Simple Scam Emails Do Most Damage

Category: Blog, Security  |  Thursday, August 30th, 2018

Email scams don’t have to be complicated to be effective. In fact, new research reveals that the simpler and more straightforward they are, the better they work.

According to a new report released by Barracuda Networks, almost 60% of business email fraud is simply a plain text message with no malicious link, and it is shockingly effective when the words and context appear authentic.

It’s often a message that appears to have been sent from a cell phone. It’s usually from a boss or someone in authority.

“The attack is simply a plain text email intended to fool the recipient to commit a wire transfer or send sensitive information,” Barracuda said in its report. Phishing email, on the other hand, typically tries to get you to click on a malicious link.

The problem is, bogus text emails are difficult for email security systems to detect because they are often sent from legitimate email accounts and don’t contain suspicious links, Barracuda states.

Businesses are a Target

It’s no surprise hackers are looking for any way to slip in the back door, but this simple email scam involves walking right in the front door with targeted social engineering.

Fraudulent emails are common in so-called Business Email Compromise, or BEC, where attacks have resulted in billions of dollars lost to fraud over the last few years. According to the FBI, more than 78,000 BEC complaints were made globally between October 2013 and May 2018, with over 41,000 victims in the United States.

Business email fraud, as defined by Barracuda in its report, works like this: Criminals first get access to a business email account, then imitate the owner’s identity, and then target employees, customers or partners who have access to company finances or payroll data and other personally identifiable information.

One of the most common attacks attempts to trick a recipient into making a wire transfer to a bank account owned by the attacker, according to Barracuda, which compiled statistics for 3,000 randomly selected BEC attacks in its report.

The attacks sometimes (about 12% of the time) attempt to establish rapport with the target. For instance, the attacker will ask the recipient whether they are available for an urgent task and then, in the majority of cases, will ask for a wire transfer, Barracuda said.

These emails are very simple. One actual email – with the names changed to protect the victim – that Barracuda cited said this:

“Hey Joe,

Are you around? I need to send a wire transfer ASAP to a vendor.


Another bogus email said:

Subject: Invoice due number 381202214
I tried to reach you by phone today but I couldn’t get through. Please get back to me with the status of the invoice below.
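
A content-based triage heuristic for the link-free messages described above, as an added example that is not from the article or from Barracuda's report. The pattern list, weights and threshold are assumptions chosen for illustration; the first two sample messages are the emails quoted above and the third is constructed.

```python
import re

# Indicator patterns drawn from the traits the article describes; the
# weights and threshold are assumptions for illustration, not tuned values.
INDICATORS = {
    "payment_request": (3, r"\bwire transfer\b|\binvoice\b|\bpayroll\b"),
    "urgency": (2, r"\basap\b|\burgent\b"),
    "availability_check": (2, r"\bare you (around|available)\b"),
    "phone_pretext": (1, r"\b(reach|call) you by phone\b|\bcouldn't get through\b"),
}
URL_RE = re.compile(r"https?://|www\.", re.I)
THRESHOLD = 4  # assumed cut-off for routing a message to manual review


def score_message(subject, body):
    """Return (score, reasons) for a message's subject and plain-text body."""
    # Normalise case and curly apostrophes before matching.
    text = f"{subject}\n{body}".lower().replace("\u2019", "'")
    score, reasons = 0, []
    for name, (weight, pattern) in INDICATORS.items():
        if re.search(pattern, text):
            score += weight
            reasons.append(name)
    # Link-free text is normal in legitimate mail too, so the absence of a
    # URL only counts once some other indicator has already matched.
    if reasons and not URL_RE.search(text):
        score += 1
        reasons.append("no_links")
    return score, reasons


def needs_review(subject, body):
    """True when the message should be held for out-of-band confirmation."""
    return score_message(subject, body)[0] >= THRESHOLD


SAMPLES = [
    ("", "Hey Joe,\n\nAre you around? I need to send a wire transfer ASAP to a vendor."),
    ("Invoice due number 381202214",
     "I tried to reach you by phone today but I couldn\u2019t get through. "
     "Please get back to me with the status of the invoice below."),
    ("Lunch on Friday", "Team lunch is at noon on Friday, see you there."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(needs_review(subject, body), score_message(subject, body))
```

Because these messages often come from legitimate accounts, the check looks only at wording, and a flagged message is a prompt for the phone or in-person confirmation rather than a verdict.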

Don’t get duped

“Wire transfers should never go out without an in-person conversation or phone call,” said Barracuda.

And if a request is coming from a high-level executive like a CEO, the request should always be confirmed because, in many cases, it’s unusual to receive a personal email from senior executives.

Based on the report’s results, about 43 percent of the impersonated senders were the CEO or founder. C-suite positions like CEO or CFO can provide valuable context when attempting to dupe payroll staff, for example, into handing over sensitive information.

If you need assistance with your cybersecurity services, consider giving EnhancedTECH a call at 714-970-9330.
