Have you ever almost clicked or actually clicked on a link because you thought it came from someone you know? Have you ever almost taken action based on an email you received that you thought was from your CEO? Don’t feel bad – it happens more often than you might imagine. And scammers are becoming very clever about how they go about trying to trick you into wiring money, divulging usernames and passwords, or clicking on links that introduce malware or lock up your system with ransomware.
Spoofed Emails Succeed by Playing on Fear
Spoofed email is one of the biggest security risks to businesses and government organizations of all sizes, and all too often the spoof succeeds. It succeeds because it is designed to play on the recipient's fear. An employee in the accounting department receives an email that looks like it came from the CEO, stressing that an important invoice was missed and must be paid immediately. An executive assistant receives an email from the “help desk” saying that her account has been suspended for security reasons and she must verify her credentials. Fear pushes people to act before they have time to think the request through and proceed with caution.
Spoofed Emails Get More Sophisticated and More Costly
Because most users and spam filters have learned to recognize mass spoofed email, cyber criminals have refined their methods. Spear phishing, a targeted attack in which the email is aimed at a specific organization and appears to come from someone within it who would plausibly send such a request, has become one of the most common ways of defrauding an organization. The cost is severe, with corporations losing an estimated $1.6 million to phishing scams.
Improve Email Savvy
To reduce the risk from email spoofing and phishing, organizations must strengthen their training and advise employees on how to handle suspicious email. The training has to be ongoing: recognizing spoofed email cannot be something you mention during onboarding and never raise again.
- Teach employees how to recognize a forged “From” address, including a display name that does not match the actual address or a lookalike domain, and how to view the full message headers (Reply-To, Return-Path and Authentication-Results) in their mail client.
- Teach staff to hover over a link and read where it really leads before clicking; the visible text and the actual destination are often different.
- Encourage employees to verify a request with the sender through a separate channel (in person, or by phone to a number they already have, never by replying to the email), especially when the request involves money or account credentials. A quick phone call to a colleague may save thousands or more.
- Implement policies that require two people to approve any payment or wire transfer, with no exception for urgency.
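The checks in the list above can be automated on a message export. The following is an added example written for this page, not code from thinkCSC; it uses only the Python standard library on a constructed sample message (the domains `example-corp.com`, `examp1e-corp.com` and `mail-relay.example.net` and the address `198.51.100.7` are invented for illustration). It flags a display name that shows a different address than the real sender, a lookalike sender domain, a Reply-To or Return-Path on another domain, non-passing SPF/DKIM results recorded by the receiving server, and links whose visible text points somewhere other than the real target.

```python
"""Header and link checks for a suspected spoofed email (added example)."""
import re
from email.parser import Parser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. The display name shows the CEO's real address
# while the actual sender domain swaps the letter "l" for the digit "1";
# replies go to a third-party relay; the receiving server recorded spf=fail.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Jane Smith <jane.smith@example-corp.com>" <jane.smith@examp1e-corp.com>
Reply-To: accounts@mail-relay.example.net
To: payables@example-corp.com
Subject: URGENT: overdue invoice
Content-Type: text/html

<p>Pay this today via <a href="http://198.51.100.7/pay">https://portal.example-corp.com/invoices</a>.</p>
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def _normalize(domain):
    """Collapse common character substitutions so lookalike domains compare equal."""
    return (domain.lower().replace("1", "l").replace("0", "o")
            .replace("rn", "m").replace("vv", "w"))


def _host(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """The 'hover before you click' check: visible URL text vs. real target host."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        looks_like_url = re.fullmatch(r"(https?://)?[\w.-]+\.\w+(/\S*)?", text)
        if looks_like_url and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)} but target is {_host(href)}")
    return findings


def inspect_message(raw, our_domain):
    """Return a list of warning strings; an empty list means nothing suspicious."""
    msg = Parser().parsestr(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    if from_dom != our_domain and _normalize(from_dom) == _normalize(our_domain):
        findings.append(f"From domain {from_dom} is a lookalike of {our_domain}")
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append(f"display name shows {shown.group(0)} but actual sender is {addr}")
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and _domain(other) != from_dom:
            findings.append(f"{header} domain {_domain(other)} differs from From domain {from_dom}")
    auth = msg.get("Authentication-Results", "")
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result.lower() != "pass":
            findings.append(f"{method} result is {result}")
    if msg.get_content_type() == "text/html":
        findings.extend(check_links(msg.get_payload()))
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SPOOFED_MESSAGE, "example-corp.com"):
        print("WARNING:", finding)
```

Run against the sample, it reports seven warnings; a legitimate internal message with spf=pass and dkim=pass and no forwarding headers reports none. The lookalike check is deliberately simple (a handful of character swaps) and is meant as a tripwire for human review, not a replacement for the DMARC enforcement a mail gateway performs.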
Improve Email Security
Email security needs to be a priority for every organization: small and large businesses are targeted, as are healthcare facilities and government agencies. Use a hosted or gateway email filtering service that stops much of the spoofed email before it reaches the inbox, make sure your handling of email meets the regulations that apply to you (for example Sarbanes-Oxley or HIPAA), and publish a Sender Policy Framework (SPF) record for your domains so that receiving mail servers can reject messages sent from servers you have not authorized. SPF on its own only checks the envelope sender, so pair it with DKIM signing and a DMARC policy to protect the From address your employees actually see.
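To make the SPF recommendation concrete, here is an added example (not from the original page or from thinkCSC) that evaluates an SPF record against a sending IP the way a receiving server does for `ip4`, `ip6`, `include` and `all`. Real evaluation per RFC 7208 fetches the TXT records over DNS; here they come from a constructed in-memory table (`example-corp.com`, `_spf.mailhost.example` and the addresses in it are invented), so the logic runs offline. It also shows the weak setting to avoid: a record ending in `+all` or `?all` authorizes every host on the internet and stops no spoofing.

```python
"""Offline SPF record evaluation (added example, not the page's own code)."""
import ipaddress

# Constructed TXT records standing in for DNS lookups.
TXT_RECORDS = {
    "example-corp.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
}

# The weak configuration: "+all" at the end makes every sender pass.
PERMISSIVE_RECORD = "v=spf1 ip4:203.0.113.0/24 +all"
# The corrected form: anything not listed fails hard.
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, lookup=TXT_RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for sender_ip."""
    if depth > 10:                   # guard against include loops (RFC 7208 caps
        return "permerror"           # DNS-querying terms at 10 in total)
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"              # mechanisms default to the "pass" qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # membership is False when the IP version differs from the network
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif mech == "include":
            target = lookup.get(arg.lower())
            if target is None:
                return "permerror"
            # include matches only when the included record evaluates to pass
            matched = evaluate_spf(target, sender_ip, lookup, depth + 1) == "pass"
        else:
            continue                 # a, mx, ptr, exists, redirect= need live DNS
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # no mechanism matched and no "all" term


def record_is_permissive(record):
    """True when the record's final 'all' lets unlisted hosts pass or stay neutral."""
    last = record.split()[-1].lower() if record.split() else ""
    return last in ("all", "+all", "?all")


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.20", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", evaluate_spf(TXT_RECORDS["example-corp.com"], ip))
    print("permissive record?", record_is_permissive(PERMISSIVE_RECORD))
```

A spoofer sending from 192.0.2.1 gets `fail` from the strict record and `pass` from the permissive one; a receiving server honours that verdict only when your DMARC policy tells it to, which is why SPF, DKIM and DMARC are deployed together.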
thinkCSC is committed to helping organizations improve security and compliance. If you have been the victim of spoofed emails or would like to learn how to protect your organization from email security attacks, contact thinkCSC for more information.