Cybercrime is accelerating at an alarming pace, both in terms of numbers and sophistication. One of the most common cyberattacks is through email.
A phishing or scam email typically looks like it is coming from a legitimate source. Cybercriminals can make their email address appear to come from a familiar domain. The email will have one objective in mind — to get you to share private information or money. This can be accomplished by enticing you to simply reply to the email or click on a link — which can infect your computer with a virus. Here are a couple of examples:
1) An email arrives from your IT service saying you need to immediately update your password or your account will be shut down. You just need to click on the link to do so. What should tip you off so you don't fall prey?
• The sender's address might be from a familiar domain, but it is likely not from a familiar address. For example, an email to my firm from IT@rowling.com could appear legit, but we don't have an address like that in our domain.
• The sender has no name or is from someone who wouldn't typically send an email like this.
• The request is out of the ordinary. A password change notice would typically come straight from your computer when you log in, not by email.
• The format of the email is out of the ordinary. Sometimes emails like these will include misspelled words or bad grammar.
• No matter what, you should never be asked to click on a blind link.
2) In my firm, an email was sent by a client requesting a wire transfer. The email had the client's business address and appropriate footer. It also referenced personal information that the client would know. In this case, we called the client for confirmation and discovered it was a scam. What lessons could be learned from this?
• Never transfer money or execute transactions without verbally confirming the identity of the client.
• The request for the wire transfer was to a foreign account. This should automatically ring a warning bell.
• The client's accounts needed to be flagged for possible fraud and the client should consider changing email accounts and passwords.
The bottom line is that every email should be viewed with suspicion. When in doubt, contact the purported sender by phone — and don't click on the link! Advisers can test their employees on this by sending fake phishing emails. Talking about this issue is important; showing employees in practice is critical.