2017 hasn’t even reached its halfway point and already it’s been a banner year for email scammers. The hackers may be rejoicing, but if you or your company has been on the receiving end of an email-based cyberattack, it’s hardly something to celebrate.
According to the FBI, email scams have been hitting American businesses hard, to the tune of half a billion dollars per year. And the pace doesn’t seem to be slowing for 2017.
If your company hasn’t fallen victim to an email scam this year, count yourself lucky. Up to 85 percent of organizations have suffered phishing attacks, according to one report. (Phishing is the blanket name for the most common form of email scam.)
Email scams can be devastating for companies large and small. Here are a few of the most damaging and high-profile attacks of 2017 (so far).
W-2 Scams Target Companies and Individuals
What happened: In February — primetime for companies and individuals to start work on their
tax returns — the IRS issued a warning. Organizations throughout the country had reported
receiving fraudulent emails aimed at stealing employee W-2 information.
Typically, these scammers used spoofing techniques to disguise their emails as coming from
high-level executives. They targeted HR personnel and asked for lists of employees and their
W-2 forms — and in the worst cases, followed up with requests for wire transfers.
The damage: As of early February, the scam had claimed nearly 30,000 victims. One company
in California allowed the tax information for about 800 employees and former employees to fall
into the hands of criminals.
Even Giants Fall for Phishing
What happened: In March, the U.S. Justice Department announced the arrest of a Lithuanian
man for impersonating a supplier and scamming two American tech firms out of $100 million. In
April, Fortune reported the victims were far from small game. They were Google and Facebook,
two of the largest and most powerful technology companies on the planet.
The hacker, Fortune reported, “Forged email addresses, invoices, and corporate stamps in
order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did
The damage: Facebook and Google both say they recovered most of their funds. Harder to
recover, though, is the loss of face from falling victim on such a large scale to a single man with
an email account. Any company whose business model relies on keeping its customers’ private
data secure does not want to show up in the news as the target of a successful scammer.
Scammers Impersonate CEOs
What happened: In March, Israeli police, in conjunction with the FBI, rounded up 20 people
connected to a global hacking operation. The scammers had been posing as high-level
executives, authorities say, and asking lower-level employees to initiate wire transfers.
Thinking they had been given a great responsibility by the CEO or another top executive, many
of these employees unwittingly wired huge sums of money right into the scammers’ bank
This type of attack — which relies on people’s natural deference to authority — is on the rise.
The FBI issued a warning about the dramatic increase in CEO fraud in 2016.
The damage: From October 2013 through February 2016, the FBI says it received 17,642
reports of business email compromise scams (a form of whaling). Combined, the incidents cost
American businesses $2.3 billion.
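An added example, not from the original article: header checks a mail gateway or triage script could apply to the executive-impersonation requests described in the W-2 and CEO-fraud cases above. The company domain, executive names, keyword list and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; replace with your organization's own.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"dana whitfield", "sam ortega"}
SENSITIVE_TERMS = ("w-2", "w2", "wire transfer", "employee list")

# Constructed sample messages (not real mail).
SPOOFED = """\
From: Dana Whitfield <dana.whitfield@examp1e-mail.test>
Reply-To: payments@other.test
To: hr@example.com
Subject: Urgent request

Please send the W-2 forms for all employees and set up a wire transfer today.
"""
LEGIT = """\
From: Dana Whitfield <dana.whitfield@example.com>
To: hr@example.com
Subject: Team lunch

Lunch is at noon on Friday.
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def impersonation_flags(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From"))
    flags = []
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        flags.append("executive display name on external address")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append("Reply-To domain differs from From domain")
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in SENSITIVE_TERMS):
        flags.append("asks for W-2 data or a wire transfer")
    return flags
```

A message forged with the company's exact domain in the From header passes the first check; rejecting those depends on SPF, DKIM and DMARC enforcement at the receiving server.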
Hackers Target Gmail Users
What happened: Google again found itself tied up in an email scam in May — this time as the
company being impersonated. Google said it was investigating a rash of fraudulent emails
containing what looked like links to shared Google Docs.
Users would receive the emails, masked to look like they were from familiar senders. When they
clicked on the links, they were taken to a landing page asking them to authorize third-party
access to their private account information. That includes passwords, the contents of email,
contacts, and anything else they used through a Google service.
Needless to say, scammers can have a financial field day with that kind of data.
The damage: Google says it has removed the accounts responsible for the offending emails.
It’s not clear how much damage they caused. But as hackers gained access to their victims’
email contacts, they gained access to new victims.
The scam could have spread across the internet like wildfire.
How to Stop Your Company From Becoming the Next Victim
What’s the common thread in all these high-profile email attacks? In each case, the scammers
used hard-to-spot techniques to disguise their identity and motives and take advantage of their
targets’ trust and carelessness.
As email scams grow more and more sophisticated, users at every level of every company need
to become more aware of the threats and their cost. They need to learn to pay closer attention
to the messages they receive and who they’re from.
This starts with education. For pointers on teaching your employees strategies to prevent
phishing, read our recent blog post, “5 Tips for Teaching Your Employees What Not to Click.”
Your second level of defense is technological. An expert outsourced IT provider can set you up
with the latest software and hardware controls for maintaining the security of your company’s
email system. Learn more about what an outsourced IT provider has to offer in our free ebook,
“The Ultimate Guide to IT Outsourcing.”