Email-based scamming has quickly become the leading cause of financial loss for Australian businesses and individuals, with criminals now stealing $132,000,000 each year.
This guide will show you how to protect yourself and your family by identifying the warning signs and commonly used scams.
Email-based scams have grown in popularity recently due to the speed at which criminals can run them, along with the lucrative returns they generate.
What is an Email Scam?
Often called Email Compromise or Business Email Compromise, email scams are where a cybercriminal uses social and technical tricks to make a person think they are exchanging emails or text messages with someone they already know. The cybercriminal then uses the trust of the relationship to have bank details updated, or initiate the transfer of funds, goods or gift cards.
What Are the Common Scams?
The false invoice:
John recently paid his builder for some renovation work. Later he found out that his builder had not received the payment. When they checked, the invoice and bank details John had paid had not been sent by the builder. Instead, it was sent by criminals who had used a fake email address that looked very similar to the builders.
Jane works in the finance team. She received a routine email from a regular contact at a long-standing supplier advising of a change in their bank details. Jane checks the email address and it is correct and has been used many times in the past, so she makes the change.
In fact, Janes regular contact has unknowingly had her password stolen, and criminals have logged in to her email account. The next legitimate payment to the supplier will be sent to the criminal's bank account.
Gary is the executive assistant to the CEO and just received a text message from a number claiming to be the CEO’s personal mobile. The message says that his boss is out with some potential new clients and urgently needs some iTunes gift cards to give them to seal the deal. Can Gary please buy some, SMS the codes and expense the cost tomorrow.
Of course, the phone number does not belong to his boss, and his boss did not make the request. Instead, the gift cards will go to the criminals to be sold on the black market.
Linda from the Payroll team has received a request from an employee to have their bank details changed in the Payroll system. What has happened is a criminal has covertly gained access to the employee's user name and password and is trying to divert the employee’s next salary payment to the criminal's bank account.
What are the warning signs to look out for?
An unforeseen change of bank details - Criminals often target changing bank details because there is no immediate payment involved, so often does not trigger alarm bells.
An urgent payment request or threats of serious consequences if payment isn't made - urgency is very often used because it makes the intended victim rush and not consider the possibility of a scam.
Unexpected payment requests from someone in a position of authority - Criminals will often use the authority of the CEO or CFO to get potential victims to skip approvals and due process and rush payments.
An email address that doesn't look quite right, such as the part after the @ not exactly matching the supplier's normal email addresses. - Criminals will create new email addresses with small changes to impersonate legitimate contacts, such as @Mircosoft.com instead of the @Microsoft.com, or replacing the letter L with the number 1.
Personal or unrecognised email addresses or phone numbers - Criminals will create hotmail and gmail addresses using the first and last name of the person they are trying to impersonate and trick the potential victim into believing it is a personal email address.
Personal Information - Criminals will often use social media to gain information about a person they are trying to impersonate and relay it to the potential victim to build trust. Information such as close contacts, home location or current holiday location is used most commonly.
Criminals will often combine multiple of the above techniques, such as waiting for the CEO to post holiday pictures on Facebook, then using a fake email with the CEO's first and last name to request the urgent change of a suppliers bank details.
What can you do to prevent email scams?
Look out for the warning signs and be aware.
Don’t be afraid to use a phone call to verify identity – Almost 100% of email scams can be prevented with a simple phone call. use your contacts or corporate directory (don't trust the signature in the suspicious email) to call them and double-check they did send the email you received.
Always check the full email address on suspicious emails, can you spot any minor changes?
Don't be rushed, take your time, follow all the correct processes and think about the possibility of scammers.
Report any suspicious emails to your IT and Security teams.