The new frontier of email fraud
If you received an urgent, realistic email request from your manager that sounded like them and used internal or industry terminology, would you question it?
Most would probably not.
This is the strategy behind a recent string of cyber attacks on small to medium businesses.
Criminals will pose as a manager and request that an employee urgently ‘pay an invoice,’ ‘buy a device,’ or ‘download a program’ on behalf of the manager or business.
The scam is a combination of social engineering, phishing and business email compromise; put simply, it is attempted email fraud.
How does the “Boss Email Fraud” attack work?
Email fraud is not new. However, hackers are becoming increasingly sophisticated in their approach.
Ten years ago, you may have received an email from a “prince” or “long lost relative” saying you had just inherited a large sum of money.
A few years ago, a scammer may have simply tried to trick an employee with a generic email pretending to be a service provider such as a courier, a government agency or a general enquiry. The email itself was often generic and included spelling mistakes and incorrect names.
Today, however, the landscape is very different, making it hard for employees to instantly spot a scam.
Here’s how the new email fraud works:
- The attacker finds out the name and email address of a manager or executive in a company, and identifies a potential employee victim.
- They then create a fake email account that looks like the manager’s email address (for example, by registering a similar-looking domain name and using the same naming convention as the company).
- Next, they send an email to an employee in the company, pretending to be the manager. The email might ask the employee to do something like transfer money to a certain account, or provide sensitive information like passwords or company secrets. The email is often well written, using correct English and industry terminology. Often, the email will also appear to be part of an email chain between the manager and an external party. This makes the employee believe it is legitimate.
- The employee, thinking they are following orders from their boss, complies with the request.
The attacker then uses the information or money obtained to commit fraud or theft.
Who is at most risk of email fraud?
Unfortunately, small to medium-sized businesses are particularly vulnerable to email fraud. This is primarily due to SMBs having less robust cyber security frameworks in place than their larger counterparts.
Whilst many SMBs may have adequate anti-virus software, email fraud works by scamming well-meaning employees and exploiting weak internal processes rather than by defeating technical controls.
Therefore, employee training, processes and policies are the core defence against this type of attack.
Hackers know that many SMBs will not have sufficiently trained employees to identify and respond to suspicious emails. This makes these businesses easier targets than larger organisations, allowing hackers to use social engineering tactics to exploit employee trust and gain access to sensitive information.
Additionally, SMBs often have simple processes (or no written process) for invoice payments and approvals. Hackers will leverage this knowledge to encourage employees to act ‘urgently’ to pay fake invoices.
Can I prevent email fraud happening to my business?
Fortunately, email fraud is easily prevented with the right balance of employee training and business processes. Here are five strategies businesses can implement to reduce the risk of successful email fraud:
1. Employee cyber security awareness programs:
The number one thing businesses can do is implement regular cyber security training for employees. These programs should educate employees on how to identify and respond to suspicious emails. In addition to email fraud training, a wide range of topics can be covered to increase the overall cyber safety of the business. This may include phishing scams, business email compromise (BEC) schemes, and social engineering tactics.
2. Email filters and spam blockers:
Business owners can set strong email filters and spam blockers to prevent fraudulent emails from reaching employees’ inboxes. These tools can help to reduce the likelihood of employees falling victim to email fraud.
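The lookalike-domain trick described above is something a mail filter can catch. The following is an added illustration written for this page, not Jam Cyber’s tooling or any product’s filter: it assumes a corporate domain `example-co.com` and a small executive directory, and runs over constructed sample headers. It flags three of the signals the scam relies on: an executive’s display name paired with an address that is not theirs, a sender domain that is a near miss of the real one, and a `Reply-To` that silently redirects replies elsewhere.

```python
"""Flag inbound mail that impersonates an executive from a lookalike domain.

Added, constructed example (not Jam Cyber's code). The company domain,
executive directory and sample messages below are all assumptions made
for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"  # assumption: the real corporate domain
EXECUTIVES = {  # assumption: display name -> genuine address
    "jane smith": "jane.smith@example-co.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'near miss' domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Collapse common visual substitutions (rn->m, 0->o, 1->l, vv->w)."""
    return (domain.lower()
            .replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def is_lookalike(domain: str, real: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` is not the real domain but is visually close to it."""
    if domain == real:
        return False
    return (normalise_domain(domain) == normalise_domain(real)
            or edit_distance(domain, real) <= 2)


def assess(raw: str) -> list[str]:
    """Return the reasons a raw message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    key = name.strip().lower()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    # Signal 1: a known executive's name on an address that is not theirs.
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    # Signal 2: the sending domain is a near miss of the corporate domain.
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    # Signal 3: replies are quietly routed to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons


# Constructed sample headers (not real traffic).
SAMPLES = {
    "genuine": "From: Jane Smith <jane.smith@example-co.com>\n"
               "Subject: Re: Q3 numbers\n\nThanks.",
    "lookalike_domain": "From: Jane Smith <jane.smith@exarnple-co.com>\n"
                        "Subject: URGENT invoice\n\nPlease pay this today.",
    "freemail": "From: Jane Smith <jane.smith.ceo@webmail.example>\n"
                "Subject: quick favour\n\nAre you at your desk?",
    "reply_to_redirect": "From: Jane Smith <jane.smith@example-co.com>\n"
                         "Reply-To: accounts@payments-portal.example\n"
                         "Subject: Fwd: invoice\n\nSee attached.",
    "ordinary_supplier": "From: Bob <bob@supplier.example>\n"
                         "Subject: order confirmation\n\nDispatched.",
}


def triage(samples: dict[str, str]) -> dict[str, list[str]]:
    """Assess every sample and keep only those that raised a reason."""
    return {label: r for label, r in ((k, assess(v)) for k, v in samples.items()) if r}


if __name__ == "__main__":
    for label, reasons in triage(SAMPLES).items():
        print(label)
        for reason in reasons:
            print("  -", reason)
```

A message that trips any of these checks is a candidate for quarantine or a warning banner rather than automatic rejection, since legitimate external partners can also share a name with staff; the point is to surface the mismatch to the employee before they act on an ‘urgent’ request.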
3. Invoice verification policy:
Businesses can implement a simple invoice verification policy: before transferring funds to any new business account, contact the supplier directly, using contact details already on file rather than those in the email, and confirm that the invoice and the EFT details are legitimate.
Having policies and procedures in place is essential for preventing email fraud. By providing clear guidelines and training, limiting access to sensitive information, requiring verification processes, and having an incident response plan in place, organisations can reduce the risk of email fraud and respond effectively to incidents. It is important for organisations to remain vigilant and stay up-to-date on the latest email fraud tactics to protect themselves against this growing threat.
If your business does not have these strategies in place, talk to us at Jam Cyber to get your business better protected.
What should I do if my business falls victim to email fraud?
If you think your business has fallen victim to email fraud, you should immediately contact your bank or financial institution to advise them of the activity. Depending on the nature of the fraud, your bank may be able to help you recover lost funds.
The best option is to follow your internal Incident Response Plan. This document will set out how to manage this cyber incident and whether there are any legal notification requirements under the Notifiable Data Breaches scheme.
If you don’t have an Incident Response Plan, you can download our free template!
It is also important to engage with your internal/external IT team, as well as your internal/external cyber security specialists.
Need more help? Contact our Cyber Security Experts!