Why is email security important?

In the late 1990s, when email was first becoming widespread, many people reported receiving emails from an individual claiming to be a Nigerian prince. These emails promised substantial financial rewards in return for helping the prince transfer his finances out of the country, where certain unnamed nefarious types were allegedly trying to steal his fortune. All you had to do was provide your bank account information, and voilà, you’d be a millionaire. While most people immediately saw through this scam, some did fall for it and ended up taking large financial hits. In fact, as of 2019, CNBC reported that Americans lost over $700,000 to Nigerian prince-style email scams. It may be difficult to believe that these scams are still going strong after so many years, but as a spokesperson for ADT Security Services told CNBC, “As long as these types of scams keep working, people will continue to use them.”

Professional cyber criminals have an arsenal of tried-and-true methods for undermining corporate security infrastructures, and they are even more motivated to scam, defraud, and otherwise infiltrate businesses than the general public because the potential profits are so much greater. Some of their attack methods are technically sophisticated, but even so, they often rely on very simple methods to get a foot in the door.

In this article, we’ll explain some of these methods as they apply to email scams. We’ll tell you why email security is important and how you can train your personnel to act as a human firewall against cyber criminals.

What Kind of Threats Come through Email?

Email vulnerabilities revolve around spam, malware, and phishing attacks, which are designed to infect your network and/or obtain sensitive information. Typically, these attacks focus on three specific target areas:

  1. Credentials: Usernames, passwords, PINs, and other authentication factors can be used to obtain money, access personnel records, or commit industrial espionage.
  2. Personal Data: Typically, this focuses on money. If cyber criminals obtain your personal information, they can take out loans, change billing addresses so they can charge purchases to you without a physical bill reaching you, and transact other business in your name, often without you becoming aware of their activity for some time.
  3. Medical Data: This isn’t an area most people think of when it comes to email scams, but cyber criminals can use medical data to file claims and collect payments in your name.

All of these attacks boil down to types of identity theft. 


How Do These Attacks Work? 

Email scams often require you to click on a link or open an attachment containing some type of malware, which could then infect your network, hijack sensitive information, and potentially set you up for ransomware attacks. Many people have been trained to be cautious about clicking on unfamiliar links and opening unsolicited attachments, so cyber criminals will often use a little social engineering to try to persuade recipients to voluntarily surrender certain types of useful information. These attacks can masquerade as official-looking requests of some type, and they will usually convey a sense of urgency. For example, you might get an email allegedly sent by a healthcare provider asking you to immediately verify your Social Security number or else face the risk of losing an insurance policy.

How Can I Prevent Email Scams?

Email Filtering Software 

Email filtering software can help protect your business to some extent by checking incoming messages against known-threat criteria, with an emphasis on deviations from your typical business usage patterns. For instance, if you get an email including a link or an attachment from a business or an individual that ordinarily doesn’t send you such things, the software may block the message or flag it for your review. Filtering software may also search for keywords that are typical of phishing emails, along with other potential fraud indicators, such as requests for payment and originating email addresses that don’t match the sender’s name.
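
As an added illustration (not code from this article or from any filtering product), the following Python scores a parsed message against the heuristics just described: a display name that doesn’t match the address it is known to come from, a link or attachment from a sender who ordinarily sends neither, urgency wording, and payment requests. The sender history, term lists, thresholds and sample messages are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sender history a filter would learn from past traffic: the address each
# known display name normally comes from, and which addresses send us links/attachments.
KNOWN_SENDERS = {
    "Acme Finance": "finance@acme.example",
    "Dana Reyes": "dana.reyes@acme.example",
}
SENDS_LINKS_OR_ATTACHMENTS = {"finance@acme.example"}

URGENCY_TERMS = ("immediately", "urgent", "within 24 hours", "suspended", "verify your")
PAYMENT_TERMS = ("wire", "invoice", "payment", "gift card", "bank account")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def phishing_indicators(msg):
    """Return the indicators found in one message given as a dict with
    'from', 'subject', 'body' and 'attachments' (list of filenames)."""
    name, addr = parseaddr(msg["from"])
    addr = addr.lower()
    text = f"{msg['subject']}\n{msg['body']}".lower()
    found = []
    # Display name claims a known contact, but the address is not that contact's.
    expected = KNOWN_SENDERS.get(name)
    if expected and expected != addr:
        found.append("sender-name-mismatch")
    # Link or attachment from a sender that ordinarily sends neither.
    has_payload = bool(LINK_RE.search(msg["body"])) or bool(msg["attachments"])
    if has_payload and addr not in SENDS_LINKS_OR_ATTACHMENTS:
        found.append("unexpected-link-or-attachment")
    if any(term in text for term in URGENCY_TERMS):
        found.append("urgency-language")
    if any(term in text for term in PAYMENT_TERMS):
        found.append("payment-request")
    return found

def triage(msg, flag_at=2, block_at=3):
    """Map the indicator count to the filter's action: deliver, flag, or block."""
    n = len(phishing_indicators(msg))
    return "block" if n >= block_at else "flag" if n >= flag_at else "deliver"

# Constructed sample messages, not real mail.
SUSPICIOUS = {"from": "Acme Finance <acme.finance.dept@mail.example.net>",
              "subject": "URGENT: overdue invoice", "attachments": ["invoice_4471.pdf"],
              "body": "Please review the attached invoice and wire payment within 24 hours."}
ROUTINE = {"from": "Dana Reyes <dana.reyes@acme.example>", "subject": "Lunch on Thursday?",
           "body": "Same place as last time?", "attachments": []}
```

Because the checks key on the sender history, the same attachment from the address Acme Finance really uses raises no indicator, which is the behaviour a filter tuned to your usage patterns should show.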

Training Your Human Firewall 

Unfortunately, security software is not perfect and cannot prevent all phishing emails from reaching the company. Intelligent cyber criminals are very good at finding ways around filters, and they only need to get through once to cause significant harm. For this reason, personnel need to be trained to recognize potential threat indicators and take appropriate action. Again, the key factor that all of these attacks have in common is identity theft. For this reason, your personnel should be thinking in terms of: “What does my identity do?” “How could someone use my identity to get money?” and “What things do I have access to that could be damaged if someone could appear to be me?”

It’s important that your company have a security culture where everyone understands basic procedures and why they’re in place. Sometimes, it may be appropriate for your personnel to follow up on their own when they receive something out of the ordinary. For instance, an employee who receives an unusual request claiming to be from someone in Finance or Human Resources may want to follow up with a phone call to that person to verify that the request is legitimate. At other times, however, it may be preferable for personnel to forward unusual or suspicious items to appropriate internal resources for further investigation. Be sure that your people know what’s expected of them and why their compliance is important. 

Keeping all of these things in mind, it’s also extremely important for your personnel to recognize that they may not be the primary or ultimate target of email phishing attacks. Employees may feel they are unlikely to be targeted because their position isn’t particularly sensitive or important within the company, and let their guard down as a result, but cyber criminals sometimes deliberately target lower-ranking employees in a company’s hierarchy in order to gain insights into how usernames and other authenticating factors work across the company as a whole. They can then use this information to target corporate officers, high-dollar vendors, and other individuals with access to finances and/or sensitive information. Thus, cyber criminals can use lower-ranking personnel as stepping stones to their true objectives higher up the corporate ladder.

Multi-Factor Authentication 

Given that usernames can be deduced from email addresses and passwords are often weak and can even be stolen, we strongly encourage our customers to employ multi-factor authentication in their security infrastructure. For instance, when a user attempts to access a given system, in addition to requiring an email address and password, the system could send a text message with a PIN that must be entered within a short amount of time. Biometrics (such as fingerprint recognition) can also be employed to good effect. Whatever system you ultimately decide upon, be sure your personnel are thoroughly trained in its operation and that you revisit it from time to time to re-evaluate its effectiveness against ever-changing threats in the digital domain.
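
An added example, not from this article or any particular product, of the server-side half of the time-limited PIN check described above: the PIN comes from the operating system’s cryptographic random source, expires after a fixed window, is consumed on the first correct use, and tolerates only a few wrong guesses. The 120-second window, the three-attempt limit and the `now` parameter (supplied so the timing can be tested deterministically) are assumptions for the example.

```python
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120   # assumed policy: how long a texted PIN stays valid
MAX_ATTEMPTS = 3        # assumed policy: guesses allowed before the PIN is discarded

class PinChallenge:
    """One-time PIN sent out of band (e.g. by text message) as a second factor.

    The application delivers `pin` to the user's phone; the server keeps only
    this challenge state and re-checks expiry, attempts and single use on
    every verification.
    """
    def __init__(self, now=None):
        # Six digits from the OS CSPRNG; zero-padded so leading zeros are kept.
        self.pin = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = time.time() if now is None else now
        self.attempts = 0
        self.used = False

    def verify(self, candidate, now=None):
        """Return True only for the correct PIN, inside its window, on first use."""
        now = time.time() if now is None else now
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.issued_at > PIN_TTL_SECONDS:
            self.used = True   # expired challenges are retired, even if the value was right
            return False
        self.attempts += 1
        ok = hmac.compare_digest(self.pin, str(candidate))   # constant-time compare
        if ok:
            self.used = True   # a correct PIN is consumed so it cannot be replayed
        return ok

def second_factor_login(password_ok, challenge, entered_pin, now=None):
    """Both factors must pass: the password check and the out-of-band PIN."""
    return bool(password_ok) and challenge.verify(entered_pin, now=now)
```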
Reinforcing Your IT Security Measures

Malicious attacks are growing and evolving. Even if you have a cyber security team in place, ERP Suites Managed Security has the experience to assist your team to keep your enterprise safe. Schedule a cybersecurity assessment and get a custom plan.