It used to be the case that email scams were easy to spot – a Nigerian prince giving you a large amount of money, a lottery you won but never entered, or even a family member in crisis abroad – but scammers are getting smarter. They’ve developed a new target: the office.
Spam filters can spot a Nigerian prince scam a mile away and smart readers won’t even open these poorly composed messages declaring that family members (who are safely at home) have been robbed while traveling abroad, but are you positive your boss didn’t send you that message? Fake emails from supervisors are among the most popular scams today, but they’re not the only kind you need to watch out for.
Modern Email Phishing: What’s Trending
The most dangerous form of phishing impacting professionals today is known as business email compromise (BEC). This type of scam is especially pernicious because it appears to come from your company’s own email servers, and it primarily targets companies that operate internationally – including small nonprofits – and therefore rely on wire transfers as an integral aspect of their operations. The FBI estimated, based on Arizona cases, that the average target in such scams loses between $25,000 and $75,000.
Other common phishing approaches striking businesses today are those that appear to be affiliated with service providers such as banks, credit card companies, and ecommerce sites. These messages typically request that the user log in to their account and update certain types of information, or notify the user that there has been some sort of security breach. Instead of linking the recipient to the legitimate site, however, the emails lead to false fronts that steal your information.
In these latter cases, always check your browser’s address bar to confirm you have reached the legitimate, secure (HTTPS) site before entering any information. False front sites can be very convincing, appearing to be legitimate web pages for a company, but this is one area where they often fail.
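The address-bar check described above can be written down as a simple rule: the link must use HTTPS, and the host the browser will actually connect to must be the provider’s real domain (or a subdomain of it), not a lookalike. The following is an added example, not code from the original article; the domain names in it are constructed placeholders, and the sample links are invented to show the common ways a false front disguises its host.

```python
from urllib.parse import urlparse

# Constructed sample links. "examplebank.com" stands in for a real provider;
# the other hostnames are hypothetical and use the reserved .invalid TLD.
SAMPLE_LINKS = {
    "legit": "https://www.examplebank.com/account/login",
    "http_only": "http://www.examplebank.com/account/login",
    # Real domain appears as a prefix, but the registrable domain is different.
    "lookalike": "https://www.examplebank.com.secure-login.invalid/verify",
    # Capital "I" substituted for lowercase "l" in "example".
    "typosquat": "https://www.exampIebank.com/login",
    # Text before "@" is userinfo, not the host; the browser connects to phish.invalid.
    "userinfo_trick": "https://www.examplebank.com@phish.invalid/login",
}


def host_matches(hostname, expected_domain):
    """True if hostname is expected_domain itself or a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    expected_domain = expected_domain.lower()
    return hostname == expected_domain or hostname.endswith("." + expected_domain)


def check_link(url, expected_domain):
    """Return the reasons a link fails the address-bar check; an empty list means it passes."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if parsed.username is not None or parsed.password is not None:
        reasons.append("credentials before '@' disguise the real host")
    host = parsed.hostname or ""
    if not host_matches(host, expected_domain):
        reasons.append(f"host {host!r} is not {expected_domain}")
    return reasons


def audit_samples(expected_domain="examplebank.com"):
    """Run check_link over every constructed sample; maps sample name to its failure reasons."""
    return {name: check_link(url, expected_domain) for name, url in SAMPLE_LINKS.items()}


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"{name:15} {verdict}")
```

Only the first sample passes. Note that the check compares the host the browser connects to (`parsed.hostname`), not the text that appears in the link, which is exactly why reading the address bar after the page loads is more reliable than reading the email.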
Towards Enhanced Security
Since these new email threats look much more legitimate than past scams, what can your company do to protect itself? One of the first things you should do is undertake a comprehensive encryption strategy. How you do this will depend on who your email provider is.
For companies that use a variation of Gmail for their professional emails, it’s important that you enable Gmail’s support for Transport Layer Security (TLS), which encrypts messages while they travel between mail servers. However, TLS only protects mail in transit: if a TLS-encrypted email passes through a hacked server, it can be read there, so this won’t be enough on its own. For enhanced security, it’s worth adding an encryption plugin that’s harder to interfere with.
Depending on your industry, you should also spend some time researching encryption requirements and best practices. Some industries require that you encrypt client data, while others have broader encryption standards. There are also ways to specifically encrypt attached files and password protect them, further deterring hackers.
Don’t forget to encrypt your mobile messaging systems as well. It’s easy to be excessively lax when sending emails from your phone, but these can be targeted just as easily – or even more so. And if you’re going to send business communications via any system other than email, make sure it uses end-to-end encryption like iMessage. Skype messaging, for example, doesn’t encrypt user communications.
Ask First, Act Second
Beyond encryption, there are other simple steps you can take to protect yourself, your company, and your clients. One of the most important and simplest things you can do when you receive a suspicious email is to directly contact the supposed sender. Not sure your boss really wants you to wire $30,000 to a specific account? Call them to confirm.
The same rule applies to emails from service providers – if American Express really wants you to make account changes, they’ll be able to confirm that over the phone. If you choose to look for evidence on the site, don’t click the link in the email, but navigate directly to your account. This, too, can help weed out scam notifications.
Finally, it’s important for companies to raise awareness about security fatigue. Because security has been such a high-level concern in recent years, users have started to feel overburdened by long, complicated passwords and multiple authentication processes. Though it’s easy to become lax about our security practices due to these increasing demands, it’s important to recognize that we’re being asked to intensify our security practices for a good reason.
Scammers may be using more sophisticated methods to steal information and money from companies, but we aren’t helpless to protect ourselves against these acts. Particularly at the corporate level, we can use institutional resources to shore up our accounts, heavily encrypt our servers, and take advantage of professional data security training.