Phishing is the attempt to acquire sensitive information, such as: usernames, passwords, and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
– Wikipedia (https://en.wikipedia.org/wiki/Phishing)

At Aviator IT, we’ve seen phishing attacks on our clients for years, and, recently, they seem to have gotten more devilishly clever. The FBI reports that business email scams have netted criminals $1.2 billion. So I wanted to share some tips that might help protect your own business from online scammers.

The basic idea is that a scammer will send a message like this one that appears to be from the CEO or some other trusted source:

John (in Accounting),
I need you to initiate a wire transfer of $50,000 to a vendor, ACME Holdings, right away. Here is their bank information. I am jumping on a plane now, send this payment right away and I will explain when I land in Heathrow.
Cheers,
Robert, CEO

The recipient might look at the from field of the email and it will seem like a legitimate corporate email address. The attackers might have even gathered the CEO’s actual travel schedule by sending a similar fake message to the admin assistant, requesting an updated itinerary. Most people would hesitate to send such an irregular payment without a PO, but a request for some innocuous seeming information, like an itinerary, might seem less suspicious. But even a simple act, such as clicking a link to a website, can infect your system and give hackers control of your machine.

The problem is that it’s extremely easy to spoof or fake the from address of an email message. The fact that an email address shows a valid address in the from field is not proof that the email is legitimate. There are technical steps that we in IT can take to prevent spoofed mail from landing in your inbox, by setting up special rules in the email system. But there are ways around this, such as using similar looking domain names (e.g. Say your company is BestIndustries.com, a spoofer might register Best1ndustries.com and use that). Attackers might also just register a Gmail or Yahoo account with the first and last name of a member of senior management.

In this case, the best defense is education. IT should hold a brown bag lunch or take some time during all hands meetings to warn the end users to beware of suspicious requests and give some examples of the types of attacks that are occurring. It might be a good idea to set a policy of not using any personal email addresses for business purposes.

To summarize, the top three ways to protect your company from business email scams are:

  1. Have IT put technical solutions in place to block spoofed email addresses,
  2. Educate the end users about phishing threats, and
  3. Put policies in place to make it harder for attackers to gather information.

Contact Aviator IT today to have a discussion about your own email security.