How to protect your startup from email scams

Date:

Share post:


Despite years of claims that the “death of email” is fast approaching, the decades-old communication method continues to thrive in business. In particular, the business of hacking.

An email containing a link that looks legitimate but is actually malicious remains one of the most dangerous yet successful tricks in a cybercriminal’s handbook and has led to some of the largest hacks in recent years, including the 2022 breach of communications giant Twilio and last year’s hack of social media platform Reddit. 

While these emails are sometimes easy to spot, be it thanks to bad spelling or an unusual email address, it is becoming increasingly difficult to identify a dodgy email from a legitimate one as hackers’ tactics become increasingly sophisticated.  

Take business email compromise (or BEC), for example, a type of email-borne attack that targets organizations large and small with the aim of stealing money, critical information, or both. In this type of scam, hackers impersonate or compromise someone familiar to the victim, such as a co-worker, boss or business partner, to manipulate them into unknowingly disclosing sensitive information.

The risk this poses to businesses, particularly startups, can’t be overstated. Individuals in the U.S. lost close to $3 billion in BEC scams last year alone, according to the latest data from the FBI. And these attacks are showing no signs of slowing down.

How to spot a business email compromise scam

Look for the warning signs

While cybercriminals have become more advanced in their email-sending tactics, there are some simple red flags that you can — and should — look out for. These include an email sent outside of typical business hours, misspelled names, a mismatch between the sender’s email address and the reply-to address, unusual links and attachments, or an unwarranted sense of urgency. 

Contact the sender directly

The use of spear phishing — where hackers use personalized phishing emails to impersonate high-level executives within a company or outside vendors — means it can be near-impossible to tell whether a message has come from a trusted source. If an email seems unusual — or even if it doesn’t — contact the sender directly to confirm the request, rather than replying via any email or any phone number provided in the email.

Check with your IT folks

Tech support scams are becoming increasingly common. In 2022, Okta customers were targeted by a highly sophisticated scam that saw attackers send employees text messages with links to phishing sites that imitated the look and feel of their employers’ Okta login pages. These login pages looked so much like the real deal that more than 10,000 people submitted their work credentials. Chances are, your IT department isn’t going to contact you via SMS, so if you receive a random text message out of the blue or an unexpected pop-up notification on your device, it’s important to check if it’s legitimate.

Be (even more) wary of phone calls

Cybercriminals have long used email as their weapon of choice. More recently, criminals rely on fraudulent phone calls to hack into organizations. A single phone call reportedly led to last year’s hack of hotel chain MGM Resorts, after hackers successfully deceived the company’s service desk into granting them access to an employee’s account. Always be skeptical of unexpected calls, even if they come from a legitimate-looking contact, and never share confidential information over the phone.  

Multi-factor all the things!

Multi-factor authentication — which typically requires a code, PIN, or fingerprint for logging in along with your regulator username and password — is by no means foolproof. However, by adding an extra layer of security beyond hack-prone passwords, it makes it far more difficult for cybercriminals to access your email accounts. Take one security step even further by rolling out passwordless technology, like hardware security keys and passkeys, which can prevent password and session token theft from info-stealing malware.

Implement stricter payment processes

With any type of cyberattack, a criminal’s ultimate goal is to make money, and the success of BEC scams often hinges on manipulating a single employee into sending a wire transfer. Some financially motivated hackers pretend to be a vendor requesting payment for services performed for the company. To lessen the risk of falling victim to this type of email scam, roll out strict payment processes: Develop a protocol for payment approvals, require that employees confirm money transfers through a second communication medium, and tell your financial team to double-check every bank account detail that changes. 

You can also ignore it

Ultimately, you can minimize the risk of falling for most BEC scams by simply ignoring the attempt and moving on. Not 100% sure that your boss actually wants you to go out and buy $500 worth of gift cards? Ignore it! Getting a call you weren’t expecting? Hang up the phone! But for the sake of your security team and helping your co-workers, don’t stay quiet. Report the attempt to your workplace or IT department so that they can be on higher alert.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

OneRail’s software helps solve the last-mile delivery problem

Last-mile delivery, the very last step of the delivery process, is a common pain point for companies....

Bill to ban social media use by under-16s arrives in Australia’s parliament

Legislation to ban social media for under 16s has been introduced in the Australian parliament. The country’s...

Lighthouse, an analytics provider for the hospitality sector, lights up with $370M at a $1B valuation

Here is yet one more sign of the travel industry’s noticeable boom: a major growth round for...

DOJ: Google must sell Chrome to end monopoly

The United States Department of Justice argued Wednesday that Google should divest its Chrome browser as part...

WhatsApp will finally let you unsubscribe from business marketing spam

WhatsApp Business has grown to over 200 million monthly users over the past few years. That means there...

OneCell Diagnostics bags $16M to help limit cancer reoccurrence using AI

Cancer, one of the most life-threatening diseases, is projected to affect over 35 million people worldwide in...

India’s Arzooo, once valued at $310M, sells in distressed deal

Arzooo, an Indian startup founded by former Flipkart executives that sought to bring “best of e-commerce” to...

OpenAI accidentally deleted potential evidence in NY Times copyright lawsuit

Lawyers for The New York Times and Daily News, which are suing OpenAI for allegedly scraping their...