How to Protect Your Business from the Staff Impersonation Email Scam
One of the most common scams reported in today’s small business IT support world is the impersonation of the company CEO, HR staff, or other executives/managers. These usually take the form of an initial message to an employee to spark interest, such as “Are you busy? I need your help with an important task.” The scam takes advantage of the way email “from” fields are displayed in mail clients and web browsers. Often only the display name is shown in the inbox, and closer inspection is required to see the actual email address. Since anyone can specify any “from” name when setting up an email account, scammers are free to browse the company website or LinkedIn profiles to find the name of an important person they can impersonate.
How can a person send an email as our CEO or an employee? Have we been hacked?
In the example below I have changed my “from” name to Steve Jobs – now any emails I send will appear in the recipient’s inbox as being from “Steve Jobs.” The recipient would have to open the email and look past the display name to see the actual sender email address. The ability to change the “from” name exists in all mail platforms, so scammers tend to use a compromised email address or a random Gmail address such as xkjiduykrj879@gmail.com.
Below is how the email appears to the recipient in Gmail:
A busy employee receiving an email with the CEO’s name in the “from” field and an “urgent” subject line might forget to check the sender email address and respond to the scammer. If they do respond, the most common next step for the scammer is to request gift cards – generally “as a reward for employees” or clients. They’ll ask the employee to visit a Target or Best Buy, purchase gift cards using their own credit card or a company card, scratch off the codes, and send the codes to the scammer. The codes will then be redeemed and the money will be lost.
Another common scam in the same vein is impersonation of an employee, where the scammer requests a change of bank details for their paycheck. If HR/management fails to verify the sender’s identity, they may change the employee’s bank details and route a paycheck or two to the scammer’s bank.
How can we protect against these scams?
The best protection is education and awareness combined with modern email security. Education and awareness are the most important as the scammers are always finding new ways around security. Adding phishing awareness training to employee onboarding and sending periodic reminders to staff can greatly reduce the chances that someone will mistakenly respond to a scam email.
The most important aspect of scam protection is to always check the actual email address of a sender. This can be done by opening the email and checking the text after the “from” name, or viewing sender details:
True North IT, based in Boulder, CO, helps protect our small business clients from impersonation scams by closely monitoring email security settings and features from email providers, as well as building custom mail rules to help catch scammers and warn employees of possible scam emails.
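To show what “check the actual email address” and a “custom mail rule” come down to in practice, here is an added example (not True North IT’s own tooling) that separates the display name from the real address in a From: header and raises a warning when the name matches a protected staff member but the address is outside the company domain. The company domain `example.com`, the protected names, and the sample message are constructed for the example.

```python
"""Flag messages whose display name matches staff but whose address is external.

Added example. COMPANY_DOMAIN, PROTECTED_NAMES and SAMPLE_SCAM are constructed
values, not taken from any real organisation.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# Constructed for this example: the business's own mail domain and the
# display names worth protecting (executives, HR staff, managers).
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"steve jobs", "pat lee"}


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Steve  JOBS' matches 'steve jobs'."""
    return re.sub(r"\s+", " ", name).strip().lower()


def split_from(from_header: str) -> tuple:
    """Return (display name, address, domain) from a From: header value.

    parseaddr() separates the free-text name from the angle-bracketed
    address, which is exactly the distinction an inbox view hides.
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    domain = addr.rpartition("@")[2]
    return name.strip(), addr, domain


def impersonation_warning(from_header: str) -> Optional[str]:
    """Return a warning string if the header looks like staff impersonation, else None."""
    name, addr, domain = split_from(from_header)
    if not addr or domain == COMPANY_DOMAIN:
        # No address, or a genuine internal address: nothing for this rule to flag.
        return None
    norm = normalize_name(name)
    if norm in PROTECTED_NAMES:
        return (f"CAUTION: display name '{name}' matches a staff member, "
                f"but this message was sent from external address {addr}")
    # Variant of the trick: the display name itself is made to look like a
    # company address, e.g. "steve@example.com" <random123@gmail.com>
    if "@" + COMPANY_DOMAIN in norm:
        return (f"CAUTION: display name '{name}' looks like a company address, "
                f"but the real sender is {addr}")
    return None


def check_message(raw: bytes) -> dict:
    """Parse a raw message (as saved from a mail client) and evaluate its From: header."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_header = str(msg.get("From", ""))
    name, addr, domain = split_from(from_header)
    return {
        "name": name,
        "address": addr,
        "domain": domain,
        "warning": impersonation_warning(from_header),
    }


# Constructed sample modelled on the opening message the post describes.
SAMPLE_SCAM = b"""From: Steve Jobs <xkjiduykrj879@gmail.com>
To: employee@example.com
Subject: Are you busy

I need your help with an important task.
"""

if __name__ == "__main__":
    result = check_message(SAMPLE_SCAM)
    print(f"display name: {result['name']!r}  real address: {result['address']}")
    print(result["warning"] or "no warning")
```

A mail rule built on this logic would typically prepend the warning to the subject or add a banner to the body rather than silently dropping the message, since a legitimate contractor or a staff member writing from a personal account can trip it; the point is to make the real address visible to the busy employee at the moment they read the email.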
We also review suspect emails on client request and provide email security awareness training, which is available to all of our clients. Please let us know if you are a client and would like to activate training for your staff.
Does your business need help with email security? Give us a call for a free 30-minute consultation: True North IT – 303-928-1107 – [email protected]