This morning, two articles about separate but related email phishing scams caught my attention. The first was a report by The Wall Street Journal that put a number on the overall losses email phishing scams are causing. It turns out, it's almost $2 billion a year. That's a staggering amount of money flowing out of the bank accounts of individuals and companies and into the hands of bad actors, as scammers grow more sophisticated.
The second was a piece that highlighted what that looks like in real-world terms. People magazine is reporting that Barbara Corcoran says her company was just scammed out of $388,700 in an email phishing attack. In Corcoran's case, a bookkeeper received an email containing an invoice that appeared to come from Corcoran's assistant.
The bookkeeper paid the invoice, but instead of going to the firm renovating one of Corcoran's investment properties, the money went to an attacker using a Chinese IP address. No one realized it was a scam until the bookkeeper emailed the real assistant back, who had no idea what had happened.
"It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate," Corcoran told People.
Email phishing scams work by sending messages that appear to be from a trustworthy source, so the victim doesn't question the request. For example, you might get a message that appears to be from your bank, informing you that you need to log in to verify some information. Except, when you click on the link provided, the site looks like your bank's but actually isn't.
Or, as in Corcoran's case, the sender impersonated a real person with enough authority to approve a payment, so an invoice that was not legitimate looked like it was.
Both articles point out that this type of scam is becoming more common and more sophisticated. That means it's worth considering whether your current security processes would catch this type of attack. For example, it's probably worth considering how you accept and process invoices. Also, talk to your team about the fact that a scam email might look legit at first, so they should always pay close attention to the details.
"The detail that no one caught was that my assistant's email address was misspelled by one letter, making it the fake email address set up by the scammers," said Corcoran. That one letter cost almost $400,000.
You can bet that bookkeeper in the future will check every request even more carefully. So should you.
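The one-letter-off address Corcoran describes is something a mail filter can catch before a person has to. The script below is an added example, not code from the article or from any of the companies it mentions: it compares each inbound sender against a constructed list of known, verified contacts and flags any address that is within a couple of edits of one of them but not an exact match. All addresses and messages are made up for the demonstration.

```python
"""Flag inbound sender addresses that are a few keystrokes away from a known contact."""
from typing import Optional

# Constructed address book for the demo: the accounting team's verified contacts.
KNOWN_CONTACTS = {
    "assistant@corcoran-example.com",
    "bookkeeper@corcoran-example.com",
    "vendor@renovations-example.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(sender: str, known=KNOWN_CONTACTS, max_distance: int = 2) -> Optional[str]:
    """Return the known contact a sender resembles, or None.

    An exact match is trusted. Anything within max_distance edits of a known
    address, but not equal to it, is reported as a lookalike of that address.
    Both sides are lower-cased and stripped because mail clients display
    addresses inconsistently.
    """
    s = sender.strip().lower()
    if s in known:
        return None
    best = None
    for contact in known:
        d = edit_distance(s, contact)
        if 0 < d <= max_distance and (best is None or d < best[0]):
            best = (d, contact)
    return best[1] if best else None


def triage(messages):
    """Label each message 'trusted', 'lookalike:<contact>' or 'unknown'."""
    results = []
    for msg in messages:
        sender = msg["from"]
        target = lookalike_of(sender)
        if target:
            results.append((msg["subject"], f"lookalike:{target}"))
        elif sender.strip().lower() in KNOWN_CONTACTS:
            results.append((msg["subject"], "trusted"))
        else:
            results.append((msg["subject"], "unknown"))
    return results


# Constructed sample inbox: one genuine message, two lookalikes, one stranger.
SAMPLE_INBOX = [
    {"from": "assistant@corcoran-example.com", "subject": "Q1 expense report"},
    {"from": "assistant@corcoran-exarnple.com", "subject": "Invoice for renovation"},  # "rn" for "m"
    {"from": "assistent@corcoran-example.com", "subject": "Invoice for renovation"},  # one letter off
    {"from": "newvendor@other-example.com", "subject": "Introduction"},
]

if __name__ == "__main__":
    for subject, verdict in triage(SAMPLE_INBOX):
        print(f"{verdict:45} {subject}")
```

A lookalike verdict is a reason to hold the message for a human, not proof of fraud: two genuinely different colleagues can have addresses that are close, so the distance threshold should be tuned against your own address book. Messages flagged "unknown" that carry payment instructions deserve the same out-of-band confirmation, since the scam works just as well from a brand-new address with a convincing display name.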