By Kayla Matthews, Freelance Writer, ProductivityBytes.com
Due to the importance of email for people’s personal and work lives, you probably can’t imagine being without it for a day — or even a few hours. Unfortunately, hackers know how today’s society relies so heavily upon this form of communication, and they continually orchestrate vulnerabilities that could make your account dysfunctional or steal valuable data.
Here are six email-specific cybersecurity risks to put on your radar:
- Secret Shopper Email Scams
Secret shopping can be a legitimate way for people to make money on the side. They visit stores in their area and follow simple instructions provided by the company that test store employees. For example, some shoppers have to ask for certain products and see if workers urge them to purchase upgrades.
Usually, secret shopper hopefuls provide their details to companies and wait for assignments. However, there’s an increasingly common email scam that preys on victims with unsolicited messages.
In one case, a college student received a secret shopping “job offer” in her inbox despite not contacting the company first. The business promised to pay her $300 per week if she did what it asked. Then, the student received materials through postal mail that asked her to buy two $500 Walmart gift cards, scratch off the back to reveal the claim codes and take pictures of them. The envelope also contained a check for $1,355.
She was supposed to deposit the check and then buy the gift cards within 24 hours. However, the Better Business Bureau (BBB) warns that this is a version of a scam that started through postal mail and then moved to the email realm. The organization says the checks usually bounce, although sometimes not until weeks later. Then, the victim never gets payment for the gift cards, but the scammer has the codes to use them.
The BBB also says it’s suspicious if any companies overpay the person meant to receive the funds, as in the example above. Moreover, it’s a red flag if a business asks the person to wire money.
- Business Email Compromise (BEC)
A business email compromise (BEC) happens when a cybercriminal hacks an email account and poses as a position of authority. The targets for such attacks are often high-level executives or department managers.
Often, the messages are plain-text and do not have attachments. However, they aim to get sensitive data such as account details, and the sender usually acts as if they need the information for business reasons, such as for accounting purposes.
According to a 2019 report from the Agari Cyber Intelligence Division, BEC attacks increased more than 60% over last year. The research also showed that about one-third of attacks targeting senior executives use display name impersonation, appearing as if the email came from an individual the recipient knows.
However, even when a BEC scam includes some familiar components — such as the name of an individual or company — they still have other warning signs, like non-company email domain names.
- Generic Phishing Attempts
Some scammers send generalized scam emails meant to address a broad audience. They usually have some branded components, such as a graphic header, but may include typos or grammar errors. It’s also common for generic phishing attempts to capitalize on urgency. Lottery scammers frequently use misleading tactics when they insist a person needs to confirm their details quickly to claim prizes.
Since these phishing emails want to address as many people as possible, they typically don’t include recipient names. Instead, the greeting may say something like “Dear valued customer.”
In other cases, people get phishing emails that say they’re locked out of their accounts unless they provide information within a certain amount of time. One thing you can do after receiving suspicious emails is to contact the company directly through a method other than email to verify the authenticity.
Ransomware is a kind of malware that allows the hacker to gain access to your email and shut you out of it unless you pay a specific amount. It’s common for ransomware to be installed on your machine after downloading an emailed attachment, although it can also happen after visits to malicious sites.
The Malwarebytes Labs 2019 State of Malware Report mentions that there were 5,948,417 ransomware attacks in 2018, which is a 26% decline over 2017 numbers. The researchers clarify that, despite the drop, ransomware remains a significant concern. The situation is even worse for companies that don’t have their data backed up. Unfortunately, paying the ransom doesn’t guarantee restored information.
- Bitcoin Investment Email Scams
Some cybercriminals operating via email also set their sights on bitcoin enthusiasts. In March 2019, cybersecurity researchers in the United Kingdom uncovered a bitcoin email investment scam that stole victims’ passwords and other credentials once they downloaded a malicious attachment. The people who came across the vulnerability believed the malware potentially had a keylogging component that made it easier for hackers to get valuable data.
- Tax-Related Spear Phishing
Spear phishing is similar to a BEC, but it’s sometimes associated with multiple people from one department at an organization instead of just one high-level individual. The Internal Revenue Service (IRS) published content advising tax preparation professionals and others to watch out for spear phishing and be wary of any emails from senders posing as IRS representatives.
A common feature of these IRS spear phishing emails is that they ask accounting professionals to provide tax or banking details. However, one thing to remember about IRS correspondence is that the organization does not engage with individuals via email or social media to request personal information.
Staying Diligent When Using Email
There’s no foolproof way to avoid all email vulnerabilities. However, if you avoid downloading unusual attachments and don’t respond to emails that ask for sensitive details without investigating them further, those precautions go a long way.
About the Author
Kayla Matthews, a cybersecurity journalist, has written for sites like Security Boulevard, the National Cyber Security Alliance, Information Age and more. Matthews can be reached via Twitter @KayleEMatthews or on ProductivityBytes.com