Running from 12-16 August, the ACCC’s annual Scams Awareness Week aims to minimise the impact of scams on the community by raising awareness and promoting education about ways to detect and avoid scams.
The week provides an opportunity for Australian government agencies, businesses and community groups to work together to raise public awareness to reduce the impact of scams.
In this spirit of collaboration, we asked the leaders of MailGuard and XCentral for their advice about the dangers of falling for an email scam, how to look out for one and what businesses can do to protect themselves.
Our guests are Craig McDonald, CEO, MailGuard, and Angus Mansfield, Managing Director, XCentral.
Why is it critical today for professionals to be cyber-savvy and security conscious, to prevent being victims of an email scam?
Angus: “Email scams continue to be a big problem for businesses of all sizes. Our teams are constantly sending and receiving emails, it’s a huge part everyday work, so it’s a powerful tool for criminals who want to slip under the radar to attack a company. To give you an idea of the scale of the problem, it’s been reported that fraudsters have already walked away with over $58,121,800 million from scams in Australia this year. That’s from the 86,872 cases that were reported to the Australian Competition & Consumer Commission, and because underreporting is so prevalent, the actual figure is probably much higher.
It’s key to be cyber-savvy today, and know how to identify a scam email from the real thing because if a cybercriminal can get you or any of your colleagues to click on a link or open an attachment in a malicious email, they can quickly get access to the company’s data, including financial transactions, passwords and file storage systems. This makes it easier for them to commit financial fraud, extort money from your company, compromise data or to steal your IP.”
Craig: “We see criminals developing increasingly sophisticated email scams that are often a combination of social engineering, with email spoofing or malware. My team at MailGuard see a rise in multi-staged, well-planned email scams. For example, poor spelling and grammar in email scams is less common, because most scammers are using original logos and content to trick you into clicking their links, or they’re compromising legitimate accounts from cloud services like MailChimp to deliver their threats. Cybercriminals know what people are looking out for, and they’re coming up with increasingly creative ways to avoid being detected. They're doing what all good marketers do, running A/B tests optimize their campaigns to improve click throughs.
These scammers are opportunistic too, tapping into local trends and happenings. For example, as tax time approaches for Australians, email scams will tend to rise as requests for tax submissions and sensitive financial information escalate. Around this time, cybercriminals are more likely to imitate CFOs and finance professionals.”
What type of scams are most prevalent in Australia? Which ones should we be on the lookout for?
Craig: “The most common type of email scam that we see involves spoofing popular, well-established, trusted brands. We call it brandjacking.
Essentially, brandjacking is a kind of fraud; scammers exploit the trademarks of well-known companies to deceive their victims and gain their trust. In a typical brandjacking scam, criminals create email templates that look like messages from big companies like Netflix or Microsoft, or closer to home perhaps Telstra or Commonwealth Bank. They’ll send them out to millions of recipients knowing that most will have a relationship with one of the brands. So when the scam messages show up in inboxes people feel safe opening them, because they look like legitimate emails they get every other day.
Some common brandjacking formats are fake invoice notifications, bill scams or requests for account verification.”
Angus: “Another common type of email scam that we’ve noticed our clients being attacked by is a phishing email scam.
Phishing is a tactic used by criminals to harvest the login credentials of their victims.
A phishing attack typically starts with a brandjacking email, as Craig has described above, which purports to be a notification from a well-known company like a bank or other service provider.
A phishing email will contain some sort of message that induces the recipient to click on a link to a fake login page set up by the criminals behind the fraud.
The login page will look and behave like a real online portal, but its sole purpose is to collect the victim’s username and password so that the criminals can exploit their account.
Some phishing scams involve a second page which will ask for the victim’s credit card details or other detailed data like addresses, phone numbers and bank account credentials.
With this information, scammers can access your accounts, or they might use the information to stage follow-on attacks like BEC scams and CEO fraud attacks.”
Craig: “Oh absolutely, BEC and CEO Fraud, or whaling attacks, are scams that professionals should definitely be wary of.
