Business Email Scams: How to identify and prevent them

Business email scams are common and dangerous. Learn the types of scams and how Fastmail’s business solutions prevent them.

If you run a company and have an email address, you could be targeted by people trying to scam your business. Losing money to scam operators is on the rise, particularly since the onset of the pandemic when regular operations were significantly disrupted.

Risks of a Compromised Business Email

A business email scam is where someone impersonates one of your suppliers, or one of your staff members, to get money. The scams vary in sophistication from simple traps to schemes involving specific information about your business.

Fastmail’s automated defenses help prevent spam and scams, but it’s best to arm yourself with knowledge so you can spot anything that slips through the cracks. In this post, we’ll cover different kinds of scams, discuss how you can stop them, and present actionable steps you can take to ensure you’re protected.

Common types of Email Scams

Phishing

What is phishing? A phishing scam is where someone tries to get your login details.

What phishing looks like:

• You’ll get what appears to be an urgent email from someone impersonating a particular service like a bank or your email provider saying your account has been locked or that you need to review a high-value transaction.
• The email will link to a login page that looks very similar to the real service, though with a slightly different URL, where you’ll be prompted to enter your username and password. This information will be sent to the hacker and you’ll either be diverted to the actual service website or soothed with a message like, “Thank you for taking action!”
• The attacker now knows your login, enabling them to pretend to be you.
• This is also known as clone phishing if the email is nearly an exact copy of that service’s existing emails, making it difficult to spot when you’re looking at the email content alone.

Gift Card Scams

What are gift card scams? Gift card scams are when someone tries to get cash from you using relatively untraceable gift cards to transfer money.

What gift card scams look like:

• You’ll receive an email like one of the following:
• Someone saying they’re trying to organize a presentation for a vendor.
• Someone claiming to be from an institution like a tax office saying you have fines.
• Tech support for a major company requesting to be paid to fix a problem on your computers.
• Someone telling you that you’ve won a prize but to claim it you need to pay shipping fees or some equivalent first.
• You’ll be prompted to enter your card number and PIN. And they’ll often ask for a specific kind of gift card or particular denominations.

Identity Fraud

What is identity fraud? Identify fraud is when someone impersonates someone you know, like a coworker or one of your vendors, in order to receive money.

What identity fraud can look like:

• Someone impersonating a member of the finance team claiming they have an urgent request from the CEO to transfer funds between accounts otherwise a critical service will be cut off. The impersonator will often say they’re not at their desk to attempt to convince someone else to update bank details in the payment system.
• The identity thief pretends to be one of the business vendors and sends an email saying they’ve changed their bank details. Subsequent payments to that vendor will be funneled to the thief until the real vendor asks why they haven’t been paid.

Whaling or CEO Fraud

What is whaling or CEO fraud? This occurs when someone impersonates the CEO or other executive staff in order to gain access to the organization or its finances.

What whaling scams and CEO fraud look like:

• CEO fraud is a sophisticated kind of identity fraud scam where the attacker has done research to impersonate their victim and understand who they’re targeting. It’s called “whaling” because senior staff holds power and access to information and money. They’re the “whales” of the business.
• The attacker pretends to be the CEO and sends an urgent email, typically short to reduce possible detection through a difference in writing style, to someone else in the business.
• The attacker could employ a longer strategy, just asking for more information about vendors or employees so they can gain access to another business. Or, they might be more direct and ask for a financial transfer.

How Common Are Email Scams?

As of December 2021, spam mail accounted for 45% of all email traffic. That’s a lot of spam and scams clogging up our inboxes!

Business Email Compromise (BEC) scams are the costliest type of cybercrime right now, as reported by the FBI’s 2021 report from their Internet Cyber Crime Center. Money lost to cybercrime was reported at 6.9 billion USD in 2021, of which BEC alone accounted for 2.4 billion USD. And these are just the losses that have been reported.

According to Scam Watch, the amount of money lost to scams of all kinds in Australia nearly doubled from 2020 to 2021 and is on track to double again in 2022.

Email scams are clearly proving effective for attackers, so it’s likely they’re here to stay.

Preventing Scams on Your Work Email

Here are some simple steps to be aware of to help you avoid falling for scams.

Good business processes save you

For high-risk activities, such as transferring money or updating banking information, ensure that two people review and approve each activity.

You should also always double-check the requested update directly with the person or organization via another channel that’s harder to impersonate, like a phone call or video chat.

This prevents human error even during normal day-to-day work and doubles the number of people watching out for fraudulent behavior.

Urgency requires extra care

Attackers use urgency to trick you into bypassing the usual protections that businesses put in place to prevent fraud. Following your regular processes, even if it’s urgent, will help you avoid fraud and reduce the number of accidental errors.

Be cautious when clicking email links

If there’s a link prompting you to log in or verify something, don’t use it! Go to the other site’s website directly in your browser and log in using its normal flow.

If the email is legitimate, you’ll likely still be able to log in and take the requested action. If the email is a scam, you’ve saved yourself from handing over your credentials to the bad guys.

If you’re still unsure, contact the customer service team for that website to ask if the email is real.

Gift cards are for gifts

No legitimate organization will ever request payment via gift card. If someone tells you to pay via gift card, you know it’s a scam.

Protect the information you put on social media

Be mindful about what you put online. A skilled attacker will do their research so they can claim they know you or impersonate you more effectively. It’s even easier to scam you If your social media account has recent information about where you’ve been, who you’ve seen, and what you think.

A scammer can pretend they’re the CEO if they can use details that we think of as private. Whether it’s a networking event, or a fun run, or a kid’s graduation, these all help someone pretend to be you.

Offers too good to be true

Whether it’s an unclaimed inheritance, a lotto award, or a prize (for a competition you don’t remember entering), if it’s too good to be true, it’s not real. Even if you just need to pay a small sum upfront to proceed, scammers get rich from these small amounts the more people they scam.

Four Ways Fastmail Can Help Protect Your Business from Email Scams

We’ve covered some standard practices you can implement to protect yourself. Now, let’s look at four ways Fastmail stands out when it comes to avoiding business email scams.

1. Use our web interface or mobile apps. We flag mail we believe is a phishing scam, so you know not to click any of the embedded links.
2. Use a security key or authenticator app to protect your account with 2FA. Even if your login and password are compromised through a successful phishing scam or from sharing your credentials on another site, an attacker still can’t get into your account.
3. Make use of our shared email folders. Multiple sets of eyes can view any requests to finance departments, along with subsequent replies. In the event of a scam, this allows you to take action quickly and increases the likelihood that you’ll get your money back.
4. Use our sidebar on the web. The people tab lets you see other mail from this person and helps identify a CEO impersonator using a lookalike domain. If they’re a scammer, you’ll notice because you won’t have received an email from them before.

Attackers are always developing new strategies to create a successful scam. Fastmail’s deliverability and anti-abuse team works tirelessly to stay current with the latest trends. We attend global email industry conferences multiple times a year to share knowledge, tools, and techniques.

Need increased security for your business email? Try Fastmail for free!