Phishing for information: how to avoid common email scams

Mia Campbell from the anti-fraud charity Fraud Advisory Panel highlights some common email scams targeting businesses, and how to avoid them.

Have you ever received an email asking you to review your VAT return, validate your Companies House login details, or confirm your online banking details? The chances are you have, and probably many times. But how often have you actually stopped to consider that these are scams, and that you and your staff might be falling for them?

Fraudsters send millions, if not billions, of phishing emails each day. While most of these emails will never reach our inboxes thanks to anti-spam filters, a small proportion – about 10 per cent – probably will. Inevitably, some of these will be opened and have their links clicked or attachments run, potentially compromising corporate, financial and security information.

In fact, fraudulent emails and websites are now the most common type of breach or attack affecting UK businesses, according to the latest Cyber Security Breaches Survey, published in April.

Common email scams

One common tactic used by fraudsters is to impersonate well-known and trusted organisations, such as banks, internet companies, online retailers and government departments, to trick the recipient into disclosing information or downloading malware. In the case of businesses, this may extend to the impersonation of genuine suppliers, or even the company’s own chief executive. Three common scams are explained below.

CEO fraud

CEO fraud has caught many businesses off-guard. It occurs when a fraudster poses as a company’s chief executive, using a compromised, spoofed or look-alike email address, and asks a staff member (often in finance) to make an ‘urgent’ bank transfer. One of the simplest ways to prevent this type of fraud is to ensure that your finance policies never allow a payment to be authorised by email alone, regardless of circumstance: an unexpected request should be confirmed with the executive in person or on a phone number you already hold, never on one supplied in the email.

Invoice (mandate) fraud

Invoice fraud occurs when a fraudster pretends to be a genuine supplier and asks for their bank account details to be changed so that future payments are diverted away from the legitimate recipient. This risk can be greatly reduced by verifying every change of bank account request with the supplier using contact details that you already hold (not those given in the request), and by informing them whenever a payment is made (eg by sending a remittance advice), so that a diverted payment is noticed quickly.

Ransomware

Ransomware is believed to be on the rise and is spread in a variety of ways, but often by email. It encrypts your computer files and demands that a ransom be paid for their release. Generally accepted advice is that you shouldn’t pay ransom demands if you can avoid doing so: payment does not guarantee recovery and marks you as a willing payer. It is crucial to take precautions, such as backing up your data on a regular basis (storing the backup somewhere disconnected from the network, such as an external hard drive that is unplugged after each backup, and testing that it can actually be restored), and installing software and anti-virus updates as soon as they become available.

Preventing email scams

Email scams are becoming increasingly sophisticated and convincing, often combining social engineering with technical attacks such as spoofed sender addresses and look-alike domains. This can make it very difficult for the average person to distinguish a fake email from a genuine one. Implementing good technical cyber security defences, such as spam filtering, prompt patching and offline backups, makes good business sense and can stop many phishing emails before they reach staff inboxes. This should be complemented by a well-informed ‘scam aware’ workforce, who feel able to report their suspicions and concerns, without fear of blame.
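As an added illustration of the kind of technical check a mail gateway or mailbox rule can apply (this is example code written for this page, not a tool from the Fraud Advisory Panel), the script below parses email headers and flags three signals that recur in the CEO fraud and invoice fraud cases described above: an executive’s display name on an address outside the company domain, a Reply-To that diverts replies elsewhere, and a sender domain that imitates the company’s own domain or a trusted supplier’s (for example ‘rn’ in place of ‘m’). The organisation name, executive list, supplier domain and the three sample messages are all constructed for the example.

```python
"""Header-based impersonation check (added example; all names and domains are
constructed and hypothetical)."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation details (hypothetical).
OUR_DOMAIN = "example.co.uk"
EXECUTIVES = {"jane smith": "ceo@example.co.uk"}      # display name -> genuine address
TRUSTED_SUPPLIER_DOMAINS = {"acme-supplies.example"}
PAYMENT_WORDS = ("urgent", "bank details", "payment")


def normalise(domain):
    """Collapse character swaps fraudsters use in look-alike domains."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted):
    """Return the trusted domain that `domain` imitates, or None if it is
    either genuine (in the trusted set) or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if normalise(domain) == normalise(t) or edit_distance(domain, t) <= 2:
            return t
    return None


def check_message(raw):
    """Return a list of human-readable warnings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # 1. Executive display name on an address that is not their genuine one.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr.lower() != genuine:
        flags.append(f"executive name '{name}' used on external address {addr}")
    # 2. Reply-To pointing somewhere other than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    # 3. Sender domain imitating our own domain or a known supplier.
    target = lookalike_of(domain, TRUSTED_SUPPLIER_DOMAINS | {OUR_DOMAIN})
    if target:
        flags.append(f"sender domain {domain} looks like {target}")
    # 4. Payment or urgency wording: a supporting signal, not proof on its own.
    subject = str(msg.get("Subject", "")).lower()
    if any(w in subject for w in PAYMENT_WORDS):
        flags.append("payment/urgency wording in subject")
    return flags


# Constructed sample messages (not real emails).
CEO_FRAUD_SAMPLE = """From: Jane Smith <jane.smith@webmail.example>
To: accounts@example.co.uk
Subject: Urgent payment needed today

I'm in a meeting and need a supplier paid this afternoon. Keep this between us.
"""

INVOICE_FRAUD_SAMPLE = """From: Accounts <accounts@acrne-supplies.example>
Reply-To: accounts@acrne-supplies.example
To: accounts@example.co.uk
Subject: Updated bank details for future invoices

Please note our new account details for all future remittances.
"""

GENUINE_SAMPLE = """From: Jane Smith <ceo@example.co.uk>
To: accounts@example.co.uk
Subject: Board pack for Thursday

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD_SAMPLE),
                          ("Invoice fraud", INVOICE_FRAUD_SAMPLE),
                          ("Genuine", GENUINE_SAMPLE)):
        print(label, "->", check_message(sample) or ["no warnings"])
```

A flag from this check is a reason to route the message for human review or to tag it visibly in the inbox, not grounds to act on its own; the policy controls above (no payment authorised by email alone, call-back verification of bank detail changes) remain the decisive defence, because a fraudster using a genuinely compromised mailbox will pass every header test.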

A lot of free advice and guidance is now available online to help organisations build their cyber defences and keep up to date with the latest scams. Key amongst these are the government-backed 10 Steps to Cyber Security guidance and the Cyber Essentials scheme, which outline the basic controls all organisations should have in place to reduce their cyber risks. Get Safe Online also provides practical advice for businesses.

If your business suffers a live cyber attack and data is potentially at risk, you can contact Action Fraud, the UK’s national fraud and cybercrime reporting centre, on 0300 123 2040, to report it and get advice on what to do next. You may also wish to seek professional technical help and, in the case of ransomware, visit www.nomoreransom.org, which offers free decryption tools for some ransomware families.

About the author

Mia Campbell is manager at the Fraud Advisory Panel, the UK’s leading anti-fraud charity. They produce free helpsheets to help businesses to protect themselves from fraud.