Spammers are increasingly relying on high-targeted messages for financial gain, tricking businesses into either transferring funds or releasing sensitive information on employees. Since the beginning of the year, Cloudmark has seen a dramatic increase in text-only, email impersonation attacks known as Business Email Compromise (BEC).
The volume of BEC prompted the FBI to issue an alert on CEO spoofing spams cautioning businesses to be wary of e-mail only wire-transfer requests and requests involving urgency. According to Cloudmark’s latest Quarterly Threat Report, losses from BEC wire-fraud attacks rose to an average of $104 million per month over the last 15 months.
Another BEC attack that gained traction this year is the W-2 scam, with more than 60 organizations falling prey to attacks targeting their employees’ W-2s. Large and small companies in industries ranging from health care to higher education to technology to manufacturing have been fooled by attackers into leaking their employees’ tax forms, with some attacks exposing the confidential information of tens of thousands of people.
How these attacks typically happen is that a member of the finance or human relations team will receive an email that appears to be from a high-ranking official, usually the CEO or CFO – with a straightforward request such as funds of W-2 data. However, they are really sending the funds or sensitive data to an outside official not connected with their organization. Due to the simplicity in executing these attacks, BEC spoofing attacks are one of the fastest growing forms of cyber fraud.
In this slideshow, Cloudmark has compiled tips for businesses and individuals on how to combat phishing attacks and prevent identity and tax fraud as financial losses.
Best Practices for Detecting and Avoiding Scams
Click through for tips business and individuals can use to combat phishing attacks and avoid scams, as identified by Cloudmark.
Implement Email Threat Intelligence
Implement email threat intelligence to help identify attack employees most at risk.
Threat intelligence about spam and phishing, such as domains and IP addresses associated with attacks, helps to detect and deflect many spearphishing campaigns. It can also help organizations to identify individuals more likely to be targeted by scammers based on their role or the number of threats they experience. Armed with this information, organizations can help raise awareness by providing education and support to users who are most at risk.
Always confirm sensitive information requests.
If an employee receives an email from the CEO or supervisor asking them to send sensitive information like W-2s or to wire funds, they should speak directly with that individual to confirm the request, either in person or by phone. The “human factor” can be surprisingly effective in detecting threats.
Use Context Analysis and Behavior Learning
Use context analysis and behavioral learning to detect unique but anomalous spearphishing emails.
Context analysis and behavioral learning can help identify emails that deviate from normal email paths and typical behaviors for a specific company, or for specific groups within that organization. By observing email traffic for a period of time, an intelligent spearphishing protection solution can create virtual maps of normal email sources and paths for the organization.
Focus on Content
Pay close attention to the content of the email.
Signs such as misspelled words or grammatical errors may be a signal that an email is not legitimate. Another warning sign is if the sender’s email address does not match the email address format of the organization to which they claim to belong.
Notify Appropriate Agencies
Notify the appropriate government agencies if you’ve been victimized.
Tax and identity fraud victims should file a 14039 form with the IRS and request an IP PIN from the government. If an individual’s federal tax form has been fraudulently filed, it’s likely the state return has also been fraudulently filed. Check with your state and report the incident to your state revenue agency. A list of resources in each state is available at http://www.efile.com/tax-return-identity-theft-and-refund-fraud/#how-to-report-tax-fraud-to-states. CEO spoofing victims should also contact the FBI and local law enforcement.
Place a Fraud Alert
Place a fraud alert on your credit file.
Individuals who have been a victim of identity and tax fraud, as well as those preemptively worried about it, can contact one of the three major credit bureaus (TransUnion, Experian, Exquifax) and request that an initial fraud alert be placed on their credit file for free. This ensures that creditors must contact the individual and confirm permission with them before opening any new accounts. Requesting from just one bureau will also place the fraud alert on the individual’s file with the other two bureaus. This alert lasts for 90 days and can be renewed.