Impersonation scams are on the rise and becoming more sophisticated. The phony (and relatively easy to detect) gift card solicitations—just to pick an example from a hat—haven't gone away entirely, but today's bad actors know that more savvy technology users have wised up to old tactics. Criminals have graduated from, say, impersonating your teammate or boss to impersonating customers and vendors.
An email impersonating a vendor may direct a recipient to send payments to a new bank account. The message appears to come from a known vendor contact, and the sender's signature, including title and logo, can look totally legitimate. Even the sender's email address may look normal until it is scrutinized more closely, at which point a recipient might observe, "That’s an O, not a 0!"
Pretending to be a customer, a scammer may attempt to place a fraudulent order using a "new" shipping address. As with vendor impersonation, the email will look legitimate, and so will the accompanying purchase order. It may have all the right information, logos and approval signatures that match all the right people at that organization.
These more advanced social engineering scams are hard to protect against with technology alone, and can be executed with only a minimum of technical ability. Most of the information needed is surprisingly easy to capture because it's not often considered as sensitive as credit card numbers or other PII (Personally Identifiable Information).
This is particularly true of public entities that must be transparent about decisions and major purchases, and that regularly publish information such as bids, awards, contracts and contact information—online and largely unprotected.
The data that scammers covet includes:
Most of us know what can happen if we’re hacked. What’s alarming about these latest scams is that an organization can be 100% secure, technically speaking, having so far avoided any serious security incident, and still be vulnerable to these attacks. Any information published online or shared with vendors and partners can be used in a successful social engineering attack.
What can you do to lower your risk?
An ideal approach leverages a combination of process and technology that keeps security in mind.
Modern email solutions use data and artificial intelligence to better identify, call out and protect against impersonation scams, and they do it without requiring on-staff email security experts or someone who understands how to create complex filtering rules and policies.
Many solutions provide this type of protection, but even more do not, or at least do not include it in the "standard" package. Buyers might have to add a module or go with a “Premium” version. It should go without saying that marketing is often ahead of actual product development, so most email security solutions are going to tout their ability to protect against impersonation scams and include AI somewhere in the brochure, but the devil is in the details.
Until recently, sophisticated modern email protection solutions have generally required significant expertise to manage effectively, limiting their use to enterprise-tier customers. Mimecast, a Prescriptive technology partner, is one vendor that seems to have found a way to make such protection both more affordable and manageable, opening up a new level of cybersecurity protection to the middle market. We think solutions such as these are game changers.
Email is an organization's most vulnerable application and selecting the right security solution can be complicated. If you’re unsure whether your current tools are good enough, or if you need help selecting a new solution, we’re happy to help.