Gone phishing: 3 common email tricks that could cost your business big

Cybercriminals are causing chaos for UK small businesses, and email tactics are some of their favourites. You might have heard of phishing attacks, where emails pretending to be from a trusted source dupe the recipient into unknowingly granting access. When it comes to approaching small businesses, a range of new strategies are being used – which you might not be aware of. Here are three to look out for:

CEO fraud

Imagine you get an email, like any other. It’s from your CEO, asking the finance person to transfer some money to complete a project, finalise an acquisition or pay a large bill. The recipient thinks nothing of it and sends the funds through before signing off for the day. Alarm bells only ring once the receiving business flags that they haven’t received the money days later. So, where’s it gone?

If you’re fortunate and spot the problem quickly, you could get some of the money back through the banks. Otherwise, it’s probably in the hands of hackers who fly under the radar and cash-out by using a money laundering network.

Attacks like these leave staff red-faced and companies flummoxed. The email had ostensibly come from the CEO’s address and his account had not been hacked, tricking the employee into a (understandably) false sense of security. Unfortunately, most small business employees still take email at face value, meaning these kinds of CEO frauds (otherwise known as Business Email Compromise) are on the rise.

How to spot CEO fraud: The fraudulent emails spoof the real thing, meaning they’ll likely look identical to something your CEO would actually send. Look out for a sense of urgency and demands for money to be moved around, often towards the end of the day. If in doubt, encourage employees to check directly with management by phone, text or face to face. Checking is well worth the delay.

It’s also worth keeping an eye on emails from staff who aren’t necessarily at the top of your org chart, as business leaders wise-up to the tactic. Victims tend to have readily searchable or easily guessable email addresses. Recent attacks have included emails from staff to HR departments requesting wages into a new bank account, for instance. Small businesses, who tend to have fewer cybersecurity-trained staff and less stringent financial processes, are a growing target.

Monday mornings

Another common strategy employed by cybercriminals is sending scam emails first thing on Monday mornings. One study found that nearly a third of spoof emails arrive on Mondays, designed to capitalise on the pressure of clearing weekend backlogs. They play on ‘social jetlag’; the idea that employees are more easily fooled at key times when they may be dealing with other things.

How to spot Monday morning scams: Unlike your cybersecurity software, human error opening the door to hackers is less easy to protect against. Good ‘cyber awareness’ is vital. By regularly training your staff on the tactics cyberattackers use, you’re equipping your ‘army’ against the threat. Tell your staff to be especially vigilant at times when they’re under pressure or feeling distracted – don’t let cybercrime get a foothold.

Fake forwards

Fake email threads are another way hackers gain users’ confidence in the supposed legitimacy of emails. These involve emails which have ‘Re:’ or ‘Fwd:’ in the subject line, which gives the illusion of being part of a previous conversation. In some cases, they may also fabricate the rest of the email thread, making it look even more convincing.

Research reported by the BBC found that these kinds of attacks are increasing more than 50% year on year, making it an issue your staff need to be well aware of.

How to spot fake forwards: Fake forwards are another way that criminals are preying on human behaviour. Employees should check the contents of an email carefully before acting on it. Typos, low quality logos and other inaccuracies are obvious giveaways. And, in the case of issuing payments, make sure you have two-factor authentication enabled, another layer of defence.

Small businesses thrive on getting things done – and fast. But, to prevent these common forms of email scams, encourage employees to take the time to check their emails. A quick check could make all the difference. Looking for support in training your staff in Cyber Awareness, or implementing the Government’s Cyber Essentials certification? We can help.