So how can you protect yourself from inadvertently sharing information that results in you being scammed out of your hard-earned cash? Here are some specific things to look for in email based scams.

1.      Check the sender’s email address

Anyone can choose the name to display when sending an email. So even though an email says it’s from Xero it may not be. There’s an easy way to check, click on the information in the top of the email and you can see the email address the email has been sent from. Look closely at the spelling of the website or email address – does it look close but not quite right? Have they added a ‘1’ for a ‘l’ or extra prefixes or characters. If you don’t recognise it, assume it’s spam and contact the legitimate company.

2.      Watch for mistakes and generic greetings

Some emails from scammers contain obvious spelling and grammar mistakes. They also often use generic greetings such as “Dear Sir/Madam”, “Dear Customer”, “Dear Friend” or “Hi [first part of your email address] rather than your name.

3.      Suspicious links

Most scam emails contain links that take you to ‘dummy’ websites – websites that look like the real thing but are actually the scammers way of obtaining your information. This could be your login details for banking or asking weird questions such as the street you grew up on – all to have those details on hand when they pose as you. Unless you know the sender of the email, assume the email is spam. If you’re unsure, you can go to your browser and go to the company’s website and contact them.

4.      Verify independently

If you receive an email to verify a change or update and you didn’t expect the email (or do something directly moments before to trigger the verification) call the company and verify the request – preferably with someone you already know.

5.      Develop a process for a adding or changing supplier’s bank account details

Do you have a policy or procedure when loading new suppliers or requests for updates of bank account details? One of the most recent scams is to intercept an invoice and change the bank account details to the scammers. To the paying company, the invoice is legitimate and they assume that the company has updated their bank account details, so they make payment to the new account. Only later when reconciling, do they find out that they’ve paid it to a scammer’s account.

To combat this, create an extra verification step in your process when approving new suppliers and/or changing bank accounts from existing suppliers. One one to do this is verbal confirmation, so giving the company a call. Be wary of using the number on the invoice as this could have changed too and you could inadvertently phone the scammer, so use existing contact details to call the business and confirm the change.

6.      Watch Nigel Latta’s “You’ve Been Scammed” on TVNZ.

This series is available online at TVNZ and goes through the different scams to help prevent you becoming a victim.

7.      Turn on Multifactor Authentication in your email account

Turn this on for all mailbox logins to protect yourself. It’s a case of when rather than if you’ll credentials will be harvested and it’s almost impossible to get cyber risk insurance without this in place.

8.      Considering taking out Cyber insurance

As the scams get more sophisticated, some banks are not covering the loss so it may be time to consider taking out a cyber insurance policy. Most insurance companies offer cyber insurance to protect against loss of data and potential loss of funds from a scam. Discuss this with your insurance broker to determine the best policy to protect you.

More technical things to do

These can sound quite technical but they work in the background to protect you and your business. Your IT company will know what these mean and will be able to set these up for you.

9.      Implement advanced Sandbox filtering for malicious URL’s (links) and attachments

This means that any links or files attached to an email are pre-detonated in a virtual environment to see what they do before they get to your mailbox! Most people have some traditional spam filtering in place but if you have whitelisted certain clients and suppliers to ensure you always get their messages, BE WARNED - this can mean if a bad guy takes over their mailbox and then you’re at risk of getting malware delivered direct to your inbox.

10.  Implement Sender Policy Framework (SPF) & Domain-based Message Authentication, Reporting and Conformance (DMARC) rules on your domain name

These rules are quite tricky but without them in place or some other means to protect your VIP’s it means that it can your staff, customers and suppliers could be tricked into communicating with a scammer and it can be very difficult for individuals to pick this up. Just recently the NZ Govt Security and Communications Bureau has made this a mandatory requirement for the NZ Information Security Manual that all departments must abide. These rules also have a great side benefit of protecting your brand and help ensure your marketing & invoice emails don’t end up in the destination junk folder!

If in doubt, treat it as a scam

Unfortunately, scammers are becoming cleverer all the time and putting more effort into making websites and emails look like the real thing. Remember banks and other institutions will never ask for your account number, name, address or password in an email. Always err on the side of caution and treat anything suspicious as a scam. Don’t take the risk as become the scammer’s next victim.