Phishing Scam taking UK startups hostage

Please make a payment of [     ] to the details below. I will send you the expenditure details for proper coding when I am done with my meetings today. Please arrange the payment for value today and let me know when it is done. Regards.

This letter to a financial officer of a tech company doesn’t sound too out of the ordinary, does it? Most official business correspondence starts like this, but this isn’t legitimate business correspondence, and it isn’t a legitimate payment request; rather, it is a phishing scam email from someone who will bilk thousands of dollars out of an innocent, new tech startup in the UK. Word of these phishing scams came two weeks ago, and hoaxers are getting thousands, if not millions, out of unsuspecting companies.

What is a phishing scam?

A phishing scam is what happens when someone spear-phishes someone else. To spear-phish someone is to strike at the heart of that person by becoming a well-informed hoaxer who knows what it takes to get that individual to let his or her guard down. With the latest phishing scam, hoaxers are not only learning how to write official business correspondence (which, to a hoaxer, could be a copy-and-paste job from a letter they obtained illegally, or a result of past experience with corporations) but also how to disguise an email so that it’s hard to distinguish from legitimate correspondence.

For example, content monetization company Skimlinks has been a direct target in phishing scams: “The email asked my financial controller to pay an invoice that was attached for a five figure sum immediately…she noticed that the email from my CFO did not come from our domain (skimlinks.com) but from a very, very similar domain (sklmlinks.com), and the rest of the email which included a forwarded email from me had been faked,” said Skimlinks co-founder Alicia Navarro.

In the case of Navarro and Skimlinks, the hoaxer(s) took the first “i” and replaced it with a lowercase “l” so that, at first glance, one can hardly tell the difference. Not only did the hoaxers know the domain name of Skimlinks (and how to change it slightly without drawing attention), but they were well aware of the email addresses of higher-ups in the corporation and copied text from earlier emails into a new one so that it would sound familiar.

How can you avoid a phishing scam?

You can avoid a phishing scam by using common sense and by not sending anything via email or over the internet until you talk to the person in question. First, as with the phishing scam email above, the letter ended abruptly with “regards” and did not leave a name, number, email, or contact address of any sort. This is the first red flag.

Next, even if contact information is left at the end of an email, and even if the sender appears to be a colleague within the company or an associate that has been doing business with the corporation for a while, call the individual or business and have them verify the details before sending the money. If the business says that they never sent the correspondence, keep the email and inform the police of the crime.

Last but not least, have some filters in place that catch phishing scam emails. Fortunately, Skimlinks did have filters in place that caught the email before the company discovered some of the details were wrong. Startups in general, however, tend to have their internet guard down, making them easy prey for scammers. Whatever you do, it is wise to invest in internet security, identity theft protection, and fraud prevention as much as you can. It is just as important as the business itself. Think of phishing scams and scammers as the ruin of your business: if they send enough fake emails that your startup doesn’t catch, and you send thousands of dollars, pounds, or other currency to these scammers, you’ll eventually run out of money and no longer have your business. Investing in internet security, banking protection, and so on will prevent your business from dying quickly later on.
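
One check such a filter can apply to the lookalike-domain trick described above (skimlinks.com versus sklmlinks.com) is sketched below. It is an added example, not code from Skimlinks or from any particular mail product; the function names, the confusable-character table and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the organisation's own mail domain(s); skimlinks.com is the article's example.
OWN_DOMAINS = {"skimlinks.com"}

# Glyphs that are easy to mistake for one another, folded to a single representative.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, own_domains=OWN_DOMAINS):
    """Return 'internal', 'lookalike' or 'external' for a From: header value.

    'internal' only means the domain string matches; whether the header itself
    is forged is a separate check (SPF/DKIM/DMARC) not shown here.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in own_domains:
        return "internal"
    for own in own_domains:
        # Near-miss of our own domain: same visual skeleton, or one typo away.
        if skeleton(domain) == skeleton(own) or edit_distance(domain, own) <= 1:
            return "lookalike"
    return "external"

if __name__ == "__main__":
    # Constructed sample headers; skirnlinks.com is a made-up variant for illustration.
    for header in ("CFO <cfo@skimlinks.com>", "CFO <cfo@sklmlinks.com>",
                   "CFO <cfo@skirnlinks.com>", "billing@supplier.example"):
        print(f"{classify_sender(header):9}  {header}")
```

A message classified as "lookalike" is a candidate for quarantine or a warning banner before it reaches the finance team.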