
How To Protect Your Business From Scam Email


Scam email is costing businesses millions of pounds every year, and everyone is a potential target. But there are ways to shield yourself from it and keep your business safe.


Although most of us accept spam email as an inevitable part of modern life, the scams that are often perpetrated through them can be extremely costly to the victims. But it’s not just individuals who need to be on the lookout for scam email: businesses are also a target – and, as you might imagine, a potentially lucrative one for scammers. In fact, last year, among the 2.9 million UK businesses that found themselves in the crosshairs of cyber criminals (at a total cost of £29.1 billion), phishing emails were by far the most prevalent.

And no business is immune to scam email. Indeed, the TMB team recently found itself targeted by one of these phishing attempts. We did, of course, already have ways to deal with it (more on that shortly), but it served as a good reminder to be vigilant against these kinds of attack. It also demonstrated a few techniques that criminals use, and which all businesses should be aware of.

Spear Phishing

Image: the scam email we received.

The email in question was sent to the TMB finance team, and read as follows:

“Hi,

“We have still not received full payment from you. If you have any questions regarding this invoice, feel free to give me a phone call at 01384 [rest of number removed]”

This was followed by a long web link (see image), stretching over three lines. Then, at the bottom:

“Kind regards,

Sharon Smith [name changed to protect the innocent]”

A few things were going on here. Firstly, TMB does employ someone called Sharon Smith, and not only was her name at the bottom of the email, it was also in the display name at the top.

Secondly, the actual link sent to us was www.woodmill.in. Extra text in the link was added by a Microsoft feature called ATP safe links, part of Office 365 Advanced Threat Protection. This detects any web links in your emails, and alters them. If you click on one of these altered links, then instead of being taken directly to the website in question, it’s checked by Microsoft, and if anything untoward is going on, you’ll be safeguarded against it.

Microsoft’s Advanced Threat Protection makes sure unsafe links don’t catch you out.

In our case, the link presumably would have taken the finance team to a website where they could pay this apparent invoice. This would either send money to a scammer’s bank account or simply steal the data that was entered – perhaps both.

The fact that a real TMB employee’s name was used in the email is a significant point too. Targeting a company in this kind of specific way is called spear-phishing. Regular phishing emails are more generic attempts to steal information, whereas spear-phishing requires a certain degree of research beforehand – but it’s research that often pays off for criminals.

Display Name Spoofing

Not only was the name at the bottom Sharon Smith, the display name (the name at the top of the email) was as well. This is known as display name spoofing – and it’s been linked with an astounding 91% of phishing emails to corporate inboxes.

It’s not a sophisticated technique at all, and you’ll notice the email address was completely wrong. Instead of showing Sharon’s name or the company’s domain name, it read ‘castillo5family@cox.net’.

Why would criminals use such a flimsy technique to hide their ruse?

One reason is simply because it’s easy. But they’re also relying on their victims being so swamped with emails that they don’t notice the suspicious email address. Also, many people check their email on their smartphones, and some of the most popular email apps on mobile phones only show the display name and not the email address.

Funnily enough, scammers can also spoof the email address itself, if they want to. In our case, it would have read something like sharon.smith@tmb.co.uk, but the message would actually come from an entirely different email address. This is sometimes known as direct spoofing.

Naturally, this is a more effective phishing technique, but it’s not one you’ll actually see that often. Email and software vendors have made great strides in combatting it, using something called SPF (Sender Policy Framework) records. A domain owner publishes a record of the IP addresses (the numeric addresses of its mail servers) that are allowed to send email for that domain, and the receiving server checks the address an email actually came from against that list, to make sure emails are coming from who they say they’re coming from. If the information doesn’t match up, the email never gets delivered to the scammer’s intended target.

But SPF records have proven so effective that many criminals don’t even bother with direct spoofing any more. With simple display name spoofs, they actually have more chance of their phishing emails getting past businesses’ firewalls.
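To make the SPF check concrete, here is a simplified evaluator, added here as an illustration rather than TMB's code or any mail server's. It takes an SPF record as a domain owner would publish it in DNS and the IP address a message actually arrived from; the record and addresses are constructed, and only the ip4/ip6 mechanisms and the all terminator are handled (include, a and mx need DNS lookups and are left out).

```python
import ipaddress

# Constructed SPF record for an example domain (not TMB's real DNS record).
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 -all"

# Qualifier prefixes and the SPF result each one produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record against the IP that delivered the message.

    Only ip4/ip6 mechanisms and the 'all' terminator are handled; real SPF also
    has include/a/mx, which need DNS lookups. Returns one of 'none', 'pass',
    'fail', 'softfail' or 'neutral'.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]  # nothing earlier matched
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                continue  # malformed term; skip rather than crash
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' terminator


def should_deliver(record: str, sender_ip: str) -> bool:
    """Receiver policy as described above: a hard SPF fail is not delivered."""
    return evaluate_spf(record, sender_ip) != "fail"
```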

Fighting Scam Email

How do you protect your business from these fraudulent emails? First and foremost, you need to know how to identify phishing attempts. That way, if anything gets through your spam filters, you’ll still be able to recognise it as spam. In this case, not only did we notice that the email address of the apparent sender was wrong, we also saw the phone number was a fake. The area code was for Dudley – nowhere near any of the TMB offices. Furthermore, the link included a completely unrelated web address: www.woodmill.in.

Of course, as you can see from the screenshot, our Outlook email server also detected the fraudulent display name and inserted a prominent message at the top to warn the user. This is not a feature of Outlook by default, but rather something the TMB engineers set up. What it does, essentially, is run a check when it detects the name of one of our team in the display name. If the sender’s email address doesn’t match the one on record for that person, the email is flagged as spam, and a notification is sent to our security people.
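The check the TMB engineers describe can be written as a short rule, as in this added Python example (not TMB's own configuration). It assumes a staff directory mapping display names to the address on record; the name and addresses are the ones quoted in the article, while the directory, banner wording and action labels are assumptions.

```python
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed staff directory: display name -> address on record. The name and
# address are the ones quoted in the article; the directory itself is constructed.
STAFF_DIRECTORY = {
    "sharon smith": "sharon.smith@tmb.co.uk",
}

# Assumed wording for the banner inserted at the top of a flagged message.
WARNING_BANNER = ("CAUTION: this email uses the name of a TMB colleague "
                  "but was sent from an address that is not theirs.")


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so 'Sharon  SMITH' still matches."""
    return re.sub(r"\s+", " ", text).strip().lower()


def check_display_name(from_header: str) -> dict:
    """Flag a message whose display name is a staff member but whose address is not theirs.

    Returns the matched staff name (if any), whether the message looks spoofed,
    and the action the rule takes: 'deliver' or 'quarantine+notify'.
    """
    raw_name, address = parseaddr(from_header)
    # Decode RFC 2047 encoded words (=?utf-8?q?...?=) so an encoded display
    # name cannot slip past a plain string comparison.
    display_name = normalise(str(make_header(decode_header(raw_name))))
    address = address.strip().lower()
    for staff_name, staff_address in STAFF_DIRECTORY.items():
        if staff_name in display_name:  # a colleague's name was detected
            spoofed = address != staff_address
            return {
                "matched_staff": staff_name,
                "spoofed": spoofed,
                "action": "quarantine+notify" if spoofed else "deliver",
            }
    return {"matched_staff": None, "spoofed": False, "action": "deliver"}


def annotate_body(body: str, verdict: dict) -> str:
    """Prepend the warning banner, as in the screenshot, when the rule fires."""
    return f"{WARNING_BANNER}\n\n{body}" if verdict["spoofed"] else body
```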

Combined with SPF records, cyber security software and team training, we’ve built an effective barrier against phishing emails. No solution is ever going to be 100% perfect, of course, but they can dramatically reduce the risk of businesses falling victim to these scams.

Final Thoughts

Burying your head in the sand is not an option, especially because it’s not just time and money at risk. If cyber criminals manage to get hold of personal information through a scam email, you might also find yourself in breach of the law.

Bearing that in mind, robust email security is not a luxury but an absolute necessity. There might be some short-term costs involved, depending on the current state of your IT solutions, but ultimately the cost of doing nothing could be much greater.
