EARLIER THIS MONTH, Revenue issued a warning to customers to be vigilant about fraudulent emails and text messages.
It came after the agency discovered that cyber-criminals were sending taxpayers electronic communications that purported to come from the tax authority.
These emails sought personal information from recipients in relation to a tax refund and requested their credit and debit card details. The fraudsters asked recipients to send their personal information via email or pop-up windows, something that Revenue never requests.
Impersonation of the Revenue Commissioners was not an isolated incident. In fact, it was just the latest organisation to join a list of well-known corporate names to have their identities used by fraudsters. In what could be viewed as an escalation of their modus operandi, other organisations that cyber-criminals have impersonated in recent times include PayPal, Amazon, Apple and the European Banking Authority.
The dilemma for recipients is that this type of fraud has become more and more sophisticated and convincing. The look, wording and design of fraudulent emails have evolved to such an extent that it is increasingly difficult for recipients to discern fake messages from genuine ones.
While there may have been a feeling in the past that only the very gullible or inexperienced email user was duped by the infamous Nigerian email scams, this contemporary wave of email fraud is part of a highly organised enterprise that is global in scale.
The fallout from and impact of a successful fraudulent email attack can vary in scale, from the leaking of personal and business information to the extraction of significant amounts of money from an individual or organisation.
In that regard, safeguarding against this type of attack has to be of vital importance for any business.
How to spot a fake
The first and most important step in mitigating this risk is to identify a fraudulent email.
While online threats vary and are constantly evolving, the most common one remains phishing. If you feel you have received such an email, hover your mouse over links to ensure that it points to the site it claims to be. For example, when fraudsters impersonated PayPal, they sought to direct users to a site called ‘PayPall’.
Similarly, it is also important to be vigilant of corporate logos and graphics that do not look right, are of low quality and are improperly formatted in emails. While fraudsters are becoming more sophisticated in their approach, it is also worth looking out for grammatical or spelling mistakes.
In other instances, fraudsters may use emails to alert recipients that something is wrong with their computers or computer network – for example to highlight a technical issue or to inform users that they have been infected with malware.
In other instances, fraudulent emails claim that an individual or a company is having issues with their tax affairs.
Irrespective of the approach, the goal is always the same – to trick the recipient into contacting a call centre, where they will speak to a fraudster posing as a Revenue official or support specialist. The bogus call centre staff will try to persuade them into sending payments to rectify the organisation’s tax affairs or as payment for bogus technical support.
It’s vital that business owners and managers understand that the Revenue Commissioners or companies such as Microsoft, Apple, Google and Amazon never directly contact customers to request payment or to access their computers. Equally, you should never accept a request to speak to a recognised organisation that you did not initiate yourself.
If you have any lingering doubts about contact from a company or organisation, you should go to their website, find their details and call them directly to confirm their identity.
Avoid clicking links in emails as in most cases you can manually go to the website of the company in question in your browser, log in, and get the same information that way.
The ‘slow and low’ attack
Email fraud is particularly effective when it appears to recipients that contact is originating from within an organisation. This type of fraudulent activity happens following on from what is termed a ‘slow and low’ attack.
A ‘slow and low’ incursion involves cyber-criminals accessing a company or organisation’s network and taking their time to establish key information, including:
- What members of staff have responsibility for financial matters
- Who is on the senior management team
- If the financial staff and senior managers are in regular contact
Armed with this information, fraudsters then impersonate a senior manager in the company and email the finance team to request an online payment or wire transfer to a bank account.
Due to their seniority, the recipients in the finance team will feel under pressure to transfer funds without question. This means that the company will have paid the attacker directly.
The key to defeating this form of fraud is to never send a payment or to make a transfer without independently confirming that the request is valid. If the request email appears to have come from someone in your firm, a quick phone call can confirm if it is real or not.
Never relent to the fraudster telling you that the matter is so urgent that it cannot wait for confirmation – and never believe that taking the time to confirm a company or colleague’s identity will not be appreciated.
Jessvin Thomas is chief technology officer and president of SkOUT Secure Intelligence.