According to the FBI, business email compromise scams—also known as “email spoofing”—cost U.S. businesses $747 million between October 2013 and August 2015. More than 7,000 companies fell victim to email spoofing during that time frame, and the frequency and sophistication of these malicious emails is only increasing.
SPYING A SPOOF
Email spoofing is essentially forgery; it’s a message that is sent from one address, but appears to come from another. The most prominent—and costly—scam comes in the form of a fraudulent request for a wire transfer.
The email will appear to come from the organization’s CEO (sometimes with a slightly altered email address, sometimes not) requesting a wire transfer for any number of reasons and providing instructions for where the payment should be directed.
These emails can appear authentic. In fact, often the target recipient has seemingly looped into the tail end of an email chain where top executives have already discussed and approved the transfer among themselves. Such a chain might, for example, appear to be a back-and-forth between the CEO and top executives about an acquisition, with the final message to the accounting department with instructions to conduct a confidential transaction. However, the entire string of emails is phony—all are actually the work of hackers who took the time to do their homework on the organization they’re targeting.
FENDING OFF ATTACKERS
To protect your company from spoofing emails, you’ll need a high-quality spam filter and a strong firewall. Filters can prevent spoofing of an organization’s own domain by blocking emails with that domain name in the “From” field that are sent from outside the organization.
And firewalls can prevent hackers from bypassing spam filters and sending emails directly through your email server. Unfortunately, these methods are not sufficient because most spoof emails are too sophisticated to have the red flags that a spam filter would catch. Plus, many email clients make it far too easy for users to mask their email with another. Therefore, the next critical step is to educate your staff on potential threats.
Train your staff to be highly suspicious of any emails asking for money or personal information. Your employees should be alerted to:
Read email message headers and domain names carefully. Many scammers will use a domain name very similar to the company’s web address. For instance, if your CEO’s email
address is email@example.com, they’ll send an email from the address firstname.lastname@example.org (with an extra “s” in ‘business’).
Verify that emails are legitimate. Before replying to an email with sensitive information or taking any financial action on behalf of the company, call or start a separate email dialogue with
the supposed sender to ask whether he or she did, in fact, send the email in question.
Don’t wait until you’ve been victimized—and paid for the experience—to take precautions. Since there is no foolproof method of “blocking” these emails from reaching your inbox, you and your staff are your organization’s best defenses.