The number of security issues and malware risks that your company must contend with continues to grow every year, but one of the most potentially devastating threats that your business faces is surprisingly low-tech in nature. Spoofed emails don’t rely on complex ransomware or sophisticated keystroke loggers. Instead, your company’s bank account and sensitive information are put at risk simply because your employees are trying to do their jobs. Training your team to spot spoofed emails is key to avoiding falling victim to common scams.
Examples of two common types of spoofed email scams played out in recent weeks. The first, an instance of CEO fraud, involved an Internet criminal passing himself off as the head of a small Kansas construction company. The fraudster pretended to be the CEO of Cornejo & Sons and emailed the finance department of Sedgwick County to request $566,000 in payment. Because the county actually owed the construction company money for services rendered, they submitted payment as directed, only to later find out that the payment request hadn’t come from Cornejo & Sons and the construction company never received any funds.
A similar scam aimed at a Wyoming hospital system sought to obtain employees’ W2 forms. In this case, the Internet fraudster posed as an internal executive at Campbell County Health and requested the W2 files for all staff from the hospital group’s finance department. The finance department complied, exposing the hospital’s 1,300 employees to potential tax return fraud.
No longer completely confident that your employees won’t fall victim to one of these common spoofed email scams? Luckily, there are steps that you can take to train your staff to spot a spoofed email. Conducting training sessions to alert your employees to the existence of such scams is an important first step. Putting in place internal practices to verify the legitimacy of any request before responding will also help your employees understand how to deal with any potential scam emails that your business receives.
However, some employees don’t understand the real threat that accompanies spoofed emails until they have actually been the recipient of a fake request. For this reason, some businesses choose to initiate a simulated attack to reveal to their employees firsthand how easy it is to become the victim of a spoofed email. Some services exist that make it easy to carry out a simulated attack. Some of these services, such as PhishMe, allow you to tailor the attack to match the real threat each of your employees is likely to face, such as an email sent to marketing asking them to provide their SharePoint credentials. Experts assert that it is fundamental to follow any simulated attack with further training, as your employees will be particularly receptive to in-depth lessons on avoiding spoofed emails after falling for your staged attack.
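As an added example (not part of the original post), the following Python script applies the kind of verification checks described above to an incoming message before anyone acts on it: it flags a known executive's name on an unexpected address, a look-alike sender domain, a redirected Reply-To, and payment or tax-form requests arriving from outside the company. The company domain, executive list and sample message are constructed placeholders, not values from the cases above.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed placeholders (not from the article): the organisation's own
# domain and the executives whose names a CEO-fraud message is likely to borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
SENSITIVE_TERMS = ("wire", "payment", "invoice", "w-2", "w2", "credentials")

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofing_indicators(raw_message):
    """Return the reasons a message looks like executive impersonation."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    reasons = []
    # 1. A known executive's name on an address that is not theirs
    if name.lower() in EXECUTIVES and addr.lower() != EXECUTIVES[name.lower()]:
        reasons.append(f"display name '{name}' on unexpected address {addr}")
    # 2. A sender domain only one or two characters away from the real one
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"look-alike domain {domain}")
    # 3. Replies silently redirected to a different mailbox
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        reasons.append(f"Reply-To {reply} routes replies away from the sender")
    # 4. Payment, tax-form or credential requests from outside the company
    if domain != INTERNAL_DOMAIN and any(t in text for t in SENSITIVE_TERMS):
        reasons.append("sensitive request from outside the company domain")
    return reasons

# Constructed sample: an outside address borrowing the CEO's name to request a payment.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: accounts@freemail.invalid
Subject: Outstanding invoice - please wire today
Content-Type: text/plain

Please process the attached invoice payment before close of business.
"""
```

Running `spoofing_indicators(SAMPLE)` on the sample returns all four indicators; a message from the executive's real address with no redirected Reply-To returns an empty list.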