Email scams have been around for as long as email itself. We’ve all heard about the fortune that a Nigerian price wants to give us, however over the years email scams have evolved to be much more sophisticated. Instead of a poorly written email full of spelling mistakes which screams “scam!”, offenders now use highly sophisticated techniques such as the following common types of email scams:
- Email Phishing Scams
- Virus Email Scams
- Fake Invoice Scams
- Email Spoofing and Information Gathering Email Scams
Phishing scams generally impersonate a trusted person, company or entity and aim to gather valuable information.
As an example, a phishing scam email may impersonate Facebook. The victim receives an email which appears to come from Facebook and may state something along the lines that their Facebook account has been logged in to from an unknown device and the person should immediately change their Facebook password. The email will look very legitimate and will have a button to regain control of your Facebook account. Once the button is clicked, it will look like you are on the Facebook login page, however it is not legitimate and by entering your username and password, you have just sent you details to the scammers. Obviously, it is much worse if the scammers have successfully impersonated your internet banking provider!
Other typical phishing scams may be that your Netflix account has incorrect payment details and you need to update them. Again, by following the prompts you will be sending your payment details to the scammers. Scammers are known to impersonate trusted brands and companies and go to extreme lengths to ensure their designs and emails are as close to the real thing as possible.
Virus Email Scams
Viruses, worms and malicious programs can create havoc for a victim. The scammers will commonly impersonate a trusted source and will likely add an attachment to the email. The attachment may look like a bill or invoice, however it is actually a program waiting to be run on your system. Malicious software is capable of all different types of damage: some may infect your computer or phone with a key logging virus, which watches everything you type into your keyboard. If you log onto your net banking, access a cryptocurrency wallet or email account, then the scammers may be able to see all the information you type!
Other viruses may completely damage your system, deleting files or extracting files. If files within a business are extracted or deleted, this can cause serious problems!
Fake Invoice Email Scam
This is the most common type of email scam that we see, and it is targeted at businesses.
It is not very difficult for scammers to obtain some general information, which reveals to them that one company supplies products to another company. They may gather this information through phishing scams, viruses or hacking of the company’s systems. Once they have this general information, such as upcoming due invoices and the name and email address of the accounts person, this information allows them to launch a sophisticated fake invoice scam.
Generally, the offenders send an email to an individual within a company impersonating a legitimate business contact of the company. For example, if a construction company normally uses another business for part of their services, such as installing blinds and curtains, then the offenders may impersonate the supplier (the blinds and curtains business), tell the construction company that they have changed bank accounts and ask for future invoices to be paid into the company’s new bank account.
Of course, the email wasn’t sent from the real supplier. The supplier has not changed bank account details and has no idea that their invoices are going to now be paid into a bank account controlled by the offenders. Only once the supplier’s invoice is overdue and they start to wonder where their payment is, do they contact the business and follow up on the overdue invoice. At that point, the construction company would likely tell them that, as per their request by email, they have updated the payment details in their system and the invoice has already been paid.
Commonly, scammers have figured out the correct email address and name of the supplier’s actual accounts person. Then they impersonate the accounts person by spoofing an email from their address or by registering a domain which appears to be very similar. For example, if the supplier’s email address is firstname.lastname@example.org, the scammers may registered the domain and email address, email@example.com. The scammers own the new domain, which looks almost identical. The only change is a one-letter difference: an “s” is missing. The construction company is obviously not going to be closely examining the details of every single email address they receive and thus falsely believes they are communicating with their normal supplier.
Scammers will go as far as to mimic the real company’s email signature, put links to the correct website and add in the company’s correct telephone number. The email looks exactly as it usually would, with only one minuscule difference, making it very hard to spot.
Email spoofing and information-gathering email scams
Email spoofing is when a scammer sends an email with an impersonated sending email address. Unlike the example discussed in the fake invoice email scam above, the scammers email appears to be sent from the correct email address. Let’s say firstname.lastname@example.org is a friend of the victim. The scammers are able to send an email to the victim using a forged sending email address which is exactly Bob’s address, email@example.com. The recipient has no idea that the email is not actually from Bob.
The scammer may have chosen a different return path behind the scenes, meaning that when the victim hits ‘reply’, the reply email address used is NOT firstname.lastname@example.org, but an email address controlled by the scammer. The scammer may request personal information, login details or request a payment.
Even information that does not seem very important may actually be more valuable to a scammer than you would think. For example, an information-gathering scam may be used to collect information to then launch a more sophisticated email scam.
Cybertrace has extensive experience in investigating email scams. We have developed unique techniques and tools which assist our team in identifying the scammers.
If you have fallen victim to an email scam, contact us today to discuss how we can help you.