Home » Nefarious Business Email Tactics

Nefarious Business Email Tactics

UPDATE 05.04.17: You may have experienced the latest trickery — an invitation to view a Google Doc. A very legitimate email invites you to login at a very impressive fake Google login page and view the doc.

What caught my eye was the email was addressed to [email protected] That was enough for me to hit delete right then and there. Google jumped on this one and supposedly had it shutdown within an hour. But how many logins did the preptrators get in the interim?

What You Don’t Know Can Hurt Your Business

Spammers have always had to be creative to get the information they want to exploit. That’s not what surprised me as of late. Surprising to me was the use of profanity and underlying code hacks I have not seen before.

Below are just a handful for you to keep an eye out for and not fall victim to. If they land in your inbox — you’ll know right out of the gate to just hit DELETE!

The Unpaid Invoice Trick

yea , we finally did it.
here is the bank confirmation:
bofa_card_statement_support.doc
now f*** off and try not to contact me again or else.

On Feb 6, 2017 at 3:25 AM, [email protected] wrote:
did you send the money? i need the proof

The above uses profanity and a threatening tone to get you riled up enough to hopefully not stop and think before you click on the attachment. The Subject: and supposed previous email from you, reflect your company’s email address to make it appear more authentic.

The Fancy Company Overcharge Trick

Who the f*** are you and why is there a charge from xxxxxxxxxxxx.com on my card?
Here you can view my statement, get back to me asap.

bofa_card_statement_XXXXXX.doc

Thank you
David Riley

If you do eCommerce of any kind this will catch your attention. Did I incorrectly charge a customer?

In this example I’ve received numerous versions where the Subject: field notes different legitimate big name consulting companies to add to the effect. In one case the website of the company name used changed their homepage to note “…we apologize, the emails were not from us. We were hacked.”

Once again using profanity and noting your business website domain in an attempt to get you to click on the attachment.

The Legal Threat Trick

WTF is this?
I got it in my mail today.
subpoena_from_support.doc

my lawyer will call you tomorrow.

Yours,

Christopher Stephenson
Phone: XXX-XXX-XXXX
Fax: XXX-XXX-XXXX

Supeona!? Attorney?! Click on that “doc” to see what this is about! Don’t fall for it. What surprised me with the above is the phone numbers seemed to belong to real people of a different name. I feel sorry for them…

The We Can’t Deliver Your Package Trick

Dear Customer,

Your parcel was successfully delivered February 15 to UPS Station, but our courier cound not contact you.
Please check the attachment for complete details!

Yours faithfully,
Seth Goff,
UPS Senior Delivery Manager.

Most businesses get UPS deliveries on a regular basis. If you are expecting a package you could just react and open the attachment. UPS doesn’t send notices like this, just hit delete.

The You Have an eFax Trick

You received a new eFax from 212-335-7155

Do folks still use faxes? I used eFax back in the day and wasn’t aware enough folks still used it to warrant a phishing email.

Everything in the email looked legit. All the eFax links when moused-over showed efax.com. The trick here is the link to go download the eFax. When you mouse-over the link the first part shows efax.com — but if you move your mouse over to the end of the link you can see the phishing site you would go to!

The Business Complaint Trick

Subject: ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – Company Complaint

This message has been generated in response to the company complaint submitted to Companies House.
(CC01) Company Complaint for the above company was accepted on 16/02/2017.
Please check attached documents for more information.
The submission number is id: 8d6ba737-775e8bdc-f95f16f3-1b460259
Please quote this number in any communications with Companies House.

Of course as a business you’ll jump if you think there is a complaint lodged against you. You want to know what’s in the complaint and click on the link before thinking this through. In this case mousing-over the company’s link showed a .uk domain. Being I do not do business outside the USA I knew this was a fake out. But, if you do business globally, you may jump to click on the phishing link. Don’t.

Compromised Contacts

One other worth a mention is an email from a known contact — with all their contacts in the To: field including yours. The content is a single statement about a site or link for you to visit. You can safely assume they have a virus! In that case, as a courtesy, let them know they’ve been compromised and to scan their system ASAP.

Don’t Trust ANYTHING

The above are just a handful of examples of some of the trickery I see going on lately. Spammers are going to keep trying to make their emails look legit by mimicking sites you visit or playing to your emotions. Don’t fall for that trap!

It is easy for a one-woman show like myself to know that some of these emails just don’t apply to my business. But imagine if larger companies with tons of folks with company email addresses have one of these land in their inbox. They might want to check out that attachment instead of deleting or confirming with whomever would be responsible.

Your best approach is to not trust any email that you don’t expect, sounds too good to be true, that you do not recognize the sender or has a communication style that is unusual. And never, ever click on any attachments or links in these types of emails.

Do me a favor and share this post with others and those in your organization on so we can help others to be aware. The more onliners who know about these tactics the less effective they will be!

Go ahead and share!