PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the latest installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, shares his expertise as it relates to the growing issue of email scams - including the tactics cybercriminals use to try and steal our personal and financial information and the steps we can take to protect ourselves.

By David Dungan

If we can agree that sending and receiving an email is one of the most effective and beneficial ways to communicate with one another (that’s ever been created...), it probably explains as to why it’s become a primary tool for cybercriminals to steal our money, credentials, and other sensitive information.

In 2020, people ages 21 and under lost roughly $71 million, and since January 2020, businesses have collectively lost $3.1 billion to business email compromise (BEC). Not only have email scams resulted in financial losses, but it has also resulted in identity theft and damage to the reputations of many companies. What’s more, it’s caused us to experience a collective lack of trust in using email to communicate with one another.

Tactics Involved with Email Scams

Attackers use various kinds of tactics within email scams: impersonation, email spoofing, malicious links, and fake invoices. Attackers often impersonate a third-party vendor, a customer, an employee, or a CEO to establish trust with the victim, or create a sense of urgency in an impersonation attack. This typically causes the victim to act quickly without considering that the email may be a scam.

Malicious links are links created to distribute malware like ransomware. Once the victim clicks on the link, they can be redirected to a spoofed website that the attacker created, recording the victim’s credentials if they input their login information, or downloading malware onto the victim's machine.

Invoice scams are when attackers send fake bills for goods or services that the victim never ordered. The victim may not look at the details of the invoice and pay it, potentially exposing confidential banking information. Instead of the money going to the real third-party vendor, the money is sent to the attackers.

How to Spot Email Scams

There are numerous tactics used to decipher email scams from legit emails. Follow these “red flags” to help you decipher the difference:

• The email claims that you must log into a website, or your account will be closed, with a link to an attacker-controller website.
• The email claims that your payment or personal information is invalid, and it must be sent to the attacker either through email or on a website.
• It attached invoices for a payment that you know you did not make.
• It conveys a sense of urgency or confidentiality.
• It claims that you could receive a government refund and asks for sensitive data such as a social security number, address, and banking information.
• It requires you to submit private data to obtain free products, coupons, or money.

How to Protect Against Email Scams

You can protect yourself and others from email scams by educating employees on the tactics used by scammers, installing email filters and email defenses, updating operating systems, and installing security software enforcing MFA (multi-factor authentication), as well as backing up data, and installing firewalls that contain web isolation technology.

As email scams continue to increase, it is important to use these practices to avoid becoming a victim of these attacks. You can also utilize an email provider that has fraud prevention built into the system.

There are also a wide range of free resources, best practices and tips that can help you stay safe, such as the Federal Trade Commission and CISA (Cybersecurity Infrastructure and Security Agency) offers an easy-to-use guide for recognizing and avoiding email scams that includes everything from get-rich-quick schemes and health and diet scams to important information on how the scams work with real world examples that you might have already seen in your inbox.

Remember, too, that it’s OK not to click on any link, especially if you’re not sure about the source, the offer or what someone is asking you to do. Cybercriminals are relying on you to act on your feelings -- such as curiosity and the desire to please others -- to get what’s yours and that’s true whether you’re at home, at work, or at school.