your banking details will never change without a separate, authorised notice being issued.
BADLY WORDED EMAILS
A scammer will be sending out thousands of emails across the world; the more that are sent, the greater the chance of finding unquestioning individuals. That means your language may not be the scammer's native language. Spelling mistakes are easily eliminated with a spellchecker, so it is more often bad grammar or odd sentence construction that gives the game away.
MISSPELT EMAIL ADDRESSES AND DOMAIN NAMES
Email addresses and domain names, on the other hand, may be deliberately misspelt to make the recipient believe the email is genuinely from a well-known company. It may be as simple as the genuine "abc@example.com" being replaced by the fake "abc@exarnple.com", where the letters "rn" pass for an "m" in most fonts. At first glance the two look the same to someone not paying particularly close attention when hitting "reply". Other favourites are a digit "0" for the letter "o", "1" or "l" for "i", and an extra or missing hyphen or letter in the company name.
“REPLY TO” DIFFERENT TO SENDER’S “FROM” EMAIL ADDRESS
Often there is a legitimate reason for these to differ; many of the newsletters we receive on a daily basis are sent from one address and collect replies at another. A scammer exploits the same mechanism. The "From" header is easily forged to show the legitimate company, and the "Reply-To" header is set to a mailbox the scammer controls, so that when you hit "reply" the conversation quietly moves to them. Neither header is difficult to change, so look at the address a reply will actually go to before sending anything sensitive. If it differs from the apparent sender, it may well be a scammer sending the email and not who you thought it was.
TIMING, A SENSE OF URGENCY
Phishing emails have a greater chance of success if they put the recipient, particularly an individual not too familiar with normal procedures, under pressure. A good example is the overdue account reminder sent at the height of summer, the scammer hoping it will be received by a temporary worker filling in for someone on vacation, with the usual signatories possibly unavailable. Adding a threat of legal action may well help push a fraudulent payment through. A more common ploy is an email purporting to be from your bank, saying your account has been frozen due to suspicious activity and will remain inaccessible until you "confirm" confidential details. Particularly dangerous are scams purporting to come from senior colleagues who appear to be waiting urgently for you to act. Even when they suspect foul play, some employees are reluctant to question whether their manager is being serious.
OTHER WARNING SIGNS
These include links inside an email that do not contain the name of the company that appears to have sent it (seen by hovering over the link before clicking); emails claiming to have found viruses on your computer; Nigerian 419-type scams (so called after Section 419 of the Nigerian Criminal Code, which outlaws the practice) claiming that you are due money from overseas; public email domains where you would expect a corporate domain name, e.g. barclays@gmail.com; and finally emails addressed to a generic or vague recipient ("Dear Customer") when you would expect the sender to know your full name.
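The warning signs above (a lookalike sender domain, a "Reply-To" that differs from "From", a public mailbox domain where a corporate one is expected, and links whose visible text names one domain while the destination is another) can be checked mechanically. The script below is an added example and is not part of the original article; it uses only the Python standard library. The partner-domain allowlist, the table of look-alike characters and the sample message are constructed for the example and would be replaced by your own address book and a real message in practice.

```python
"""Header and link checks for a suspicious email (added example, not from the article)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains of companies you genuinely correspond with (constructed allowlist).
KNOWN_DOMAINS = {"example.com", "example-shipping.com"}

# Free webmail domains where a corporate domain would be expected instead.
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Character substitutions that pass for the real thing at a glance.
# Multi-character pairs come first so "rn" collapses to "m" before single characters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s")]

LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def skeleton(domain):
    """Normalise confusable spellings: skeleton('exarnple.com') == 'example.com'."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def base_domain(host):
    """Crude registrable domain: the last two labels (fine for .com, wrong for .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the known domain this one imitates, or None if genuine or unrelated."""
    if domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if skeleton(k) == skeleton(domain)), None)


def analyse(raw):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Replies silently redirected away from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"From {from_dom} but replies go to {reply_dom}"))
    # 2. A public webmail domain where a corporate one is expected.
    for dom in (from_dom, reply_dom):
        if dom in PUBLIC_MAILBOX_DOMAINS:
            findings.append(("public_mailbox", f"{dom} is a public mailbox provider"))
    # 3. A sender domain that imitates a company we actually deal with.
    target = lookalike_of(from_dom)
    if target:
        findings.append(("lookalike_domain", f"{from_dom} imitates {target}"))
    # 4. Links whose visible text names one domain while the href goes elsewhere,
    #    or which leave the sender's domain altogether (what "hover over the link" shows).
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(("link_text_mismatch", f"shows {shown.group(1)} but goes to {host}"))
        elif from_dom and base_domain(host) != base_domain(from_dom):
            findings.append(("link_offsite", f"{host} is not the sender's domain {from_dom}"))
    return findings


# Constructed sample: a "payment advice" exhibiting all four warning signs.
SAMPLE = b"""From: "Example Shipping Accounts" <accounts@exarnple.com>
Reply-To: example.accounts@gmail.com
To: accounts@ourcompany.invalid
Subject: Payment advice - urgent action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Funds are ready for release. Confirm your banking details at
<a href="http://login-exarnple.example.net/confirm">https://www.example.com/login</a>
within 24 hours. <a href="http://track.example.org/u?id=42">Unsubscribe</a></p>
</body></html>
"""


def sample_codes():
    """Finding codes for the constructed sample, in detection order."""
    return [code for code, _ in analyse(SAMPLE)]


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE):
        print(f"{code:20} {detail}")
```

The checks are deliberately simple: the confusable table covers only a handful of common substitutions, and `base_domain` treats the last two labels as the registrable domain, so a production version would use a public-suffix list and Unicode confusable data. None of these findings proves fraud on its own; they are prompts to pick up the telephone before replying or paying.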
The different types of phishing
The cybercrime known as “phishing” is where the scammer poses as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
Phishing is so widespread now that there are categories defining the different variations, some of which are described below. Each relies on human fallibility, which is why education and awareness is critical for the protection of organisations and individuals.
“Every individual and every employee in your organisation needs to be aware of phishing and to expect to be targeted, sooner or later”
It is interesting to see from the Proofpoint Report: The Human Factor 2018 at what times of day employees are most likely to respond to phishing emails, statistics that may help when communicating the nature of these risks.
Across all regions, 52% of clicks were found to occur within one hour of a message being received and within one minute of receipt 11% had already clicked on a malicious message. In North America the most vulnerable times are at the beginning of the day and lunchtime. In Europe employees are more likely to click at the start of the day, gradually reducing as the day progresses.
Protect yourself
For those in your organisation who don’t know about the existence of these scams, make them aware.
“Remain vigilant at all times”