By: TSP Blog | @TSProckstars
Joe gets an email from his boss asking him to go buy 10 hundred-dollar gift cards for important clients right away — he should use his own credit card, and the boss will reimburse him. Joe is then asked to send photos of the gift card PIN codes because the boss needs them immediately. Joe complies because his boss asked him to and said it was urgent.
This is just one example of a clever new way scammers are stealing money and information from employees who understandably don’t see it coming. The emails look and sound like they’re coming straight from the boss or other top company leadership, and they feel real. The FBI calls them executive impostor scams, also known as business email compromise.
According to a report from Get Safe Online and Lloyds Bank, impersonation fraud is on the rise. The report found that one in 12 businesses has been a victim of impersonation fraud, but because this is only based on reported cases, the real number is likely much higher. Small and medium businesses are the most vulnerable, due to lack of cybersecurity training for employees and lack of security precautions to combat fraud.
The impact is real and widespread. Between 2013 and 2016, the FBI estimated fake executive emails from cybercriminals caused $2.3 billion in losses to more than 17,500 businesses in the U.S. and other countries.
Accenture’s Ninth Annual Cost of Cybercrime Study says cyber criminals are adapting attack methods to target humans, “the weakest link in cyber defense.” Information theft is the most expensive and fastest-rising consequence of cybercrime, with data theft, data destruction, or data change as the criminal’s end goal. And if they can get you to send them free gift cards or wire lots of money, even better.
A BRIEF HISTORY OF UNWANTED EMAILS
The first unsolicited messages started as early as 1864, when scammers used telegraphs to send fishy investment offers to wealthy Americans. The first electronic spam message was sent by Gary Thuerk in an unsolicited email to hundreds of people on ARPANET, the military computer network that came before the Internet.
In 1994, Usenet, a newsgroup system that predates the web, got slammed with ads for immigration law services; the senders even wrote a book about it in 1995 called “How to Make a Fortune on the Information Superhighway.” According to Spamhaus, an international nonprofit that tracks spam and related cyber threats such as phishing, a message must be both unsolicited and sent in bulk to qualify as spam. So, if you get an email from your boss that’s actually from someone else, that’s technically a scam, not spam.
WHERE DID SPAM GET ITS ODDBALL NAME?
Spam’s moniker is based on a 1980s Monty Python sketch where a crowd of Vikings drowns out a conversation by singing the name of the processed meat over and over — in other words, it was about something being repetitive and unavoidable. In 1998, the Oxford Dictionary included “spam” as a word for junk email.
WHY AM I GETTING THESE EMAILS?
You get spam and other scammer emails because they’re free to send, but still bring in a lot of money for crooks. Spam is basically free to send to millions of email accounts — it costs the same to send five messages that it does to send five million. In 2012, the American Economic Association estimated that spammers made about $200 million a year, while in the same year $20 billion was spent trying to fend them off. Taking the time to imitate your boss requires a little more effort, but the payout is just as real if you get tricked.
WHAT SHOULD I DO WHEN I GET AN EMAIL THAT MIGHT NOT BE FROM MY BOSS?
If an email seems suspicious, don’t ignore or hide it. Fear of punishment or embarrassment often makes employees want to brush suspicious emails under the rug, but the best thing to do is report any emails that don’t seem quite right as soon as possible.
If email systems have been compromised, then criminals may have gained access to sensitive information and can continue to make fraudulent requests to other employees. Most people do what their boss asks, especially when the boss says it’s urgent, but that’s part of how criminals trick employees into leaking funds or information. The minute you think something doesn’t feel right, say something.
WHAT IF AN EMAIL ASKS FOR SENSITIVE INFORMATION?
Impersonation scams take advantage of people’s work ethic and trust in their boss. If you get an email that seems off, or any email that asks for a wire transfer, gift card purchase, or information about you or other employees, first double check the sender’s address. Often, it will have one letter transposed or replaced with a similar letter, or it will be slightly misspelled.
Impersonation scammers are detailed, and they can make emails look and feel incredibly real. Some will even research who within a company can authorize a wire transfer and target those employees specifically. Because it’s easy to set up email accounts without credit card information, at least for a trial period, domain registration companies have a hard time keeping up with fraudulent use until complaints are lodged. Even if the fishy email comes straight from your boss’s correct email address, remember that passwords can be compromised, so verify the request with your boss directly anyway, over a channel other than the email itself.
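As an added illustration of the sender-address check described above (this is not code from the original post), the Python script below classifies a handful of constructed From: headers against an assumed corporate domain. It catches the transposed or look-alike characters the text describes, and also flags a boss’s display name on an outside address, which the text notes a correct-looking address alone cannot rule out.

```python
from email.utils import parseaddr

# Constructed sample data (not from the original post): the company's real
# domain, the executives most often impersonated, and a few From: headers.
TRUSTED_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe"}  # display names that warrant extra scrutiny

SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",     # genuine
    "Jane Doe <jane.doe@examp1e-corp.com>",     # 'l' replaced with '1'
    "Jane Doe <jane.doe@exmaple-corp.com>",     # two letters transposed
    "Jane Doe <ceo.janedoe@freemail.example>",  # boss's name, outside address
    "Vendor Billing <ap@vendor.example>",       # ordinary third party
]

# Characters that look alike at a glance and are commonly swapped in
# look-alike domains, mapped to the letter they imitate.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def normalize(domain):
    """Lower-case the domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Plain Levenshtein distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header, trusted=TRUSTED_DOMAIN, execs=EXECUTIVES):
    """Return one of: trusted, lookalike-domain, display-name-spoof, external."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == trusted:
        return "trusted"
    # A threshold of 2 edits is an assumption; tune it to your own domain length.
    if edit_distance(normalize(domain), normalize(trusted)) <= 2:
        return "lookalike-domain"
    if name.strip().lower() in execs:
        return "display-name-spoof"
    return "external"

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{classify_sender(h):20} {h}")
```

A "trusted" result only means the domain matches; as the text says, a compromised genuine account still needs out-of-band verification.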
REMEMBER HOW MUCH INFORMATION ABOUT YOU IS AVAILABLE ONLINE
Scammers can be clever — the smart ones do their homework. Social media websites, a company’s own website, and news reports can reveal employee names, titles, email addresses, and phone numbers, plus information about the type of company they work at.
Fraudulent emailers sometimes pose as third parties, such as the company’s bank, a vendor, or a potential new client looking for information, all designed to trick someone into disclosing confidential information. If an email or call doesn’t feel right, don’t give away any information until you confirm the identity of the person who contacted you. They will often make requests seem urgent, which is a red flag. Take time to verify every request — even ones that claim to be time sensitive.
BE CAREFUL WHO YOU GIVE YOUR EMAIL ADDRESS TO
You want to read a piece of content, so you surrender your email address. You start getting promotional messages and unsubscribe, but your email address has already been sold to tons of companies that start to send emails of their own. This now qualifies as spam, because it’s both unwanted and unsolicited (you didn’t give your address to those other companies). Play it safe: don’t give out your main email address, or create a second address you don’t mind using for things like accessing content.
I GET A LOT OF REGULAR OLD SPAM — CAN I MAKE IT STOP?
When you get these emails, always mark them as spam within your email interface or move them to the junk folder, because this is how automatic spam filters learn to identify spam and filter it out. Marking items as junk will keep these same messages from appearing again, and it also helps service providers tag which email addresses and domains are suspicious. Finally, never click on anything in the message. This not only opens you to viruses, it can let the sender know that your email address is both active and monitored, making you a target for even more unwanted messages.