As we pulled the curtain on 2020, we counted our losses from events that none had foreseen: rising global geopolitical tensions, and a global health emergency in COVID-19 the likes of which we had never experienced. It forced workforces across the globe to shift to hybrid or remote working, and that shift is reflected in the IC3 2020 report summarising the impact of cybercrime on U.S. citizens, which cites “a record number of complaints from the American public in 2020: 791,790, with reported losses exceeding $4.1 billion.” The report goes on: “This represents a 69% increase in total complaints from 2019. Business E-mail Compromise (BEC) schemes continued to be the costliest: 19,369 complaints with an adjusted loss of approximately $1.8 billion. Phishing scams were also prominent: 241,342 complaints, with adjusted losses of over $54 million. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020.”
Few predicted then that 2021 could be worse. In April 2021, when the U.S. Dept. of Justice declared 2020 the ‘Worst Year Ever for Ransomware’ and appointed a new taskforce to tackle the problem, it couldn’t have known, despite its warnings, that month after month would bring even more damaging attacks. That is exactly what happened, with the Colonial Pipeline attack, followed by JBS Meats and then Kaseya. Every month since, we have seen a major new ransomware incident, often impacting businesses across the globe, and each one heralded as amongst the worst and most damaging incidents we have seen.
The lesson is simple. Cyberattacks are escalating and no one is immune. Most incidents begin with a simple email, with an unsuspecting employee revealing credentials or clicking a malicious link. Many times, they won’t even be aware of the mistake. Once cybercriminals are inside, they have little incentive to reveal their presence.
To help raise awareness within your team, we’ve highlighted five common types of email scams that MailGuard intercepts every day. They can be phishing attacks, spear phishing or business email compromise (BEC), supply chain compromises, or ransomware, or in fact they may be a combination of all of the above. What they have in common is that they’re designed to imitate a brand or service that the user trusts. Cybercriminals can procure malicious code, like ransomware-as-a-service (RaaS) kits, on the dark web. Then, they tailor attacks to mimic major brands and institutions by using the web assets, logos and language from the websites belonging to those businesses, in the hope that users won’t spot the difference when they finally stumble upon a phony page.
1. Invoice Scams
One of the most common scams we see claims to deliver an overdue invoice. Scams often mimic the most mundane and routine tasks, like processing an invoice, hoping that the recipient will click through without much forethought.
The scams take many forms: a link that asks the user to sign in, as with a Dropbox download, thereby capturing credentials; an attached file that may in fact be a malicious download such as ransomware; or simply a link to a phony page. Others attempt to imitate a cloud accounting service like Xero or MYOB.
Some of the most treacherous invoice and payment scams involve cybercriminals re-submitting legitimate invoices with the account information changed, so that the funds for a legitimate and approved invoice are directed into a foreign account, or contacting an accounts payable team and attempting to change the account details via email or phone. For this reason, for any change in account details, it is best to call the business on a number you already hold to confirm the legitimacy of the request.
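The accounts-payable check described above, written as an added example (not MailGuard's code): an incoming invoice's payment details are compared with the vendor master record, and any change places the payment on hold with a callback to the number already on file, never the one printed on the invoice. The vendor record, invoice and phone numbers are constructed sample data.

```python
# Added example: flag supplier payment-detail changes for out-of-band verification.
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """Bank and contact details held on file in the vendor master (constructed)."""
    name: str
    bsb: str
    account: str
    phone: str  # number verified when the vendor was onboarded


@dataclass(frozen=True)
class InvoicePayment:
    """Payment details as printed on an incoming invoice (constructed)."""
    vendor: str
    bsb: str
    account: str
    contact_phone: str


def normalise(value: str) -> str:
    """Strip spaces and dashes so '062-000' and '062 000' compare equal."""
    return "".join(ch for ch in value if ch.isalnum())


def check_payment_details(invoice: InvoicePayment, on_file: VendorRecord) -> dict:
    """Return 'pay' when the invoice matches the vendor master, otherwise 'hold'
    with the reasons and the callback number. The callback number always comes
    from the vendor master: a fraudulent re-submitted invoice will carry the
    attacker's own contact details, so the invoice can never verify itself."""
    reasons = []
    if (normalise(invoice.bsb) != normalise(on_file.bsb)
            or normalise(invoice.account) != normalise(on_file.account)):
        reasons.append("bank details differ from vendor master")
    if normalise(invoice.contact_phone) != normalise(on_file.phone):
        reasons.append("contact phone on invoice differs from number on file")
    if not reasons:
        return {"action": "pay", "reasons": [], "callback": None}
    return {"action": "hold", "reasons": reasons, "callback": on_file.phone}


# Constructed sample: a genuine invoice re-submitted with altered bank details
VENDOR_ON_FILE = VendorRecord("Acme Supplies", "062-000", "12345678", "03 9000 0000")
RESUBMITTED = InvoicePayment("Acme Supplies", "062-000", "87654321", "0400 000 000")

if __name__ == "__main__":
    print(check_payment_details(RESUBMITTED, VENDOR_ON_FILE))
```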
2. Banking Scams
Like invoice scams, banking scams are commonplace, trying to trick users into revealing sensitive account credentials. Cybercriminals understand the value of these credentials, so they put a great deal of effort into tricking users into believing that the fake websites and emails are real. Not only do those services provide a gateway to valuable data and money, but they are also used by millions of customers daily, so the scammers only need to trick a small percentage of users and their ruse will drag in large sums of cash.
For example, in Australia four ‘big banks’ cater to the majority of the population, so scammers know they have roughly a 1 in 4 chance of reaching a legitimate customer. Recent examples include National Australia Bank (NAB), Commonwealth Bank (CBA) and Australia and New Zealand Banking Group (ANZ).
3. Bill Scams
The mundane and the everyday are a common trait of scams, so it should come as no surprise that cybercriminals also love to impersonate routine bills from telcos and utilities.
We all pay hundreds if not thousands on a routine basis to keep the lights on, for heating and cooling, or to stay in touch with family and friends. These are essential services that we can’t live without. Yet few of us spend more than the bare minimum amount of time reviewing our bills. That’s where cybercriminals step in, and their copies can be extremely convincing, like these forgeries of Energy Australia and Origin Energy bills, or this Telstra bill.
4. Parcel Impersonators
A little while back we dedicated a post to parcel impersonators. Where would we be without courier companies and home deliveries? Once a luxury, in this new age of remote work and living in isolation we can’t survive without home shopping and our parcel delivery pals.
5. Account Access Scams
With our now ubiquitous, new ways of working remotely, where would we be without cloud services? For that matter, the same applies to our social calendars, full of Xbox marathons and Netflix binges.
So, the final category of common scams is these very same cloud services. Online work and collaboration services like OneDrive and Outlook, or Dropbox for sharing files with colleagues, are key targets for cybercriminals to impersonate. And in our downtime we are perhaps even more vulnerable to an errant click, with scammers spoofing Netflix and other cloud-based vendors.
Keeping businesses protected
Share these examples with customers and their teams as a reminder of some of the commonplace scams that can bring a business undone. Education is vital, with employees the front line in a multi-layered defence against cybercrime.
Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their company’s cyber resilience levels to avoid threats landing in inboxes in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.
No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email solution like MailGuard.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be an open dialogue. Reach out to us and tell us how we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.
Australian partners, please call us on 1300 30 65 10
US partners call 1888 848 282 2
UK partners call 0 800 404 8993