Cyberattackers are adept at finding new ways to ply their nefarious trade — some of the more elaborate scams we’ve detailed over the years include fraudulent Microsoft support calls, health care enrollment phishing attempts, and business email compromise.
The latest email scheme to come to our attention concerns wire transfer requests, which target business executives and financial department employees via spam email. As the FBI’s Internet Crime Complaint Center has reported, the goal is simple: to convince the recipient to process a payment for goods or services via wire or credit transfer. Scammers either hack or spoof domain names — think hard-to recognize alterations like “yourwebsiite.com” instead of “yourwebsite.com” — then create email account names that duplicate or closely resemble that of the CEO or other senior executive. That way, an unsuspecting employee in the finance or business department might not think twice about following orders from the boss.
So we thought we’d compile a list of strategies to employ so that you can avoid falling victim to such a scam:
1) Check the email header to see where a message actually originated from. A hacker can name an email account anything he wants — CEO, Vice President, even, in more elaborate social engineering scams, an executive’s actual name — no matter what the actual address is. So before you respond to anything that asks about money, payment, or compensation, check the firstname.lastname@example.org address in the email header. Doing this differs by email program, but in most versions of Microsoft Outlook it’s achieved by clicking Message > Options > Message Options > Internet Headers.
2) Also check subject lines and body copy for ANY discrepancies. Notice any misspelled words, odd grammar forms, or other inconsistencies that don’t seem consistent with your co-worker’s email style? Those can be big red flags that can help you avoid trouble from the get go.
3) Validate any link in any unfamiliar email before clicking on it. Hover over or right click all links and look for a legitimate URL that matches the one the email came from — not long strings of jumbled numbers or letters. All it takes is one click on one bad link by one employee to give hackers exactly the entry point they need to your company.
4) Do not open any email or attachment from any sender you don’t recognize. Last year’s CryptoLocker virus spread primarily through malicious PDFs, audio files, and other attachments that computer users unwittingly clicked on. If you don’t know the sender and aren’t expecting a file, don’t click on it!
5) Avoid using free, web-based email for business purposes. Establish a company website domain and use secure email accounts for all communications. Strongly consider a proactive monitoring or comprehensive network security solution, which should conduct regular malware scans and daily updates, as well as deploy strong firewalls and anti-spam protections that can filter out scams like the one described above — and alert security experts to spoofed or hacked accounts.
Avoiding the threat of email scams and other malicious cyberattacks is critical to business success — but it’s not a task you should undertake alone. That’s where a trusted IT partner like CMIT Solutions comes in. Contact us today to find out how our proven security measures can keep you and your employees safe.