Late last week, our company caught an email phishing scam that might have cost us $145,000. Thankfully, we knew better than to let it happen. Our close call highlights the importance of constant vigilance when it comes to avoiding email phishing scams.
Here’s how the new phishing scam works:
- You receive an email that appears to come from someone you know, e.g., the president of the company or division, asking you to prepare for a disbursement. It might ask for account balances or for the “status” of a pending payment.
- You reply with the information the person you know needs.
- He or she replies with instructions to wire the money to a specific bank account.
- You or someone in the company wires the money to that account.
- And then you kiss the money goodbye.
Why? The email never came from the president. It was a phishing attempt, and a good one: your reply went to a mailbox the scammer controls, and the scammer wrote the wire instructions. Email phishing scammers are getting better at making their emails look legitimate.
Unfortunately, this kind of attack is becoming more common. Fortune ran an article last fall about a similar situation faced by Tom Kemp, the CEO of Centrify. The attempts began in February 2014 and have continued, rising to a frequency today of about one attempt per week. In Kemp’s case, Centrify never fell victim to the scam.
We know others who haven’t been as lucky. Many corporations have fallen victim to this scam.
However, it isn’t just large corporations that are targets of these kinds of attacks. The fraudsters attack individuals, too. After our executive team discovered what had happened at APR, one of our senior team recalled that something similar happened at a real estate closing to a couple he knew:
- The day before closing, the couple received an email with new wire instructions, apparently from their attorney, asking that they use a different account.
- The couple made the requested change and sent the funds.
- At closing the next day, the funds were not in escrow.
- It turned out the email had not come from the attorney’s office.
- When the couple checked with the bank, the new account had already been emptied.
People should be aware that these attempts are out there, and they should know how to avoid falling victim to them.
How to Spot an Email Phishing Scam
There are a few different parts to the sender’s information, and the scam relies on you looking at only one of them. In our case, the display name in the “From” field of the first email showed the email address of our president (although it did have some strange capitalization…20/20 hindsight!). So our accounting team member thought it came from him and replied.
But the reply went to the “Reply-To” address. That was a different address, and NOT the president’s. A mail client honors the Reply-To header over the From header when you press Reply, so from this point on the information was being exchanged with the scammers.
To avoid this scam, check the Reply-To address. It is in the email headers, and it also shows up as the recipient of your reply once you press Reply. But of course, almost no one looks, especially when responding to an email thread that appeared to come from a legitimate address in the first place.
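The check described above, as an added example written for this post rather than code from AP Recovery or its mail appliance: it parses a message with Python's standard `email` module, compares the From and Reply-To headers, and also catches the display-name trick, where the visible name contains an address on our domain while the real sender and the reply target are elsewhere. The two sample messages, the names, and the domains (`aprecovery.com` as our domain, `aprec0very.com` as the lookalike) are constructed for the example.

```python
"""Reply-To hijack check for an inbound message.

Three signals are checked:
  * the Reply-To header names a different mailbox than the From header;
  * the display name contains an e-mail address (what a reader sees) whose
    domain differs from the real sender address;
  * the message looks internal, yet a reply would leave the company domain.
"""
import email
import re
from email.utils import parseaddr

# Matches an e-mail address embedded in free text (such as a display name).
EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample messages. Names and domains are made up; the lookalike
# domain swaps the letter o for the digit 0, as in the post's example.
OUR_DOMAIN = "aprecovery.com"

SAMPLE_PHISH = """\
From: "BoB.SmiTh@aprecovery.com" <exec.office.mail@example.net>
Reply-To: bob.smith@aprec0very.com
To: accounting@aprecovery.com
Subject: Re: pending disbursement
Date: Mon, 02 Mar 2015 09:12:00 -0500

Can you send me the current balance on the vendor account? I need it today.
"""

SAMPLE_LEGIT = """\
From: Bob Smith <bob.smith@aprecovery.com>
To: accounting@aprecovery.com
Subject: pending disbursement
Date: Mon, 02 Mar 2015 09:12:00 -0500

Please send me the status of the payment when you have a minute.
"""


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; '' if there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_reply_target(raw_message: str, our_domain: str = OUR_DOMAIN):
    """Return a list of (code, detail) findings; an empty list means clean."""
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Where a reply actually goes: Reply-To wins when it is present.
    reply_target = reply_addr or from_addr
    findings = []

    # 1. Reply-To points at a different mailbox than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(("REPLY_TO_MISMATCH",
                         f"replies go to {reply_addr}, not to {from_addr}"))

    # 2. The display name shows an address whose domain is not the sender's.
    shown = EMAIL_IN_TEXT.search(from_name)
    if shown and domain_of(shown.group()) != domain_of(from_addr):
        findings.append(("DISPLAY_NAME_SPOOF",
                         f"display name shows {shown.group()} "
                         f"but the sender is {from_addr}"))

    # 3. Looks like internal mail, but a reply would leave our domain.
    looks_internal = (our_domain in from_name.lower()
                      or domain_of(from_addr) == our_domain)
    if looks_internal and domain_of(reply_target) != our_domain:
        findings.append(("REPLY_LEAVES_DOMAIN",
                         f"message appears internal but replies go to "
                         f"{domain_of(reply_target)}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_reply_target(raw) or "clean")
```

The same three comparisons are what a mail gateway rule or an Outlook add-in would make before a user presses Send; the third signal is the one that matters for wire fraud, because the scammer's goal is simply to get your reply into a mailbox outside the company.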
We looked into our email security appliance to see where it had failed us. It turned out it hadn’t; it had tagged this email as a phishing attempt. Looking at our settings, however, I saw we had configured it to defer these emails. A deferral is a temporary rejection that tells the sending server to try again later, and if the same email came in a second time, the system would deliver it. Legitimate mail servers retry, but so do the scammers’ servers, so deferral is not a block.
We have since changed that setting. If an email is flagged as a phishing attempt, it is simply rejected. It doesn’t get quarantined, it doesn’t get delivered, and it doesn’t matter how many times it is sent.
Here are three essential steps to protecting yourself from this latest phishing scam:
- Pay special attention to the Reply-To address. When you press Reply, the To field of your reply is filled in from the message’s Reply-To header; the address inside the angle brackets is where your message will actually go, whatever the display name says (in Mac’s Mail program, click the down arrow next to the display name to see it). Double-check that this is the correct address for your intended recipient. If it isn’t, DON’T HIT SEND.
- Configure your email security appliance appropriately for your business model. In AP Recovery’s case, that means never delivering emails flagged as phishing. This approach might not work for every business. Whatever the setting needs to be, understand exactly what the appliance does with a flagged email (reject, defer, quarantine, or tag and deliver) and how a flagged email can still reach an inbox when the wrong set of circumstances comes together, as a deferred-then-retried message did for us.
- Train your team in this process. It’s essential that your users know the appropriate steps to take if they suspect they are being, or have been, phished. Also, as Kemp said, have systems in place internally that cross-check these transactions and maintain a rigid approval process for wire transfers. Confirm any request to wire money or to change bank details out of band, by calling the requester at a number you already have, never by replying to the email or calling a number it contains.
There are a couple of extra steps Kemp offered in the Fortune.com article. One is multi-factor authentication, meaning more than one method is used to verify the user’s identity for a login or transaction, so that a stolen password alone is not enough to send mail from an executive’s account. He also recommended buying any domain names that are close to or easily confused with your organization’s. For example, we might buy “aprec0very.com” (a zero in place of the letter o) or “aprrecovery.com” (a doubled letter), just so they aren’t available to scammers.
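Deciding which lookalike domains to register, or to block at the mail gateway, starts with enumerating them. The following is an added example, not code from the post or from Centrify: it generates the usual typo-squat variants of a domain (homoglyph swaps such as o/0, a dropped, doubled or transposed letter, and alternate TLDs) and offers a small helper for checking whether an inbound sender domain is one of them. The homoglyph table and TLD list are assumptions, a common subset rather than an exhaustive one; `aprecovery.com` is used as the example domain.

```python
"""Enumerate lookalike (typo-squat) variants of a company domain."""

# Visually confusable substitutions (assumption: a small, common subset).
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"],
}
# TLDs worth registering defensively (assumption).
ALT_TLDS = ["com", "co", "net", "org"]


def lookalike_domains(domain: str) -> set[str]:
    """Return candidate lookalikes of `domain`, never including `domain` itself."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()

    # 1. Homoglyph substitution at every position where the key occurs
    #    (multi-character keys such as 'rn' are handled the same way).
    for key, subs in HOMOGLYPHS.items():
        start = label.find(key)
        while start != -1:
            for sub in subs:
                variants.add(label[:start] + sub + label[start + len(key):])
            start = label.find(key, start + 1)

    # 2. One character dropped.
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])

    # 3. One character doubled (the 'aprrecovery' case from the post).
    for i in range(len(label)):
        variants.add(label[:i] + label[i] + label[i:])

    # 4. Two adjacent characters transposed.
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])

    # 5. The real label under a different TLD.
    other_tlds = {f"{label}.{t}" for t in ALT_TLDS if t != tld}

    result = {f"{v}.{tld}" for v in variants if v and v != label} | other_tlds
    result.discard(domain.lower())
    return result


def is_lookalike_of(candidate: str, domain: str) -> bool:
    """True if `candidate` is a generated lookalike of `domain` (exact match is not)."""
    return candidate.lower() in lookalike_domains(domain)


if __name__ == "__main__":
    for name in sorted(lookalike_domains("aprecovery.com")):
        print(name)
```

Registering every variant is rarely practical; the more common use of this list is as a deny-list (or a "warn" rule) at the mail gateway, so that a sender or Reply-To domain within one edit of your own is flagged before anyone in accounting replies to it.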
We caught this attempt before it cost us anything. Others have not been as fortunate. Be sure to check the Reply-To address, set your email security appliance properly, and raise awareness in your team about the nature of this phishing scam, to make sure you aren’t one of the unfortunate ones.
Chris Bower is the Vice President of Business Development for AP Recovery, a firm delivering straightforward audits to enhance accounts payable efficiency with over 23 years of experience in the post audit industry.