Increasing numbers of small and medium businesses are being targeted by criminals using email fraud to steal money.
If you log in to online banking, you might have seen a message like this…
“Fraud check: Did the request to make this payment come from an email? If so, make sure you verify with the sender it was actually them via a different method (e.g. phone - on a known number, instant message). Fraudsters are now impersonating contractors, suppliers, creditors or even senior management to request a new payment or change in account details.”
As these criminals get more sophisticated, it’s getting harder for technology to identify fraudulent emails.
Instead, we need to become more aware of what fake emails look like, and how to act to minimise the risk of losing money to these criminals.
Usually, you’ll receive an email from someone whose name you recognise. They might be a supplier or a colleague. The email will include a request for payment, either an invoice attached or details within the email body. You make the payment, only to realise that the email sender was not who they said they were and you’ve paid the money into the criminal’s account.
From Names & Addresses
You receive an email with the ‘from’ name of someone you know (for example, Robert Smith). Robert works in marketing and is often raising invoices and purchase orders.
‘Robert’ asks you to organise payment of an attached invoice.
On a desktop email provider like Outlook, you can double-click on the sender’s name in an open email to reveal the email address. Alternatively, you can right-click and select ‘Open Outlook Properties’ to view their details.
In a cloud-based provider like Gmail, hover over the sender’s name to view their email address.
When you reply to the email, make sure the reply address is the same as the ‘from’ address, or at least on the same domain. For example, if the initial payment request came from [email protected] but the reply address is [email protected], make telephone contact to confirm the recipient is correct.
In Outlook you will see the reply address in the ‘To’ field in a new email. On mobiles, you need to tap on the name to see the email address in full.
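The two address checks described above (a familiar ‘from’ name on an unfamiliar address, and a reply address on a different domain) can also be run against the raw message headers. The following Python script is an added example, not part of the original article; the address book, the example.com addresses and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed address book: display name (lower-case) -> address on record.
KNOWN_CONTACTS = {"robert smith": "robert.smith@example.com"}

def domain(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of warnings for the From / Reply-To checks."""
    msg = message_from_string(raw_message)
    name, from_addr = parseaddr(msg.get("From", ""))
    warnings = []
    # Check 1: a familiar display name on an address we do not hold on record.
    on_record = contacts.get(name.strip().lower())
    if on_record and from_addr.lower() != on_record:
        warnings.append(f"name '{name}' is on record as {on_record}, not {from_addr}")
    # Check 2: replies would go to a different domain than the sender's.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and domain(reply_addr) != domain(from_addr):
            warnings.append(f"reply address {reply_addr} is outside {domain(from_addr)}")
    return warnings

# Constructed sample messages (not real mail).
GENUINE = ("From: Robert Smith <robert.smith@example.com>\n"
           "Subject: Invoice 1042\n\nPlease pay the attached invoice.")
SPOOFED_NAME = ("From: Robert Smith <accounts@example.net>\n"
                "Subject: Invoice 1042\n\nPlease pay the attached invoice.")
REPLY_MISMATCH = ("From: Robert Smith <robert.smith@example.com>\n"
                  "Reply-To: robert.smith@example.org\n"
                  "Subject: Invoice 1042\n\nPlease pay the attached invoice.")

if __name__ == "__main__":
    samples = [("genuine", GENUINE), ("spoofed name", SPOOFED_NAME),
               ("reply mismatch", REPLY_MISMATCH)]
    for label, raw in samples:
        print(label, "->", check_sender(raw) or "no warnings")
```

A message with no warnings is not proven genuine, because a request sent from a compromised mailbox passes both checks. Confirming payment details by telephone still applies.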
Make sure the bank details in the invoice or payment request match those that you have on record. If this is the first payment you’re making, then you should confirm the details over the telephone, and if you can’t get confirmation over the telephone, question the payment.
Language, Tone and Style
You get an email from someone you’re in regular communication with, but something feels off. The tone of the email, the language they use or the sign-off isn’t how they usually communicate with you.
Do they use a formal ‘Kind regards’ instead of their usual ‘Cheers’? Does the email contain the normal company signature including the logo and links to the website?
If your company uses a purchase ordering system, make sure the invoice or payment request references a PO number, and that it’s the one you expected to see. If there’s any doubt, check your accounts or with your finance team to ensure the PO number listed on the invoice matches a request for the same services at the same price.
Is it expected?
Would you expect to receive a payment request at all? And if yes, would it be for the services described in the invoice?
Is the invoice for services that you’re not sure you’ve received? Is it for an item that you have no knowledge of?
If in doubt, check with a colleague and then double-check over the telephone with the person who has made the payment request.
Technology and computer users must work together
Anti-virus and spam filters will help to keep some fraudulent emails out of your inbox, but your technology can’t stop every scam. Use the tips above to avoid paying your hard-earned money to a criminal. If in doubt, always request to speak to the sender via telephone, video chat or face to face, to confirm that the payment request is legitimate.
Speak to our IT support team about your anti-virus and email configuration settings to make sure your technology is working as hard as possible to protect you from email fraud.