By: Mike Maggs, President
Think that email from your boss actually came from your boss? You might be wrong.
These days, most of us are so buried in emails that it has become socially acceptable to ignore them—at least for a little while. Still, most people stand at attention when they get an email from their boss or another member of company leadership.
When an email from the CEO hits your inbox, your natural inclination is most likely to try to address the email as quickly as possible and, in many cases, without reservation, right?
That self-imposed, or even expected, sense of urgency may play a major role in exposing your email inbox as one of the most significant threats to your company.
Welcome to the era of scams.
Because Sentric is in a high-risk industry for these types of scams, our employees are always on high-alert. Still, practically no one is immune to the ever-evolving tactics employed by cybercriminals. A few of our employees have almost been misled by convincing emails from “Mike Maggs” asking for things from the innocuous “Got a moment? Give me your personal cell number as I need you to complete a task for me” to the more suspicious “Are you available to make a Wire Transfer? Get back to me as soon as you receive this.”
Another example that, at first glance, appears to have been sent from one employee to another:
Fortunately, in the examples above, our employees recognized the threat and took appropriate action to protect our business and our clients because we’ve educated Sentric staff about email fraud tactics.
Email fraud is a growing—and lucrative—industry.
According to the FBI, CEO email fraud is now a $12 billion scam. Between December 2016 and May 2018, the FBI uncovered a 136% increase in identified global exposed losses, with scams reported in all 50 states and in 150 countries.
The FBI calls this kind of email fraud Business Email Compromise (BEC) or Email Account Compromise (EAC):
“Business Email Compromise/Email Account Compromise (BEC/EAC), is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.
The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct the unauthorized transfer of funds.
The scam may not always be associated with a request for transfer of funds. A variation of the fraud involves compromising legitimate business email accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”
Last December, the IRS issued a warning to watch for fake payroll direct deposit and W-2 related emails. According to the IRS, a range of industries, employers, and tax preparers are being targeted by business email spoofing.
“These email scams are often masked to look like they are coming from a company employee—often someone in a leadership role. The fake employee will request a change in his/her direct deposit information or W-2 information, and sometimes even provide a new account number (which, in reality, belongs to the spammer).” —Victoria Beppler, Marketing Specialist, Sentric
In the last month, authorities have observed a new spin on the classic BEC email: this time targeting HR. These email scams attempt to trick HR personnel into changing an employee’s bank account and routing numbers to those of a direct deposit account the attacker controls. Once a paycheck is sent to the attacker’s account, the victimized company is responsible for reimbursing the impacted employee, and the employee is faced with the disruption of a late paycheck.
In the past, spoofed emails were loaded with errors, making them easy to spot. Unfortunately, these latest attacks are harder to catch. As hackers have become more organized, they’ve also grown sneakier. The most recent attacks used email signatures gathered from legitimate accounts accompanied by unassuming and straightforward text. The goal of these emails is to trick the recipient into rerouting an employee’s payroll or downloading an attachment carrying malware.
And it works.
In the lead-up to tax day, many professionals were hit by the TrickBot financial malware campaign. Designed to fool recipients into downloading a malware-infected Microsoft Excel file by “spoofing” two leading payroll service providers, TrickBot was successful in disrupting tax season for more than a few employees (and businesses).
Knowing that most employees are unlikely to say no to a request from leadership or another trusted source, criminals have found an easy way to gain access to data—and dollars.
Which brings us to my next point: while employees are the first line of defense against email fraud, they are also the weakest link. Regardless of the security measures you have in place, it takes just one mistake to create a significant problem.
This is where HR comes in.
It was once common practice to place the burden of cybersecurity exclusively on the shoulders of IT. I believe that HR must be involved because HR is now one of the primary targets of email fraud. Our HR department includes cybersecurity training and awareness in our onboarding and ongoing training programs and I think this has played a key role in protecting our business from scams.
What you can do.
Fraud is a scary thing, and it’s important that you take it seriously—but you don’t need to panic. Here are a few preventative measures that you can take to avoid email fraud:
- Train employees to become the first line of defense in your security risk prevention framework. This means educating them about the latest cybersecurity threats and providing malware and ransomware training.
- Avoid the email inbox altogether. Use collaboration tools for most, if not all, internal communication (this might have the added benefit of a productivity boost).
- Build a culture of open communication to ensure employees feel comfortable voicing concerns if they notice something off-kilter.
- Work with IT to ensure that all devices, computers, and networks are running the latest software with security patches applied, and that those systems have anti-virus software installed and are protected by firewalls. This includes your employees’ home computers and any devices used to access the company network or online applications.
- Make sure you and your employees regularly update account passwords. Require them to be complex so they are difficult to guess, and NEVER share passwords with ANYONE. In addition, make sure your password policies don’t allow a previous password to be reused.
Additional reading: Schneider Downs published a great article discussing password complexity.
- NEVER share confidential information using email unless you are using encryption.
- If you have to use email, train your employees to never open an attachment from an unknown source and to always check the actual sender address, not just the display name shown to them.
- When in doubt, pick up the phone or stroll into the sender’s office to ask whether they actually sent the email in question. A quick conversation can help you prevent a data breach. When deciding whether this is necessary, consider what the email sender is asking you to do. Any email with a link or request that could result in information or monetary loss must be questioned.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”—Martin Licciardo, special agent, FBI Washington Field Office
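The advice above to check the real sender address rather than the display name, to look at where a reply would actually go, and to treat money and payroll requests with suspicion can be turned into a simple triage check. The following is an added example written for this article, not Sentric’s own tooling: it parses a constructed sample message (the headers and body are made up to resemble the “Mike Maggs” requests described above) and lists the reasons a recipient should verify the request out of band. The internal domain list and the leadership names are assumptions a company would fill in for itself.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

# Constructed sample message (not a real email): a "CEO" request that arrives
# from a lookalike outside domain, with a Reply-To pointing somewhere else again.
SAMPLE_RAW = """\
From: Mike Maggs <mike.maggs@example-lookalike.com>
Reply-To: ceo-desk@example-freemail.test
To: payroll@example.com
Subject: Quick favor
Date: Mon, 1 Apr 2019 09:12:00 -0400

Are you available to make a Wire Transfer? Get back to me as soon as you receive this.
"""

INTERNAL_DOMAINS = {"example.com"}   # assumption: the company's own mail domains
LEADERSHIP_NAMES = {"mike maggs"}    # assumption: display names worth guarding
# Phrases typical of BEC requests for money or payroll/tax data.
RISKY_PHRASES = ("wire transfer", "direct deposit", "w-2", "routing number", "gift card")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def review_message(raw: str) -> List[str]:
    """Return the reasons a reviewer should verify this message out of band.

    An empty list means none of the checks fired; it does not prove the mail is safe.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings: List[str] = []

    # Check 1: the actual address, not the display name, decides where mail came from.
    if from_domain and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"From address is external: {addr}")

    # Check 2: a leadership name on an external address is the classic CEO-fraud pattern.
    if display.strip().lower() in LEADERSHIP_NAMES and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"Display name '{display}' impersonates leadership from an external address")

    # Check 3: replies silently redirected to a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain differs from From domain: {reply_addr}")

    # Check 4: the request itself concerns money or payroll/tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        findings.append("Body asks for money or payroll/tax data: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for reason in review_message(SAMPLE_RAW):
        print(" -", reason)
```

Every check here corresponds to something a person can do by eye in a mail client; the value of writing it down is that it can run over a mailbox or a mail gateway’s quarantine and flag the messages worth a phone call to the apparent sender.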
How Sentric protects data.
Protecting client data (and our own information) is a significant aspect of what we do both within the SentricHR platform as well as in our physical spaces. Learn more about our Security Standards.
It’s not if, but when.
Unfortunately, it’s not a matter of whether or not you will be confronted with a cybersecurity issue. For most businesses, it is a matter of when. Through the adoption of technology, ongoing education, and open lines of communication between IT, leadership, Human Resources, and employees, the potential for exposure will be significantly reduced.