Phishing – Why So Many Victims Of Email Fraud Take The Bait

Phishing, spear phishing and impersonation emails are fraudulently engineered messages designed to deceive a recipient into handing over information or money to a sender they believe to be legitimate.

They differ from typical spam: they are often sent from real (sometimes compromised) mailboxes or look-alike addresses, and they frequently contain no malicious link or attachment at all, so filters that rely on those indicators let them straight through.

Most Frequent Forms of Deception:

  1. HTML trick – the branding and graphics of legitimate companies are replicated to convince you the message is real, e.g. company logos, email footers, branding or electronic signatures.
  2. Personalisation – the attacker has researched you, or a person or organisation you know and trust, and uses those details to sound familiar.

Like most companies, we have received phishing emails ourselves, so we can sympathise when our customers fall victim to them. We have identified a recent spate of phishing emails targeting a range of businesses in very similar ways.

Below we show how this organised criminal activity works, how easily cybercriminals can engineer a convincing phishing email, and how easily their victims are deceived and take the bait.

Email 1

This email was sent by a cybercriminal impersonating the owner of a company. The attacker set the display name of the sending account to the owner's name, so the message convincingly appears to come from the owner even though the underlying address is not theirs.

The victim's Outlook showed the familiar display name prominently and, because the name matched a known contact, associated that contact with the fraudulent address. The unfamiliar address was never noticed, and the receiver was tricked.

What’s suspicious?

  • No subject line.
  • The sender does not address the recipient by name, and the message is sent to a department mailbox rather than to the responsible individual.
  • The message is signed off with the impersonated owner's full name, which the real owner would be unlikely to do in an internal note.
  • No email footer, e-signature or company branding.
  • The impersonator asks a question the real sender would already know the answer to, and builds trust by not asking for anything straight away.
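The warning signs above can be turned into simple header checks that run before a message reaches the accounts team. The following is an added example written for this article, not code from HBP Systems or from any mail product; it parses a few constructed messages and flags a known display name paired with a foreign address, a Reply-To that diverges from From, a missing subject, and a role mailbox as recipient. It goes slightly beyond the email described above by also covering the variant where the From address is spoofed exactly and the reply is diverted elsewhere. The sender directory, domain and role mailboxes are hypothetical.

```python
"""Flag display-name impersonation and related red flags in raw email headers.

Added example, not part of the original article. The directory of known
senders, the company domain and the role mailboxes below are assumptions
made for the demonstration; the sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

# Hypothetical internal directory: lower-cased display name -> real address.
KNOWN_SENDERS = {"jane smith": "jane.smith@example.co.uk"}
# Hypothetical shared mailboxes that attackers target instead of a named person.
ROLE_MAILBOXES = {"accounts@example.co.uk", "payments@example.co.uk"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: bytes) -> list[str]:
    """Parse one raw RFC 5322 message and return a list of finding codes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    known = KNOWN_SENDERS.get(from_name.strip().lower())
    # A familiar name on an unfamiliar address is the classic impersonation.
    if known and from_addr.lower() != known:
        findings.append("display_name_impersonation")

    # If From is spoofed exactly, the attacker still needs replies to reach
    # them, so Reply-To often points at a different domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply_to_mismatch")

    if not str(msg.get("Subject") or "").strip():
        findings.append("no_subject")

    recipients = [a.lower() for _, a in getaddresses([str(msg.get("To", ""))])]
    if any(a in ROLE_MAILBOXES for a in recipients):
        findings.append("role_mailbox_recipient")

    return findings


# Constructed sample messages (not real traffic).
PHISH_LOOKALIKE = b"""From: Jane Smith <jane.smith.director@webmail-lookalike.invalid>
To: accounts@example.co.uk

Are you in the office today?
"""

PHISH_SPOOFED_FROM = b"""From: Jane Smith <jane.smith@example.co.uk>
Reply-To: <js.office@freemail.invalid>
To: accounts@example.co.uk
Subject: Quick question

Are you in the office today?
"""

LEGITIMATE = b"""From: Jane Smith <jane.smith@example.co.uk>
To: Bob Jones <bob.jones@example.co.uk>
Subject: Supplier invoice 4471

Bob, please pay this when you get a chance. Thanks, Jane
"""

if __name__ == "__main__":
    for label, raw in [("lookalike", PHISH_LOOKALIKE),
                       ("spoofed-from", PHISH_SPOOFED_FROM),
                       ("legitimate", LEGITIMATE)]:
        print(label, check_message(raw))
```

None of these checks is proof of fraud on its own; a single finding such as a role-mailbox recipient is routine. The value is in the combination: a known name on an unknown address, or a diverted Reply-To, combined with a request to move money should always trigger a call to the purported sender on a number you already hold.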

Email 2

The accounts employee has replied to the phishing email without realising it comes from an impostor.

In the sign-off they have also given away their first name, which the attacker can now use to make the next message feel personal.

Email 3

Within 10 minutes the impersonator has replied, asking the employee to process payments to accounts the attacker controls.

Emails 4 & 5

In under an hour, thousands of pounds are paid, voluntarily and through the normal payment process, to an unknown cybercriminal.

What If This Happens To You?

It is almost certain that you or your business will be targeted by phishing, and more than once. The sophistication of each attempt will vary.

If you are ever suspicious of an email at work, contact your IT support provider immediately, but do not forward them the email itself; they have their own ways of investigating and taking action. If a payment has already been made, contact your bank as well, as quickly as possible.

Your Data, Your Responsibility

Every business is a target for cybercrime and phishing emails; your size, industry and location are irrelevant.

No product can control the actions of your staff. It is your responsibility, as a company, to provide the necessary security training and to set out safe procedures for sharing information and for making payments, such as verifying any change of bank details or unusual payment request by phone with the person who supposedly asked for it.

How HBP Can Help

Cybercrime and phishing are increasingly sophisticated and genuinely hard to identify, which is why so many people fall victim to them.

HBP Systems has a highly trained, expert cybersecurity team with decades of experience protecting businesses from cybercrime.

The right mix of solutions and training is not straightforward, so speak to us now and arrange a review of your current cybersecurity strategy and infrastructure, and we will help ensure you have robust defences to protect you and your staff.