Here at CCCit we have been made aware of a number of businesses that have fallen for an email spoofing scam which could end up costing them a tremendous amount of money.
Scammers are doing their research to identify the key decision makers within a business: the owners, the managing directors and the staff working in the finance or accounts departments. Armed with this information, they spoof the email address of an owner or director to impersonate them, then send an email to key finance staff asking them to transfer potentially thousands of pounds into a bank account that the scammers themselves control.
Because the emails appear to come from legitimate addresses belonging to owners or directors of the business, many people have been fooled and left considerably out of pocket. Companies caught out by this type of scam will find it very difficult to recover the lost funds, as many banks will have little sympathy.
What is spoofing an email?
Spoofing an email is as simple as sending an email with a forged or fake sender address. The displayed address might be firstname.lastname@example.org, but when you reply, the reply address will belong to the scammer, e.g. email@example.com.
Spoofing an email is comparatively easy to do because the main email protocols were originally designed to be open and basic, and only a small number of senders enable the more advanced security features.
Protecting your business
Due to the nature of spoofed emails, even with the correct security features in place it can still be very difficult to prevent a scammer from crafting an email that looks like it has come from an owner or managing director. Some technical prevention methods are set out below, although one of the most important prevention methods is staff awareness training combined with processes that limit the risk.
Staff training – It is important for staff to recognize a fake email or invoices and what to do if they receive one. It is essential to make your accounts payable personnel aware of possible scams and train them to follow policies on purchasing and processing of payments. These processes should be documented and available to all employees.
Obvious Indicators of fraud:
- An incorrect domain name used to send emails, invoices and fund transfer requests. Hovering over the sender's name may reveal the actual sending address, which can differ from the one displayed.
- The delivery address is not a company address.
- Poorly written email with grammatical errors.
- Use of a false or unknown contact from the company. If requests for quotations, invoices, purchase orders or fund transfers are received from a new company contact or account that raises your suspicion then please contact the person directly to verify the validity of the request. Do not contact the name/number used on the email/invoice/purchase order.
- Phone numbers not associated with the Business.
- Unusually large amounts are requested.
Purchase Order Process – It is good policy to implement a purchase order process that requires a purchase order for every payment made with company money. Most popular accounting software can create purchase orders or integrate with a purchase order system, so that any payments or transfers are correctly authorised and properly recorded. Because these authorisation systems do not rely on email, they are extremely difficult for a fraudster to replicate, and they make a genuine fund transfer much easier to recognise.
Some popular cloud-based accounting packages that support purchase orders are Xero and QuickBooks Online.
SPF and DKIM Email Validation – Authentication is a way to prove that an email is not fake. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are both ways to implement email validation that detects spoofing. With SPF, a domain publishes which hosts are authorised to send mail for it, so your email server can check whether an incoming email comes from a host that is authorised to send for the domain it claims. When you receive an email that appears to come from that domain but was not sent by an authorised server, it will either be marked as SPAM or not delivered.
DKIM and DomainKeys embed a cryptographic signature in the email headers, which makes a message harder to forge (but they can also be more difficult to implement for senders and receivers).
Some scam emails you receive may not come from your company's exact domain name. For example, they may appear to come from someone within the business using a personal address or a slight variation on the company domain that is not protected by SPF or DomainKeys. Because there are many variations on the kind of emails you may receive, the steps above should not be the only precautions taken; implementing these methods should be considered an added security measure.
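To show what the SPF check and the sender-address indicators above look like in practice, here is an added example (not code from the original post or from CCCit). It uses a constructed in-memory DNS zone in place of real TXT lookups, evaluates only the ip4 and include mechanisms, and, as a simplification, checks the header From domain where real SPF uses the envelope sender; the sample message and IP addresses are constructed.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT records (assumption: offline example, not real lookups).
SPF_ZONE = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 -all",
}

def spf_check(domain, sender_ip, depth=0):
    """Simplified SPF evaluation: ip4 and include mechanisms, -all / ~all qualifiers."""
    record = SPF_ZONE.get(domain.lower())
    if record is None or depth > 10:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term.startswith("include:"):
            # An include only contributes a match; its own -all does not cause failure.
            if spf_check(term[8:], sender_ip, depth + 1) == "pass":
                return "pass"
        elif term == "-all":
            return "fail"
        elif term == "~all":
            return "softfail"
    return "neutral"

def inspect_message(raw, sender_ip):
    """Return the warnings a filter would raise for a message claiming to be from the director."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
    warnings = []
    result = spf_check(from_domain, sender_ip)
    if result in ("fail", "softfail"):
        warnings.append(f"SPF {result}: {sender_ip} is not authorised to send for {from_domain}")
    if reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return warnings

# Constructed sample: From shows the director's address, Reply-To points at the scammer.
SAMPLE = """From: Managing Director <firstname.lastname@example.org>
Reply-To: email@example.com
To: accounts@example.org
Subject: Urgent payment

Please transfer the funds today.
"""

if __name__ == "__main__":
    for warning in inspect_message(SAMPLE, "192.0.2.50"):
        print("WARNING:", warning)
```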
Protect yourself using services from CCCit
Implementing SPF across the domains and email servers we manage is something CCCit carries out as standard. In some cases we also recommend implementing DKIM alongside SPF. Enabling spam filters and managing anti-virus and patching across a network are also very important in reducing the risk of falling victim to a scam, and CCCit implements and manages all of these areas for our support customers. We can also help you set up a secure online purchase order system so that you can safely and reliably validate all purchases and transfers of company funds.
To find out more, please contact CCCit on 0117 3700 050 or send an email.