Email fraud – how to protect yourself and your business

Circulation of rogue email invoices to commit fraud is a growing problem whether you are using cloud or server based accounting systems and every type and size of business is being targeted. Whilst you are likely to be already aware of this issue, this fraud has spread way beyond banks and we’re now seeing people cloning brands such as Xero in order to commit fraud.

If you suspect you’ve received a phishing or malicious email, and it looks like a Xero generated email or uses Xero’s logo, do not click on anything in the email. You can forward it to [email protected]. You can also read more security advice from Xero on their dedicated Security Page.

In the meantime, here are some examples to show how you may be targeted:

• via bogus email accounts masquerading as the real thing used to send out fraudulent but realistic invoices often only identifiable by a spurious bank account.
• with a phishing email to gain access to information like your usernames and passwords, credit card details, and bank account numbers;
• Or a bogus invoice email containing links and/or documents that deliver malicious software to your PC, such as ransom-ware or password stealers.

How it works:

• A fraudster will send an email that looks like it’s come from a trustworthy source, but is in fact attempting to trick you by getting you to click on a link that will infect your computer; follow a link to a fake but convincing looking website that will steal your login details; or open an attachment that will infect your computer.

They rely on individuals being busy processing data in the hope that the email is opened and the link is clicked. If you’ve fallen for the scam, the cyber criminal may be able to steal or extort money from you, or use the information they gain access to for other attacks.

To better protect yourself and your business, it’s important to not only be aware of these scams, but ensure your team are aware and understand how to combat them.

Common hallmarks of a bogus email:

• Incorrect spelling or grammar. Whilst nobody is perfect and genuine senders can make mistakes, emails with basic errors can be a dead give-away, particularly poorly constructed sentences and grammar.
• The email you’ve received could have an almost identical email address to the genuine sender. For example, the difference may be as small as a change in email domain from @company.com, to @company.co
• The URL they want you to click on is different from the one displayed — if you are suspicious, DO NOT CLICK ANY LINKS, simply hover your mouse over any links in an email to see if the actual URL is different.  The real URL will be displayed at the bottom of your browser window.
• The email may ask for personal information that they should already have, or information that isn’t relevant to your relationship with that company.
• The email calls for urgent action. For example, “Your bank account will be closed if you don’t respond right away”. If you are not sure and want to check, then go directly to the sender and ask them. Avoid forwarding it to them though as you are just passing the problem to someone else who may click on the link as they’ve received it from a safe source.
• The email says you’ve got an invoice from a company you don’t deal with, or have a parcel waiting that you didn’t order.   This is again in order to get you to click a link or open an attachment.
• There are changes to how information is usually presented. For example: an email is addressed to “Dear Sirs” or “Hello” instead of to you by name; the sending email address looks different or complex; or the content is not what you would usually expect.

You may also be interested in our video interview with Nick Kellaway, Head of IT Security Specialist AVR