Email Scams Have Evolved. Follow a Cybersecurity Checklist To Stay Ahead

Email scams - they're no longer as obvious as you think they are.
1 August 2022

Phishing is one of the most popular – and costly – email scams.

When we hear of companies being attacked by hackers, their digital assets held for ransom, and the ransoms being increasingly astronomical, we tend to think of some high-level hacking outfit, with incredibly sophisticated entry points into commercial systems, pulling off a despicable cyber-heist by being very clever. Sadly, the truth is a lot more prosaic than that. Data from Google Safe Browsing shows that there are now 75 times as many phishing sites as there are malware sites on the internet – meaning the vast majority of cybercriminals rely on simple email scams to gain access.

But surely, in the 21st century, we’re all too familiar with phishing scams? Surely we know not to click links from suspicious addresses? To look for uncharacteristic language in the body of our emails? To ignore potential princes with currency deals and those desperate-sounding pleas from colleagues who were robbed on holiday and need you to click to wire them emergency funds?

There’s just one problem with that: we’re human beings.

The Human Factor

Human beings are the weak link in many systems, and they obey fairly straightforward psychological rules. Hackers and scammers are getting wise to that, to the point where modern email scams are even fooling cybersecurity experts.

In 2022, when cybersecurity is a known quantity, and phishing scams are comparatively ancient, Google Safe Browsing reports that 20% of employees will click on an email link in a convincingly worded email – and that of that 20%, more than two-thirds will go on to enter their financial or security details on a phishing page. This just in: phishing hasn’t been conquered. It hasn’t gone away. In fact, it’s costing businesses $20 billion every single year.

The standard email scam has significantly evolved from those Nigerian Prince days, though. These days, scammers will do at least a little research ahead of targeting staff. They’ll scour recent LinkedIn activity, they’ll note the hierarchy of a company, and they’ll target their email scam with far greater precision than in the old scattershot days. It’s not that we as humans have grown stupider with regard to email scams – it’s that the enemy has grown smarter. They know that most people will defer to an already established role hierarchy.

So instead of “Wire me money to get my passport re-issued,” they’ll word their email scam in a more business-oriented tone. “Can you get Carole to send me the weekly sales statistics report to legitimate@email.com” is far more likely to get compliance from people below the supposed sender in the hierarchy, because the context and the hierarchy lull us into a compliant mindset – and make us all the more likely to click on the embedded link. That’s all many email scammers need as a way into the company’s system.

They’re also able to use easily built chatbots where necessary, and more modern technologies like VPNs to anonymize their IP addresses.

Mitigation Pathways

So, how can companies – and staff – fight back against email scams in their new, 21st century form?

Rule 1: Take A Breath And Think Calmly

Before clicking to open emails, take a breath and think. Does the header look right? Does the sender’s email address match what you know it should be? If you’re in any doubt, don’t even click to open it – send the sender an email of your own, to the address you know, to say you’ve had a mail from them that looks a little suspicious.

Assuming you’ve opened the email, and you’re suspicious of anything about it, do not engage with the sender via the email itself – do that, and you’ve let the scammers know your email address is in use. All they have to do then is convince you, through ongoing dialog, potentially through a chatbot, to click any kind of link.

Don’t allow yourself to be immediately overwhelmed by hierarchies, requests for access (from the likes of IT), or demands for action with sudden, unanticipated deadlines – these are all techniques used by email scammers to jolt staff into a state of obedience, and they work precisely because each of them can also be entirely legitimate. Stay calm, and check legitimacy by sending separate emails of your own, rather than replying to the email you’ve been sent.
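The checks in Rule 1 (does the header look right, does the sender’s address match the person it claims to be, is there an embedded link, is there artificial urgency) can be automated so that suspicious mail is flagged before anyone has to rely on a calm head. The script below is an added example, not code from the original article: it uses only the Python standard library, and the known-contact list, the corporate domain (example-corp.com) and the two sample messages are constructed for illustration. The lookalike-domain test is deliberately crude (one substituted character, or the company name reused inside another domain) and generalises slightly beyond the article’s single “Carole” lure.

```python
import email
import re
from email.utils import parseaddr

# Hypothetical allow-list of people who genuinely send requests: address -> display name.
KNOWN_CONTACTS = {"alex.morgan@example-corp.com": "Alex Morgan"}
COMPANY_DOMAIN = "example-corp.com"  # assumed corporate domain
URGENCY_TERMS = ("urgent", "immediately", "deadline", "asap", "before 5pm")

# Constructed sample in the style of the article's "get Carole to send the report" lure.
SUSPICIOUS_MESSAGE = """\
From: "Alex Morgan (CEO)" <alex.morgan@examp1e-corp.com>
Reply-To: alex.morgan.ceo@mail-example.net
Return-Path: <bounce@mail-example.net>
To: carole@example-corp.com
Subject: Urgent: weekly sales report before 5pm
Date: Mon, 01 Aug 2022 09:12:00 +0000

Hi Carole, can you send me the weekly sales statistics report today?
Upload it here: https://example-corp.sales-report.net/upload
"""

# Constructed sample of a message that should pass every check.
LEGITIMATE_MESSAGE = """\
From: "Alex Morgan" <alex.morgan@example-corp.com>
To: carole@example-corp.com
Subject: Weekly sales report
Date: Mon, 01 Aug 2022 09:12:00 +0000

Hi Carole, the report is on https://intranet.example-corp.com/reports when you have a moment.
"""


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_alike(domain, reference):
    """Crude lookalike test: one substituted character (examp1e vs example), or the
    company name reused inside a different domain (example-corp.sales-report.net)."""
    if domain == reference:
        return False
    if len(domain) == len(reference) and sum(a != b for a, b in zip(domain, reference)) == 1:
        return True
    return reference.split(".")[0] in domain


def check_message(raw):
    """Run the Rule 1 checks over one raw RFC 5322 message and return a list of findings."""
    msg = email.message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = domain_of(from_addr)

    # Does the sender's address correspond to the person the display name claims to be?
    for known_addr, known_name in KNOWN_CONTACTS.items():
        if known_name.lower() in display_name.lower() and from_addr != known_addr:
            findings.append(f"display name '{display_name}' matches a known contact but address is {from_addr}")

    # Does the header look right? A lookalike sender domain is the classic tell.
    if looks_alike(from_domain, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_domain} resembles {COMPANY_DOMAIN}")

    # Replies routed to a different domain than the visible From address.
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_domain:
            findings.append(f"{header} domain {domain_of(other)} differs from From domain {from_domain}")

    # Embedded links that lead outside the company domain (single-part text body assumed).
    body = msg.get_payload()
    for url in re.findall(r"https?://[^\s<>]+", body):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            findings.append(f"link host {host} is outside {COMPANY_DOMAIN}")

    # Sudden, unanticipated deadlines: the pressure technique the article describes.
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency language in subject or body")

    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, check_message(raw) or ["no findings"])
```

Run as-is, the suspicious sample produces six findings (spoofed display name, lookalike domain, two mismatched reply headers, an external link and urgency wording) while the legitimate one produces none. In a real deployment the known-contact list and domain would come from the directory, and the findings would feed a mail gateway or a warning banner rather than a print statement; the point is that every check mirrors a question a human is told to ask in Rule 1.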

Rule 2: Install Email Server Security

It sounds obvious, but you cannot spend too much on email server security, because email scams can cost so much when they ransack a company’s systems. Choose your email server security wisely, looking for modern spam filters, strict firewalls, and thorough antivirus protocols. Adding server-side web filters to the mix can also help: they sit between the click on a link and the phishing site, and stop employees from unwittingly reaching the sites that strip details from them and use those details to access the company’s systems.

Rule 3: Keep Your Email Security Updated

Ideally, companies will keep all their systems updated. This is crucial because a lot of email scams rely on this not happening. The more up to date the company’s systems, the stronger and more effective its protection against email scams is likely to be.

Rule 4: Play Hardball on Password Protocols

Make sure your corporate password policy is as strict as possible, to make email hacks as difficult as possible. Use password managers where possible, but make sure passwords themselves are unintelligible, meaningless, and sufficiently complex to defeat most scammers. Under no circumstances allow your staff to use their pet’s name or anything similar as their password – remember, scammers will scour social media to get these details, just in case you’ve fallen down on your password game.

Rule 5: Enforce Remote Rules

During the pandemic, and ever since, remote working has taken the business world by storm. But that means you have access points to your company’s systems out there in the wild. Requiring encryption and connecting remote workers to your system via a VPN are strong measures to make sure staff are not accidentally accessing phishing sites and carrying the consequences back into your system. Again, server-side web filters can be helpful for remote workers in combination with these measures.

Rule 6: Double-Down on Authentication

Multi-factor authentication is a way to ensure that even if a single point of entry via email is compromised, the scammers can’t simply walk straight into your systems without knowing the additional data that provides the backup authentication. Many companies these days are using random code generators to add to the complexity of that access pathway, and while it might at first seem like overkill, it’s probably worth remembering that $20 billion, and working out how much of it you want to pay. On the whole, multi-factor authentication isn’t that much of a hassle, right?
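The “random code generators” mentioned in Rule 6 are not random at all: the standard ones derive a short code from a shared secret and the current time, so a code is only valid for a 30-second window and a password captured by a phishing page is useless on its own afterwards. The implementation below is an added example, not code from the original article; it follows RFC 4226 (HOTP) and RFC 6238 (TOTP) with HMAC-SHA1, and the shared secret and timestamps are the published test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the big-endian counter,
    dynamically truncated to 31 bits and reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP where the counter is the time-step number."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or `window` steps either side
    (clock drift), comparing in constant time. Codes older than that window are rejected."""
    current = int(at_time // step)
    matches = [hmac.compare_digest(hotp(secret, current + delta, digits), submitted)
               for delta in range(-window, window + 1)]
    return any(matches)


def new_shared_secret(length: int = 20) -> str:
    """Enrolment helper: a fresh secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(length)).decode("ascii")


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (20 ASCII bytes), used here as a constructed demo secret.
    demo_secret = b"12345678901234567890"
    captured_at = 59          # moment a phishing page might capture password + code
    print("code at t=59:", totp(demo_secret, captured_at))
    print("accepted at t=59:", verify_totp(demo_secret, totp(demo_secret, captured_at), captured_at))
    print("accepted 90s later:", verify_totp(demo_secret, totp(demo_secret, captured_at), captured_at + 90))
    print("new enrolment secret:", new_shared_secret())
```

The last two prints show the property that matters for this article: the same code is accepted within its window and rejected ninety seconds later. The caveat a practitioner should keep in mind is that this only defeats a scammer who replays stolen details later; a phishing page that relays a live code to the real login within the window still gets through, which is why phishing-resistant factors such as FIDO2 security keys are preferred for high-value accounts.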

Take No Prisoners

The evolved email scam is in some ways a thing of criminal beauty – simple, psychological, effective, and costly. Businesses that want to survive the 2020s have little option but to do everything they possibly can to fight against it. With social media presence and interaction becoming a business must-have in the 21st century, there’s little that can be done to stop determined scammers creating a targeted spear phishing (aiming at specific individuals in a company) or even whaling (aiming at particular high-level staff or managers) email scam attack.

Double or triple down on the difficulty they need to overcome by installing and updating the most effective email security and web filters you can afford, using VPNs for remote staff, being strict on password protocols, and, where it’s possible, deploying multi-factor authentication before potentially compromised staff can access your systems.