We are all aware of the potential for spam and phishing emails to hammer our inboxes on a daily basis. This is why it’s prudent to protect your network with a hosted email filtering service, such as Trend Micro. However, even with the best email filtering service in place, an amount of spurious emails will most likely still make it to your inbox. This is mainly because the criminals who send out such emails are employing ever more sneaky ways to fool their victims.
Although there are hundreds, if not thousands of different types of dodgy emails being sent round, there are two particular types which merit taking immediate action to protect your data and your bank balance. These two types of emails have taken things to the next level in terms of how far these crooks will go to part you or your company from your cash or data.
Urgent Request from the MD to make a bank transfer
text boxAn email arrives from your MD, or other senior person who can authorise payments. It instructs you to make an urgent payment to the company detailed in the email. The MD will usually be out of the country or away when this email arrives. The crooks know this as they have most likely sent a phishing email and received an out of office response with the recipient’s job title. They then do some research on your company and establish the hierarchy and who would deal with bank payments. The crooks edit the “From” field of the email so it does indeed look like the MD’s email address and usually use the signature: “sent from my mobile” or similar.
We are aware that globally this type of email con has managed to trick some pretty large companies out of some significant amounts of cash. In one instance a US company transferred a six figure sum to the fraudster’s bank account. This may seem incredible but remember these crooks have done their homework on their victim’s company. They probably know the turnover of the company and possibly some of their clients or suppliers. They have even been known to hack their way in to the company’s email system, and obtain their contact database. This means that when they send the request for payment, the name may even be that of one of the company’s clients or suppliers, just with a different account number and sort code.