Blog

4 examples of scam emails that target businesses

/ IT Security Services
August 17th, 2020

IT security - How to spot four key types of email scams

Many people believe that email scams are easy to spot, but even email scams that target businesses?

They’re poorly written, full of spelling and grammatical mistakes and usually contain an offer which is too good to be true… right?

Things have changed a lot since those days. Email scams are now alarmingly sophisticated, personalised and as a result, much more dangerous. Hackers now take the time to craft messages tailored to a single recipient, meaning that even experienced users can be fooled.

We’ve listed some of the most common email scams below which you should be aware of. Remember, if you receive a suspicious email, don’t respond until you can confirm the request is 100% genuine.

1. SPAM

Not necessarily all of it is malicious, but it is illegal in many countries. SPAM is repetitive, unsolicited bulk emails which the recipient hasn’t requested to receive. Most commonly these are commercial in nature, but they can also include things like chain emails.

There are two origins of SPAM emails. SPAM which comes from spammers themselves who are selling products or attempting to commit fraud. And SPAM which originates from computers infected with a virus or worm that are sending out bulk emails. This is the type which tends to more often be malicious.

Several spam messages which are potentially scams being caught in a spam filter

An example of the types of messages caught by a SPAM filter.

2. Phishing

This is a type of scam intended to trick you into entering personal information like usernames or passwords. The best way to identify a phishing email is to look at the from address and verify that it’s real. This can be difficult when the domain (the bit after the @) is similar to the legitimate version. But a quick message to the genuine sender (don’t reply directly to the suspicious email!) can verify if it’s legitimate rather quickly.

Phishing emails usually try to scare or tempt you into submitting your details. After all, if ‘[email protected]’ said you were the lucky winner of a £500 voucher, who wouldn’t want to claim that by entering their account details. Or if ‘[email protected]’ told you that they had detected suspicious activity in your bank account and needed you to sign in to reactivate your credit and debit cards, why wouldn’t you.

These may seem like obvious fakes, but this kind of stuff works on the best of us. All it takes is one click when we’re rushed and panicking or when we’re not paying full attention at the end of a long day.

A phishing email with the various mistakes to look out for

An example of a phishing email pretending to be from Outlook.

3. CEO fraud / Business email compromise (BEC)

This type of scam is where someone pretends to be the CEO of your company. It usually involves a request to the finance department for a money transfer.

A real looking email address can be set up using information easily harvested from social networks. Scammers can now easily address your finance department on first name terms, using an account with your CEO’s real name and real picture. Or alternatively, gain access to the real account through a phishing campaign, letting them send emails from there.

A sophisticated scammer might also be stalking your CEO’s social accounts. Learning exactly when they’re out of the office or on holiday and only sending their email then, requesting emergency funds for an important client deal that’s come to them whilst they’re away.

Of course, the account they ask you to send the money to isn’t really related to your business or any clients and is owned by the scammer.

An example of a CEO fraud or BEC (Business email compromise) email requesting the transfer of funds from the CEO

An example of a CEO fraud email asking for funds to pay an ‘invoice’

4. Spoofing

Spoofing involves forging email headers so that emails appear to originate from a genuinely legitimate source. Not to be confused with setting up a similar address. Spoofing is where a scammer tricks the email server into genuinely thinking that an email came from who the scammer says it did.

Spoofing is a common technique used by hackers and can occur in many forms. But the most common is to try and use the authority of their disguise to trick users into visiting a malicious website or downloading a malicious file.

The biggest issue with spoofing is that there is no way for an average user to find out that the email is illegitimate. Both the sender name and sender address will appear as legitimate (not slight alterations or misspellings). And if the sender is a known contact of the recipient their email program will ‘handily’ populate the email with their profile picture, custom footers and other information associated with the sender as it would with a legitimate email. This results in very convincing looking emails which are difficult to detect as fake.

The way to detect the true sender is to look at the internet headers by viewing the source of the email Unfortunately this is very difficult to navigate.

an example of the source of an email.

An example of the source of an email. As you can see it’s difficult to understand.

Bonus point: Social engineering

Phishing, spoofing and CEO fraud emails are all part of a type of hacking called social engineering which is where scammers use tricks or tactics to gain information from legitimate users of a system. Then they use this information to either perpetrate more scams or sell it on the dark web.

Don’t think that social engineering is exclusive to email though. It can come through any channel of interaction such as social media, phone calls or impersonating trusted parties, like delivery drivers.

Conclusion

While products like SPAM filters remain crucial in the fight against email attacks. You can protect your business with user training – a prime way to protect detect these tactics. Employees are often the weak link when it comes to security, so you should invest in security training. This will help them understand the risks and how to avoid them.

READ NEXT>> 9 red flags which should make you doubt an email