Risk managers have long been wise to their existence, but increasingly sophisticated email scammers continue to earn rich pickings. Last year, Action Fraud said it received some 8,000 reports of phishing scams every month and numbers continue to rise.
Phishing is also the number one reason for company breaches, with fraudsters targeting pressured employees who are much more likely to click on a suspect link at work than at home. Employees also often do their online banking and shopping on work computers, increasing the overall risk of a breach.
Regular training and communication on what to spot is now a crucial line of defence for many employers. We’ve compiled a list of the 10 most prevalent email scams risk managers should be aware of in 2017.
1) Any email with a sense of urgency
Scammers try to invoke fear or at least curiosity. Commonly used subject lines include words such as ‘Attention’, ‘Your account has been closed’ or ‘Important notification’.
2) Use of personalisation – spear phishing
This technique has been responsible for some of the biggest breaches. The aim is still to encourage the recipient to click through to a malicious link or open an attachment, but personal details obtained from social media such as Twitter, Facebook and LinkedIn engender trust.
Bogus emails purportedly from HMRC continue to flood inboxes. Typically these will say a tax refund is due and ask for personal or payment information to be disclosed. A recent variation said a government gateway account needed to be created, which then requested personal banking details.
The regulator recently warned against a number of emails using fake FCA addresses, which it advised to delete without opening. False addresses included email@example.com, firstname.lastname@example.org and email@example.com.
Scammers pretending to be banks is a well-established scam, but recently they have upped their game, appearing much more realistic. Typically scammers will say an account is suspended. Banks emphasise they do not ask customers for ID such as PIN numbers either in email or on the phone.
Emails tell the recipient that they have ordered expensive goods, such as luxury watches. The aim is to cause anxiety about a supposed transaction and it requests they click on a link to obtain a refund. Email addresses contain the Amazon name, but are not genuine – i.e., payments-amazon.com.
Recently Google’s Gmail has been in the news, with fraudsters sending out a realistic spoof email to attempt to gain login details. The email appears to come from someone the recipient knows (i.e., from their email contacts) and clicking on the attachment results in redirection to a fake Google sign-in page. If completed, the criminals can then gain access to the sent folder and perpetuate the scam.
Scammers fronting as PayPal also play on a sense of fear, such as saying that persons unknown appear to be using the recipient’s account and so the password needs changing.
Unsurprisingly, scammers want to use the Apple name and typically, the email says an iTunes store refund is due. The recipient is told to visit a site that appears identical to the Apple website and asked to enter personal and card details to obtain the refund.
Often, when a disaster strikes, scammers set up fraudulent charity websites in an attempt to obtain donations.