How Cybercriminals Target Canadian Companies
Knowing how to spot scams is a must for protecting your business. Unfortunately, wire fraud and other types of phishing scams are becoming more common and more difficult to spot than ever.
At 365 Technologies, we prioritize helping Canadians avoid email scams by learning how to identify them before they occur. Here is an overview of what wire fraud and phishing scams are, how they work, and steps your business can take to prevent them.
What Is Wire Fraud?
Wire fraud consists of convincing a target to transfer money to an unauthorized individual. This type of scam typically occurs through email spoofing, in which the scammer pretends to be a legitimate individual or company in an attempt to fool the target into sending money to someone other than the intended recipient. Many wire fraud scams originate in a country other than the target’s country and eventually end in the target’s money being sent outside Canada.
Business Email Compromise Scam Process
Although a target may not even realize an email spoofing scam is taking place until it is complete, the entire wire fraud scam process is actually quite complex. The process is typically broken down into four distinct steps. It begins with deciding what company, and which individual within the company, to target, and it ends with receiving the funds and sending them to another account that will be very difficult for the target to trace.
Identify Target
Most cyberattacks are not random. Cybercriminals tend to do careful research to identify companies that are likely to have the funds to fulfill their requests before launching an attack, as well as to determine how to best convince the target that they are legitimate. This research can involve searching through the target’s website, LinkedIn page, and other business social media accounts to determine how to set up the phishing email to appear as though it came from a trusted source, such as an administrator, colleague, or someone within the organization or from a partner organization that the target trusts.
Email Spoofing/Phishing and Social Engineering
The cybercriminal can then draft an email that looks legitimate by studying real emails from that sender and creating a fake email address that is extremely similar to that of the real sender. This email address, which may differ from the real sender’s by only one letter or punctuation mark, can be extremely easy to miss if a target does not know what to look for. Cybercriminals may also register a completely fake email address under the same name as a real person from your business, which means that your inbox will only show what appears to be a legitimate sender’s name.
The target will need to look more closely after opening the email to see whether the sender’s email address is legitimate, as this information cannot be seen from the inbox. Although many email platforms allow you to set up a filter to detect forged emails, these spoofed emails will likely not be caught, because the sender’s name matches that of a legitimate person in your contact list.
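The check that catches both tricks described above, as an added example (not code from 365 Technologies): it compares each From header against a directory of known contacts and labels near-miss addresses and familiar names on unfamiliar addresses. The contact names, addresses, sample headers and the distance threshold of 2 are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed contact directory (assumption): display name -> genuine address.
TRUSTED = {
    "Dana Whitfield": "dana.whitfield@example-corp.ca",
    "Accounts Payable": "ap@partner-example.com",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Label a From header against the trusted directory."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    name = " ".join(name.split()).casefold()
    known = {a.lower() for a in TRUSTED.values()}
    if addr in known:
        return "trusted"
    # One or two characters away from a real address: the near-miss trick.
    if any(edit_distance(addr, real) <= max_distance for real in known):
        return "lookalike-address"
    # Familiar name on an unrelated address: the inbox list shows only the name.
    if any(name == n.casefold() for n in TRUSTED):
        return "display-name-impersonation"
    return "unknown"

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"Dana Whitfield" <dana.whitfield@example-corp.ca>',
    '"Dana Whitfield" <dana.whitfield@examp1e-corp.ca>',
    '"Dana Whitfield" <dana.whitfield@exarnple-corp.ca>',
    "Dana Whitfield <dwhitfield.office@freemail.example>",
    "Newsletter <news@vendor.example>",
]

def scan(headers):
    """Return (header, verdict) pairs for a batch of From headers."""
    return [(h, classify_sender(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLES):
        print(f"{verdict:28} {header}")
```

A "trusted" verdict only means the address string matches a known contact; it does not show that the header itself is authentic, which is what SPF, DKIM and DMARC results are for.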
This spoofed email will disguise the sender’s true intention until the target has already made a mistake and it is likely too late to do anything about it. These phishing emails typically contain links that look legitimate but are used to obtain login credentials or other sensitive personal or company information or to install malware on company devices.
Target Takes the Bait
Most cybercriminals take the time to ensure that the phishing emails they send look legitimate enough that the target will not realize they are not real until it is too late. By disguising themselves as a legitimate person within the company, financial institution, insurance company, or similar sender, the cybercriminal is able to convince the target to enter confidential information, which will be used to allow unauthorized access to the target’s money. Although some phishing scams simply consist of the cybercriminal accessing the target’s bank account to take the money directly, the target can also be persuaded to send money to what appears to be a legitimate source.
The cybercriminal can make what looks like a legitimate request for money and will often even send a spoofed confirmation email letting the target know that the funds have been received by the sender. He or she may also include a fake phone number within the email that can be used to provide further fake information if the target calls to ask questions. By covering these bases, the cybercriminal creates a full process that looks real and has a better chance of successfully baiting the target into falling for the phishing scam.
Funds Are Transferred Into Cybercriminal’s Account
Once the cybercriminal gains access to the target’s funds, he or she typically sends the money to another account immediately. This account is often outside the country, which makes it very difficult to trace or get funds back even if the scam is realized and reported quickly. For this reason, it is far more important to take proactive steps to learn to identify potential phishing scams and other types of email fraud than to attempt to do damage control after a successful scam.
Protecting Your Business from Phishing Scams
Because recovering your money following a phishing scam is extremely difficult, knowing what to look for to prevent scams from happening in the first place is a must. Most phishing scams tend to follow a couple of set patterns that make them relatively easy to recognize for targets who know the signs to look for, although many scammers are becoming more sophisticated and better at covering their tracks.
While modern phishing scammers are getting better at impersonating legitimate senders, their emails still tend to contain spelling mistakes, multiple typos, unusual word choice or grammar, or other errors that a legitimate sender would be unlikely to make. These emails may also create a sense of urgency that is designed to manipulate the target into complying without thinking, such as claiming that an account will be deleted if the target does not respond immediately.
Legitimate senders generally will not require an immediate response or make multiple typos. By pausing, taking a closer look at emails that contain these signs, and getting in touch with the real company or person to find out if they actually sent the email before responding, you can prevent the majority of email spoofing scams from occurring in the first place.
At 365 Technologies, we prioritize protecting companies in Winnipeg and surrounding areas from phishing and other types of email scams. Contact us today to learn more about how various types of online scams work and how to protect yourself and your business!