The evolution of business email scammers
Today, most business owners know how important it is to stay vigilant against email scams and phishing attempts. Over the years, email scammers have refined their tactics, making fake emails increasingly difficult to detect. Recently they have gone further still, producing deep-fake-level email scams that even the savviest online users have trouble spotting.
A brief history of email scams and phishing attempts
Email scams and phishing attempts are not new. They have been around for decades, but they have become more prevalent in recent years as users have grown more complacent about clicking links online.
With digital messages arriving through dozens of apps on multiple devices, it’s nearly impossible to screen everything.
Scammers use email and other direct messages to trick people into providing personal information such as login credentials, credit card information, and social security numbers. In addition, scammers introduce spyware and ransomware into seemingly secure business systems.
Historically, they have done this by sending fake emails that appear to come from a legitimate source, such as a global bank, government agency, or well-known public company. The online news site The Money Edit recently warned of a global scam in which fraudulent emails, pretending to be from Microsoft’s customer support, are used to take over recipients’ email accounts and steal confidential personal information. To appear more convincing, the perpetrators CC’d legitimate inboxes at the target companies and at Microsoft.
But now, scammers are figuring out ways to impersonate people much closer to home. Recently, individuals who made reservations for the Eurovision event in Liverpool have faced a potential threat to their personal data from scammers targeting hotel chains. Booking.com confirmed to the BBC that some of its accommodation partners had been exposed to phishing emails and direct WhatsApp messages containing malicious links.
The rise of the BEC
Another threat that has been on the rise over the past few years is the business email compromise (BEC) campaign. Rather than old-school spam emails with broken grammar and grainy images, the attacker often spends considerable time researching the company and its employees, creating fake email addresses that closely resemble legitimate ones, and crafting convincing messages that mimic the company’s typical communication style.
The attacker may use social engineering tactics, such as posing as a high-level executive forwarding a request to pay an invoice or deal with a late payment. Framed as an urgent request from a boss, this scam counts on diligent employees rushing to take action and failing to notice some of the typical warning signs of a phishing scam.
Emerging technologies are making it easier to generate convincing scam messages, too. ChatGPT, for example, can write a scam email in seconds, as New Scientist has pointed out. Its natural (and ever-improving) language capabilities make it easy to produce professional-sounding text again and again, which also saves scammers time and money when responding to future victims.
Another recent example of a phishing attempt is the IRS scam. Scammers send fake emails to people, claiming to be from the IRS and asking for personal information such as social security numbers and bank account details.
A current tactic reported by CNET targets individuals who use the Credits for Sick Leave and Family Leave form to claim an expired tax credit. US taxpayers receive emails tempting them to apply for these credits with the promise of getting free money back from the IRS. Fraudsters offer filing assistance, hack into the victims’ bank accounts, and use their tax filing information for identity theft. A similar tactic is to fabricate employees who were supposedly employed in their household and then use the Household Employment Taxes form to claim a refund based on sick and family wages that were never actually paid. These scams have become so prevalent that the IRS launched a PR campaign warning Americans.
How to detect phishing attempts and fake emails
There are several ways to detect phishing attempts and fake emails. First, check the name and email address of the sender. If the name is formatted differently from what you are used to seeing, that’s a big red flag. Look closely at the sender’s domain for extra words or characters that shouldn’t be there. For example, if your company’s domain is acmewidgets.com, beware of addresses at lookalike domains such as @acmewidgets.abc123.com, where your company name is merely a label under someone else’s domain, and of messages that appear to come from personal accounts.
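As an added example (not code from the article), here is a small Python check that applies the sender rules above, and the executive-spoof pattern described under the BEC section, to a raw From: header. It uses the article's acmewidgets.com as the trusted domain; the freemail list and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Trusted corporate domain from the article; the freemail set is a small
# constructed illustration, not an exhaustive list.
TRUSTED_DOMAIN = "acmewidgets.com"
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Split a From: header into (display name, local part, lowercase domain)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return name, "", ""
    local, domain = addr.rsplit("@", 1)
    return name, local, domain.strip().lower().rstrip(".")


def is_internal_domain(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only when the address sits at or below the trusted domain.

    The company name appearing as a label elsewhere in the host name
    (acmewidgets.abc123.com, acmewidgets.com.evil.net) does not count;
    only the registrable suffix matters.
    """
    return domain == trusted or domain.endswith("." + trusted)


def sender_red_flags(from_header: str, trusted: str = TRUSTED_DOMAIN) -> list[str]:
    """Return the sender-related warning signs as short tags ([] means none)."""
    name, _local, domain = sender_parts(from_header)
    if not domain:
        return ["unparseable-address"]
    if is_internal_domain(domain, trusted):
        return []
    flags = []
    brand = trusted.split(".")[0]  # "acmewidgets"
    if brand in domain:            # our name inside someone else's domain
        flags.append("lookalike-domain")
    if domain in FREEMAIL:         # "personal account" pretending to be business mail
        flags.append("personal-account")
    if brand in name.lower():      # display name claims to be internal, address is not
        flags.append("display-name-mismatch")
    return flags


if __name__ == "__main__":
    for s in ("Jane Doe <jane.doe@mail.acmewidgets.com>",
              "Jane Doe <jane.doe@acmewidgets.abc123.com>",
              '"jane.doe@acmewidgets.com" <jdoe.ceo@gmail.com>',
              "Supplier Billing <billing@supplier.example>"):
        print(f"{s!r:55} -> {sender_red_flags(s)}")
```

A plain external sender such as a supplier returns no flags; the check only reports the patterns the article calls out, so it is a triage aid, not a verdict.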
As new technologies emerge, criminals discover new ways to infiltrate our inboxes to steal money and information. No one can predict what the next trick will be, but by being aware of the evolution of business email scammers, we can protect ourselves and our businesses from falling victim.