Cybercriminals are on the hunt for a large payout, and email is big game.
Why email? We tend to forget how much sensitive information we share in our email communications during the course of our busy work days. To the hacker, that information represents opportunity.
Millions of email accounts are hacked every year. The BIG payoffs, though, come when criminals use their unauthorized access to monitor emails – sometimes lurking in accounts for months – searching for ways to redirect money into bank accounts that they control.
According to a recent FBI report, these Business Email Compromise (BEC) schemes led to $1.8 billion in losses in 2020.
Good news – one person can stem the tide of these costly, financially motivated scams. What can you do to protect your organization? Read on to see how common email scams work – and the steps you can take to help save your organization from a devastating financial loss.
Four Ways Criminals Get BIG $$ From Your Email
How exactly do hackers convert emails into cold hard cash? Following are examples of the four main types of fund (or wire) transfer scams that result from a hacker breaking into an email account:
Upcoming Transaction: A couple purchased a new home and received an email from the mortgage company confirming the account number for their upcoming deposit. The couple sent the money, but the mortgage company never received it. It turned out that the email and the account number were fraudulent – sent by a hacker who had been monitoring the ongoing email conversations between the couple and their realtor, lawyer, and mortgage company. Unfortunately, this example is not unusual – the FBI reports that real estate email scams totaled more than $210 million in losses last year.
Payroll Redirects: Criminals redirect an employee’s paycheck so it’s deposited into their own accounts. In one case, a hacker sent a request from an employee’s email account to the HR department requesting to change the employee’s payroll direct deposit to a different (fraudulent) account. The HR department did not have a process in place to verify the change, updated the account information, and sent the funds to the fraudster, not the employee.
Fraudulent Vendor Invoices: In these classic scams, the criminal monitors the email communications, finds a real invoice, deletes it, and sends an email that looks like it is from the trusted source but instead has fraudulent wire instructions. In one case, a finance clerk received an invoice in an email that appeared to be from a known vendor. The invoice was fake and so were the wire instructions. The clerk transferred money to the hacker’s account – not the vendor’s.