
Nefarious Business Email Tactics

Phishing, spoofing and scams -- how to be aware of nefarious business email tactics.

What You Don’t Know Can Hurt Your Business

Spammers have always had to be creative to get the information they want to exploit. You’ve probably heard of phishing and spoofing. Emails that look like they come from a company or business you use or are familiar with are all an attempt to trick you.

Below are just a handful for you to keep an eye out for and not fall victim to. Then, if they land in your inbox — you’ll know right out of the gate to just hit DELETE!

The Google Doc Invitation

You may have experienced this latest trickery: an invitation to view a Google Doc. A very legitimate-looking email invites you to log in at a very impressive fake Google login page to view the doc.

What caught my eye was the email was addressed to [email protected]. That was enough for me to hit delete right then and there. Google jumped on this one and supposedly had it shut down within an hour. But how many logins did the perpetrators get in the interim?

So with similar requests, always give it a once over to ensure you recognize the email address making the request.

The Unpaid Invoice Trick

yea , we finally did it.
here is the bank confirmation:
bofa_card_statement_support.doc
now f*** off and try not to contact me again or else.

On June 6, 2022 at 3:25 AM, [email protected] wrote:
did you send the money? i need the proof

The above uses profanity and a threatening tone to get you riled up enough to hopefully not stop and think before you click on the attachment. The Subject: and supposed previous email from you reflect your company’s email address to make it appear more authentic.

Remember, faking the use of your email address is the easy part: all they have to do is type it. Don’t worry, it doesn’t mean they’ve accessed your email system. In addition, displaying your address in the To or From fields is just a matter of email software settings. So don’t panic.
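To confirm that a message showing your own address was only typed in by the sender, compare the visible From with what your receiving mail server recorded. The sketch below is an added example, not part of the original post; it assumes your server adds Return-Path and Authentication-Results headers, and the domains and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Domain part of the address in a header such as From or Return-Path."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw_message, my_domain):
    """List reasons to believe the From address was typed in, not really used."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    envelope_dom = domain_of(msg["Return-Path"])      # added by the receiving server
    auth = (msg["Authentication-Results"] or "").lower()
    findings = []
    if from_dom == my_domain and envelope_dom != my_domain:
        findings.append("From shows our domain but envelope sender is "
                        + (envelope_dom or "missing"))
    for check in ("spf", "dkim", "dmarc"):
        if check + "=fail" in auth:
            findings.append(check + " failed")
    return findings

# Constructed sample: the "unpaid invoice" mail, claiming to come from our own address.
SPOOFED = "\n".join([
    "Return-Path: <bounce@mailer.example>",
    "Authentication-Results: mx.mybiz.example; spf=fail smtp.mailfrom=mailer.example;"
    " dmarc=fail header.from=mybiz.example",
    "From: me@mybiz.example",
    "To: me@mybiz.example",
    "Subject: Re: payment",
    "",
    "yea , we finally did it.",
])

# Constructed sample: a message that really was sent through our own mail system.
GENUINE = "\n".join([
    "Return-Path: <me@mybiz.example>",
    "Authentication-Results: mx.mybiz.example; spf=pass; dkim=pass; dmarc=pass",
    "From: me@mybiz.example",
    "To: me@mybiz.example",
    "Subject: note to self",
    "",
    "reminder",
])

if __name__ == "__main__":
    for finding in spoof_indicators(SPOOFED, "mybiz.example"):
        print(finding)
```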

The Fancy Company Overcharge Trick

Who the f*** are you and why is there a charge from xxxxxxxxxxxx.com on my card? Here you can view my statement, get back to me asap.

bofa_card_statement_XXXXXX.doc

Thank you
David Smith

If you do eCommerce of any kind, this will catch your attention. Did I incorrectly charge a customer?

In this example, I’ve received numerous versions where the Subject: field notes different legitimate big-name consulting companies to add to the effect. In one case, the company’s website changed its homepage to state, “…we apologize, the emails were not from us. We were hacked.”

Once again, the email uses profanity and notes your business website domain to get you to click on the attachment.

The Legal Threat Trick

WTF is this?
I got it in my mail today.
subpoena_from_support.doc

my lawyer will call you tomorrow.

Yours,
Christopher Stephenson
Phone: XXX-XXX-XXXX
Fax: XXX-XXX-XXXX

Subpoena!? Attorney?! Click on that “doc” to see what this is about! Don’t fall for it. What surprised me with the above is the phone numbers seemed to belong to real people of a different name. I feel sorry for them…

The We Can’t Deliver Your Package Trick

Dear Customer,

Your parcel was successfully delivered February 15 to the UPS hub, but our courier cound not contact you. Please check the attachment for complete details!

Yours faithfully,
Seth Jones,
UPS Senior Delivery Manager.

Most businesses get UPS deliveries regularly. If you expect a package, you could react and open the attachment. UPS doesn’t send notices like this, so just hit delete. Instead, log into your UPS account to check your shipments.

The You Have an eFax Trick

You received a new eFax from 222-555-1212

Do folks still use faxes? I used eFax back in the day and wasn’t aware enough folks still used it to warrant a phishing email.

Everything in the email looked legit—all the eFax links when moused-over showed efax.com. The trick here is the link to go download the eFax. When you mouse over the link, the first part shows efax.com — but if you move your mouse over to the end of the link, you can see the phishing site you would go to!

The Business Complaint Trick

Subject: ID 8d6ba737-775e8bdc-f95f16f3-1b460259 – CompanyName Complaint

This message has been generated in response to the company complaint submitted to CompanyName. (CC01) The complaint for the above company was accepted on 16/06/2022.

Please check attached documents for more information. The submission number is id: 8d6ba737-775e8bdc-f95f16f3-1b460259. Please quote this number in any communications with CompanyName.

Of course, as a business, you’ll jump if you think a complaint is lodged against you. You want to know what’s in the complaint and click on the link before thinking this through. In this case, mousing-over the company’s link showed a .uk domain.

I do not do business outside the USA, so I knew this was a fake. But, if you do business globally, you may jump to click on the phishing link. Don’t.

Compromised Contacts

Another one worth mentioning is an email from a known contact, with all their contacts in the To: field, including yours. The content is a single statement about a site or link for you to visit. You can safely assume they have a virus. In that case, as a courtesy, let them know they’ve been compromised and to update their virus software and then scan their system ASAP.

Don’t Trust ANYTHING

The above are just a few examples of some of the trickery I have seen recently. Spammers will keep trying to make their emails look legit by mimicking sites you visit or playing to your emotions. Don’t fall for that trap!

It is easy for a one-woman show like myself to know that some of these emails just don’t apply to my business. But imagine if larger companies with tons of folks with company email addresses have one of these land in their inbox.

If you are unsure and want to check out that attachment, scan it first with your virus software. Making your IT department aware also may assist them in protecting the network from future similar communications and blocking whoever is responsible.

Your best approach is not to trust any email that you don’t expect, that sounds too good to be true, that comes from a sender you do not recognize, or that has an unusual communication style. And refrain from clicking on any attachments or links in these emails.

Do me a favor and share this post with others and those in your organization so we can help others to be aware. The more onliners know about these tactics, the less effective they will be!
