Identifying email scams that target businesses
Forensic Focus - August 2015
Sophisticated email scams are successfully defrauding New Zealand organisations.
Most people are familiar with email scams promising vast riches as a result of an “inheritance” from distant relatives you have never met, lotteries you have not entered or money/gold/shares that simply require an advance of funds in order to “unlock” the said riches. These scams are obvious to most people and you likely delete these emails well before you finish reading them. Clearly the business model for the traditional email scams is a volume game – the fraudsters send out vast volumes of emails, needing only a small percentage of the population to fall for the scams.
Most of the victims of these “traditional” email scams have been individuals. However we have seen a sharp rise over the last six months in what are highly sophisticated email scams targeting both business and public sector organisations.
How do these new sophisticated email scams work?
It appears that the fraudsters are now taking the time to learn your business (presumably leveraging website, social media, etc.) and determining who the senior decision-makers are to greatly increase the chance of the email scams succeeding. Often this will involve impersonating a client or supplier (“We have changed our bank account, please make payment to…”) or impersonating someone from your organisation (“Please pay the attached invoice …”).
We are aware of at least three main variations:
- Email purportedly from the CEO (or similar) requesting payment – similar email account. These are emails that appear to be from the CEO that are sent to accounts payable/finance requesting that an urgent payment be made for services rendered (or similar). The email visually appears similar to a genuine email sent from the CEO, but the email address will be slightly different from the CEO’s genuine email address. For example:
Subject: invoice for consulting services
Could you please ensure that the attached invoice is paid asap. Code the cost to consulting.
In this case, the genuine email address is "firstname.lastname@example.org", so provided accounts payable do not spot the subtle difference in the email account, there is a reasonably high risk the fraudulent payment will be made.
- Email appears identical to the genuine sender’s email address, but has been ‘spoofed’ to appear that way. These are email addresses that have been ‘spoofed’ to appear identical to the sender’s genuine email address, but were actually sent from a different email account.
- Email purportedly from the CEO (or similar) requesting payment – genuine email account. In this version, the fraudsters send the email using the CEO’s (or similar) genuine email account. The fraudsters are able to do so after hacking the email account.
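The following is an added example, not code from the Forensic Focus article, showing how accounts payable could automatically check the sender of a payment-request email against the first two variations above: a lookalike address that is close to, but not, a known executive's address, and a message whose From address is genuine but whose Reply-To points elsewhere. The executive directory, the similarity threshold of 0.85 and the three sample messages are constructed assumptions; the Reply-To check is only one indicator and will not catch a message sent from a compromised genuine account (the third variation).

```python
# Added example: sender checks for payment-request emails.
# Directory entries, threshold and messages are constructed sample data.
import difflib
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory of people who may legitimately instruct payments.
KNOWN_SENDERS = {
    "jane.smith@example.org": "Jane Smith (CEO)",
}

# Assumed threshold: addresses this similar to a known one, but not equal,
# are treated as lookalikes (e.g. a single swapped or inserted character).
LOOKALIKE_THRESHOLD = 0.85


def sender_flags(raw_message, known=KNOWN_SENDERS):
    """Return a list of red flags about the sender of one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    flags = []

    if from_addr in known:
        # The address is genuine, so only header inconsistencies can help here:
        # a Reply-To that routes answers to a different mailbox is suspicious.
        if reply_to and reply_to.lower() != from_addr:
            flags.append("Reply-To %r differs from From %r" % (reply_to, from_addr))
        return flags

    # Unknown address: look for a near match to a known address (variation 1).
    for genuine in known:
        ratio = difflib.SequenceMatcher(None, from_addr, genuine).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            flags.append("%r resembles known address %r (similarity %.2f)"
                         % (from_addr, genuine, ratio))
    # A display name borrowed from a known person but sent from another address.
    for genuine, name in known.items():
        if display_name and display_name.lower() in name.lower():
            flags.append("display name %r matches %s but address %r is not theirs"
                         % (display_name, name, from_addr))
    return flags


# Constructed sample messages (the first reuses the wording quoted in the article).
LOOKALIKE = """\
From: Jane Smith <jane.smith@examp1e.org>
To: accounts@example.org
Subject: invoice for consulting services

Could you please ensure that the attached invoice is paid asap. Code the cost to consulting.
"""

GENUINE = """\
From: Jane Smith <jane.smith@example.org>
To: accounts@example.org
Subject: March board papers

Attached for circulation.
"""

SPOOFED_REPLY_TO = """\
From: Jane Smith <jane.smith@example.org>
Reply-To: Jane Smith <jane.smith@mail-example.net>
To: accounts@example.org
Subject: invoice for consulting services

Please pay the attached invoice today and confirm by reply.
"""

UNRELATED = """\
From: Bob <bob@vendor.co.nz>
To: accounts@example.org
Subject: catalogue

New catalogue attached.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", LOOKALIKE), ("genuine", GENUINE),
                          ("spoofed reply-to", SPOOFED_REPLY_TO), ("unrelated", UNRELATED)]:
        print(label, "->", sender_flags(sample) or "no sender flags")
```

The check is deliberately conservative: an empty result means only that the sender address itself looked right, which is exactly the situation in the second and third variations, so it should gate a manual verification step rather than replace one.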
What are the red flags that the email may be a scam?
Despite the considerable increase in sophistication in these newer email scams, there are some red flags:
- The payment request will be for a “new” supplier or to a new bank account for an existing supplier/client.
- Payment will often be to a non-New Zealand bank account, PayPal, or Western Union.
- Often the payment requests will be in large round dollars (e.g. $50,000, $100,000, etc.).
- The request for payment will be urgent.
- The email may contain bad grammar or unusual word choices.
- The sender may claim to be difficult to contact and request email contact only.
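As an added example (not from the article), the red flags above can be turned into a simple triage check that accounts payable runs over each payment request before it is actioned. The supplier register, the keyword lists, the "large round amount" rule (a multiple of $10,000) and the hold threshold are assumptions to be tuned locally; the grammar red flag is left to the human reviewer because it does not reduce to a reliable rule.

```python
# Added example: triage of a payment request against the article's red flags.
# Register, keyword lists, thresholds and requests are constructed sample data.

# Hypothetical supplier register: supplier name -> set of approved bank accounts.
SUPPLIER_REGISTER = {
    "Acme Consulting Ltd": {"NZ-12-3456-7890123-00"},
}

# Assumed keyword lists; extend from real cases seen locally.
URGENCY_WORDS = ("asap", "urgent", "immediately", "today", "right away")
EMAIL_ONLY_PHRASES = ("email only", "cannot be reached", "do not call",
                      "unable to take calls", "reply by email")
NON_BANK_CHANNELS = ("paypal", "western union")


def payment_request_flags(request, register=SUPPLIER_REGISTER):
    """Return the list of red flags triggered by one payment request.

    request is a dict with keys: supplier, account, bank_country (ISO code),
    amount (dollars), text (the instruction as received) and optional channel.
    """
    flags = []
    supplier = request.get("supplier", "")
    account = request.get("account", "")
    amount = request.get("amount", 0)
    text = request.get("text", "").lower()
    country = request.get("bank_country", "").upper()
    channel = request.get("channel", "bank").lower()

    # New supplier, or a new bank account for an existing supplier.
    if supplier not in register:
        flags.append("new supplier not in register")
    elif account not in register[supplier]:
        flags.append("new bank account for existing supplier")

    # Payment leaving the New Zealand banking system.
    if channel in NON_BANK_CHANNELS or (channel == "bank" and country != "NZ"):
        flags.append("payment outside NZ banking system (%s)" % (channel if channel != "bank" else country))

    # Large round dollar amount (assumed rule: multiple of $10,000).
    if amount >= 10_000 and amount % 10_000 == 0:
        flags.append("large round amount ($%s)" % format(amount, ",.0f"))

    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgency language")
    if any(phrase in text for phrase in EMAIL_ONLY_PHRASES):
        flags.append("sender discourages non-email contact")
    return flags


def triage(flags):
    """Assumed policy: two or more flags hold the payment, one sends it for review."""
    if len(flags) >= 2:
        return "hold"
    if flags:
        return "review"
    return "proceed"


# Constructed sample requests.
SUSPECT = {
    "supplier": "Acme Consulting Ltd",
    "account": "GB-99-0000-1111111-00",
    "bank_country": "GB",
    "amount": 50_000,
    "text": "Please pay the attached invoice asap. I am in meetings all day so email only.",
}

ROUTINE = {
    "supplier": "Acme Consulting Ltd",
    "account": "NZ-12-3456-7890123-00",
    "bank_country": "NZ",
    "amount": 4_870.50,
    "text": "Invoice 1042 attached for March services.",
}

if __name__ == "__main__":
    for label, req in [("suspect", SUSPECT), ("routine", ROUTINE)]:
        flags = payment_request_flags(req)
        print(label, "->", triage(flags), flags)
```

The value of the check is in the combination: a single flag (a genuinely new supplier, say) is normal business, but a new account plus an offshore destination plus urgency is the pattern described above and should stop the payment until it is verified through a channel other than the email that requested it.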
What should we do if we are a victim of this scam?
Contact your bank, forensic provider and Police immediately. There are two important immediate considerations:
- Recovering the funds. If you identify the scam the same day the payment is made your chances of the funds being “frozen” in the banking system are greatly enhanced. The prospect of recovering the funds will diminish greatly as each day goes by;
- Determining who the perpetrator is. While in most cases the perpetrator will be based overseas, it is important to consider the possibility that the perpetrator could be an insider or local person.
How do we reduce the risk of falling victim to this scam?
Our top five recommendations for safeguarding your organisation from these email scams are:
- Review how your organisation handles email instructions for payment. Increasingly we are seeing organisations choosing not to rely on email instructions given the fraud risk involved.
- If your organisation does rely on email instructions, consider whether your payment controls would actually stop these fraudulent payment requests from being actioned.
- Consider how “fraud aware” your team is. Your people are your best defence against fraud, so it is important that they are alert to this and other fraud risks.
- Revisit your IT security to understand the level of vulnerability.
- Consider whether your insurance policy would cover these fraud losses.
If you have been the victim of an email scam or you would like to discuss how you can protect yourself better, please do not hesitate to contact Jason Weir.