Fraudulent emails that are targeting businesses and non-profit organizations

There has been a recent uptick in fraudulent emails targeting businesses and non-profit organizations. The perpetrators send emails posing as a leader in the organization, usually a CEO or Executive Director, to someone in the financial department of the organization requesting a wire transfer of some dollar amount to a different state or country. The personnel details and emails are usually gleaned from the company’s own website.

While these fraudulent emails are currently targeting businesses and non-profit organizations, those are not the only sectors affected. Very rarely do any of these emails mean the organization’s real email accounts have been compromised, even though it may seem that way. Typically the fraud attempts range from the simplistic (creating a free address on Gmail, Yahoo, AOL, etc. in the name of the target company’s executive and hoping the recipient doesn’t notice the unfamiliar address) to the complex (registering an email domain that looks similar to the target company’s domain, or fully spoofing the executive’s actual email address). Due to the way email works, anyone can send an email as any address, just as anyone can write any return address on a mailed envelope.

There are a number of technical ways to combat these fake emails. Spoofing can be stopped either by implementing DomainKeys Identified Mail (DKIM) to securely sign each legitimate email and flag illegitimate ones, or by setting up a Sender Policy Framework (SPF) record in combination with an email protection service such as Spamsoap.com to block any “internal” emails that don’t actually come from your mail server. DKIM will also protect against fraudulent emails from similar-looking domains.

If these solutions sound complicated, you’re not wrong. Fortunately, there is also an easy way to prevent these emails from having their intended outcome: verify with a second person by phone or in person before doing anything else, preferably with the person who supposedly made the request. If you can only communicate by email for some reason, don’t hit the Reply button. Make a new email and type out the person’s email address yourself. That one step can save you thousands or tens of thousands of dollars.
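The three impersonation patterns described above (executive name on a free-mail address, a look-alike domain, and a fully spoofed internal address) can be checked mechanically from message headers. The following is an added example written for this article, not code from the original post; the organization domain, the executive name list and the three sample messages are constructed placeholders, and the spoofed case relies on the Authentication-Results header that a receiving mail server adds after evaluating SPF/DKIM.

```python
# Added example (not from the original post): header checks for the three
# impersonation patterns described above, run over constructed sample messages.
import email
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example-nonprofit.org"   # assumed: the organization's real domain
EXECUTIVES = {"jane doe"}              # assumed: names listed on the public website
FREEMAIL = {"gmail.com", "yahoo.com", "aol.com", "outlook.com", "hotmail.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess(raw: str) -> list:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_string(raw, policy=default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings = []
    if name.strip().lower() in EXECUTIVES and domain != ORG_DOMAIN:
        if domain in FREEMAIL:
            findings.append("executive name on free-mail address")
        elif edit_distance(domain, ORG_DOMAIN) <= 2:
            findings.append("look-alike domain")
        else:
            findings.append("executive name on unrelated domain")
    # An exact spoof of the real address only shows up in the SPF/DKIM verdict.
    if domain == ORG_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("claims internal sender but SPF/DKIM did not pass")
    # A different Reply-To is why the article says not to hit Reply.
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From")
    return findings

# Constructed samples: free-mail impersonation, look-alike domain, exact spoof.
FREEMAIL_MSG = "From: Jane Doe <janedoe.ceo@gmail.com>\nTo: cfo@example-nonprofit.org\nSubject: urgent wire\n\nPlease wire $25,000 today.\n"
LOOKALIKE_MSG = "From: Jane Doe <jane@example-nonprofif.org>\nReply-To: jane@example-nonprofif.org\nTo: cfo@example-nonprofit.org\nSubject: urgent wire\n\nWire request attached.\n"
SPOOFED_MSG = "From: Jane Doe <jane@example-nonprofit.org>\nReply-To: jane.doe.office@aol.com\nAuthentication-Results: mx.example; spf=fail smtp.mailfrom=evil.example\nTo: cfo@example-nonprofit.org\nSubject: urgent wire\n\nSend the transfer now.\n"

if __name__ == "__main__":
    for label, m in [("free-mail", FREEMAIL_MSG), ("look-alike", LOOKALIKE_MSG), ("spoofed", SPOOFED_MSG)]:
        print(label, assess(m))
```

These checks are a triage aid for the finance inbox, not a substitute for the phone call the article recommends.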