Every day thousands of emails move in and out of your company’s virtual inboxes. Since email has become the most relied upon method of communication for most organizations, short notes and quick replies have become second nature to most of us. Unfortunately, this simple delivery method makes it easy to for security threats to slip through the cracks.
A new kind of email fraud is making the rounds, and it's called “email spoofing.” It’s vital to your company’s security that you understand the threat and take a few simple measures to ensure your company isn’t victimized.
The purpose of email spoofing is pretty straightforward: get the recipient of an email to send money by way of wire or credit transfer. It’s the way scammers get this information that is hard to catch.
A scammer will draft and send an email to an employee in your organization, often a member of the finance department, pretending to be the CEO or other high level executive. They’ll make a request that a wire transfer immediately be sent to XYZ bank account for an urgent business transaction of some kind. The reason that the scammer is able to get the employee to transfer the money is because they’ve purchased a domain name very similar to the company’s web address.
For instance, if your CEO’s email address is firstname.lastname@example.org, they’ll send an email from the address email@example.com (with an extra “S” in ‘business’). If you’re not looking carefully, it’s hard to catch, the scammer hopes that the employee will simply hit ‘reply’, or that they’ll be too nervous to question the CEO’s request.
Two Ways To Avoid Becoming The Victim Of Email Spoofing
The biggest danger with email spoofing is that once funds are transferred, there’s very little you can do to recoup the stolen funds. That’s why it’s necessary to take preventative measures to ensure this kind of fraud is weeded out up front.
The first step is to implement a high quality spam/phishing/virus filter. These phishing attempts are becoming increasingly more complex and intentionally targeted. In the case of email spoofing, the scammer has proactively sought your company out and has taken steps to emulate your web properties. Because of this, having best-in-class spam filters in place is a vital first step to ensuring you’re protected. You’ll want to consider an enterprise ready spam filter (meaning, something a little more robust than your default Gmail filter) and set the parameters to fit your company’s exact needs. This can be done by your IT team or a trusted IT partner. We recommend a system called Mimecast. Mimecast allows an admin to go in and set very specific parameters that can try and catch attempts at email spoofing or alert you if something is unusual about an incoming email address.
Once you’ve implemented your spam filter, the next step is to educate your company on new potential threats as you learn about them. Remind every employee (and executive) to maintain a mindset of caution, especially when dealing with requests for money transfers of any kind. Make sure your employees take note of any strange or unusual requests. If you receive a request that seems random or out of place, get in touch with the requestor to verify the request. Over-the-phone verification will go one step further in ensuring its validity.
When it comes to your company’s funds, it’s better to be safe than sorry. Taking the necessary precautions to avoid being caught in the middle of a scam should be at the top of your priority list. To learn more about working with an IT partner to proactively protect you from threats such as email phishing, check out The Ultimate Guide to IT Outsourcing: