2nd May 2016
Businesses need to be vigilant against an increase in targeted, sophisticated email fraud. We have experienced a spike in ‘socially-engineered fraud’ where scammers are using advanced methods to extract money from their victims.
We are now monitoring more than 200 emails per day within the million messages sent to our Internet Service Provider (ISP) business customers where fraudsters appear to adopt people’s email addresses and try to encourage financial transactions with the email account holder’s contacts.
Fraudsters are relentless in their use of email as a way to illegally obtain money.
Common email fraud practices, known as phishing, aim to trick recipients into believing they know the person or company corresponding with them. To avoid being caught by these scams, recipients can check the email address the message actually comes from, which will reveal that it has no connection to the supposed real sender. I’ve included some more tips below.
However, this latest method not only tricks recipients with a genuine-looking message but can also fool monitoring systems and programmes, including Microsoft Outlook, into thinking the message was generated by the real email address.
Fraudsters are also researching the accounts they are mirroring and those accounts’ contacts to make the emails more genuine and dupe unsuspecting victims.
This could have serious financial implications for North East businesses, and as a responsible Internet Service Provider we are continually introducing new safeguards to prevent this horrendous practice from affecting our customers.
By identifying and acting on this new practice we are employing new protocols within our automated email monitoring systems, including the ability to identify the fraudster’s Internet Protocol (IP) address so that these emails can be captured before they reach their recipients.
Every day at Odyssey we see thousands of phishing emails via our MailShield platform. While some are so outlandish or poorly constructed that they are obviously fraudulent, others are far more convincing.
So how can you tell a legitimate email from a phishing email? There is no single trick that will always work, but there are things that you can look out for to help keep yourself safe. We have put together five tips that will help.
- The message contains a non-matching URL
One easy thing to check in a suspicious email is the embedded URLs or clickable links. The visible link text may show one web address, but if you hover your mouse over the link you should see the real address that will be visited (do not click the link).
Good practice is to not click the link in the email, but instead open your browser and log in from there. So, if you receive an email from PayPal with a link to an invoice, log in to PayPal by typing the domain www.paypal.co.uk into your web browser and check there whether the invoice is real or not. This way you can be sure that you are indeed entering your details into PayPal.
You should always do this when dealing with these kinds of ‘Your Money or Your Life’ transactions online, e.g. anything that involves financial transactions or the entering of information that could be used to steal your identity. It’s worth noting that legitimate, reputable companies will never request this kind of information via email.
- Misleading domain names
When people launch phishing scams they often depend on the victim not understanding how domains and DNS work.
Take the domain name login.paypal.co.uk: this is a child of paypal.co.uk, because the rightmost part of the name identifies the real domain. By contrast, in “login.paypal.co.uk.ca2.com” the actual domain is “ca2.com”, not paypal.co.uk, which here is merely a child of ca2.com.
This is one of the tricks alongside misspelled domains that we see used the most to fool users into parting with login details or personal information.
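The two checks described above, hovering to compare the visible link text with the real destination and reading a hostname from the right to find the actual domain, can be automated. The following is an added example written for this page, not Odyssey’s or MailShield’s code. It assumes a deliberately short, constructed list of multi-label public suffixes (a real checker would load the full Public Suffix List) and runs over a constructed HTML email fragment; the domains in that fragment are those already used on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short list of multi-label public suffixes.
# A production checker would load the full Public Suffix List instead;
# this is an assumption made to keep the example self-contained.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def registrable_domain(hostname: str) -> str:
    """Return the part of a hostname that a customer actually registers.

    The real domain is read from the right: 'login.paypal.co.uk' belongs to
    'paypal.co.uk', while 'login.paypal.co.uk.ca2.com' belongs to 'ca2.com'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches a hostname (optionally preceded by a scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html: str):
    """Return (href, text, reason) for links whose visible text names a
    different registrable domain from the one the href really points to.
    This is the automated form of "hover over the link and compare"."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host) if href_host else ""
        match = HOST_IN_TEXT.search(text)
        if match:
            text_domain = registrable_domain(match.group(1))
            if text_domain != href_domain:
                findings.append(
                    (href, text, f"text names {text_domain} but link goes to {href_domain}")
                )
    return findings


# Constructed sample email body: the first link shows a PayPal address but
# really points at ca2.com; the second is consistent.
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready. Review it at
<a href="https://login.paypal.co.uk.ca2.com/inv">https://www.paypal.co.uk/invoice</a></p>
<p>Or visit <a href="https://www.paypal.co.uk/help">www.paypal.co.uk</a> for help.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href} ({reason})")
```

Only the first link is reported: its visible text resolves to paypal.co.uk while the destination resolves to ca2.com. The second link, whose text and destination both belong to paypal.co.uk, passes. The suffix list is the weak point of any such check, which is why real filters use the maintained Public Suffix List rather than a hand-written set.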
- Email has poor spelling and grammar
When emails are sent from a large organisation you can be sure they have been checked for legal issues, bad spelling and poor grammar.
If an email claiming to be from a large firm appears to be of poor quality, it is almost certainly a phishing email.
If you’re really unsure, then the safe thing to do is to call the company that has supposedly emailed you. If you do not know the phone number, get it from their website. Do not trust the number in the email. If they are a reputable firm they will be easy to contact and will verify any requests made.
- Requests for personal information
Even if an email looks official and is professionally presented, it should never be asking for personal information, passwords, credit card details, or answers to security questions.
Again, if you’re still unsure, open your web browser and log in to the company’s official website, or call them using the number from their website, not the one in the email. Do not use the link in the email.
- Keep your computer secure
Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a ‘backdoor’ to allow hackers access to your computer (Trojans). Installing good quality anti-virus software and keeping it up to date will help detect and disable malicious software.