Whaling attacks typically involve a criminal posing as a C-suite executive in a personalised email demanding urgent action from a subordinate. People tend to think of cybercrime as being high-tech, but CEO fraud uses relatively simple tactics. Unlike ransomware attacks or spyware, CEO fraud doesn’t rely on clever software to be effective; it uses psychological cues and deception to de-fraud victims.
In CEO fraud, instead of hacking code, the scammers hack social networks, relationships and company structures. The cybercriminals who perpetrate this kind of fraud collect information about CEOs and other executives, or hack into their email accounts so they can assume their identity. Once they have enough information to imitate a CEO, the fraudsters will leverage their authority to persuade another person in the company to do their bidding, such as making an unapproved financial transfer.”
What are some red flags users should be on the lookout for with regard to email scams?
Craig: “Firstly, generic greetings, such as ‘dear customer’ is a huge tell-tale sign of an email scam. Legitimate notifications normally address the recipient by name directly. Emails that employ bad grammar, misuse punctuation and include poor-quality or distorted graphics should also alert you of their lack of authenticity.
Besides this, emails with obscure sending addresses should set alarm bells ringing.”
Angus: “Emails that have a sense of urgency , like saying “ensure this invoice is paid by 10am” are also often malicious. They normally include an instruction to click a link to perform an action. I always tell my clients to hover over the links to see where they’re really being directed.”How can you protect your business from these types of email scams?
Angus: “To successfully confront the explosive growth of email-based fraud, we often advocate a ‘defence-in-depth’ approach.
We recommend that businesses start to invest the time to ensure their strategy has a security component. Now is the time to strengthen security defences so that costs over time are reduced. We are working with more and more clients on their security strategy and solutions. Our work encompasses: email account monitoring, threat detection, security assessments, penetration testing of systems, Multi-Factor Authentication, building secure platforms, migrating clients to the cloud, and staff training.
Staff training is not to be under estimated.
The goal is to give team members a functional understanding of how to avoid potential threats. By educating teams about how cybersecurity works, a company significantly improves their frontline resilience. Every person in a company doesn’t have to be an IT expert, but everyone should have a basic understanding of the threats like malicious emails that they are likely to encounter on a daily basis. There are several means of providing this information to your team. I’m thinking about workshops, meetings, guest speakers, running cross-functional teams, and offering plenty of resources on your intranet, like weekly cybersecurity updates. You can refer to external resources as well. MailGuard’s blog,for example, is regularly updated with the latest email threats that are popping up, along with thought leadership articles on the current cyber landscape and how to navigate it.”
Craig: “Building on those points from Angus, I encourage adopting a strategic, multi-layered approach, so companies fortify their defences by layering their email security solutions. For many businesses, their main line of defence against spam is an on-premise antivirus solution. While this static, one-dimensional defence does offer protection, it also requires constant updates to remain effective against evolving cyber threats. Between updates, this single layer is vulnerable to brand-new threats, like the zero-day or fast-break malware attacks that we talked about earlier.
To truly shut out these threats, best practice is to combine an on-premise antivirus solution and cloud-based email security solution from different security vendors. Using the same vendor for both would likely leave your business vulnerable to unknown viruses.
For example, while most firms will have native security from their email hosting provider, like Google or Microsoft, since we know that 9 out of ten attacks start with an email, it’s also prudent to employ an additional layer of cloud email security with a solution like MailGuard that is a specialist at stopping advanced, zero-day threats. Not even Google or Microsoft would claim that they can stop every threat, so just like with our home security, we should be adding another layer to protect against advanced email-borne threats.
It is also important to engage with IT providers who have a track record of security solutions. Businesses should be using multi-factor authentication, limiting access to systems including for regular account maintenance, firewalls, website blocking, and encryption of critical data.”
If you’d like to chat more about choosing the right email security solution for your clients, then don’t hesitate to get in touch. Our partner program offers a range of benefits that can help both with your business as well as your clients’.
Talk to us
MailGuard's partner blog is a forum to share information and we want it to be a dialogue. Reach out to us and tell us what your customers need so we can serve you better. You can connect with us on social media or call us and speak to one of our consultants.