Many office workers have been able to work from home during the pandemic, and companies have put systems in place so that employees stay in contact, especially when the boss needs something. Apps and services like Microsoft’s Outlook have a variety of communication tools built in.
Responding to a request from a superior isn’t out of the ordinary; most of us have obliged in the past. But a dangerous new scam exploits exactly that trust between senior management and workers.
It’s not one of the seven tech support scams making the rounds. Instead it preys on people’s helpful nature, their commitment to their job and their use of Microsoft’s Outlook. It’s easy to fall victim, and you could lose hundreds of dollars of your own money.
Here’s the backstory
Have you ever received a non-work-related request from your boss? You probably didn’t find it strange and agreed to do it. That is exactly what a new and very dangerous scam is banking on.
Microsoft issued a stern warning to Outlook users to be vigilant about any request that purportedly comes from a superior in their company. A new Business Email Compromise (BEC) scam is going around, and it is quite dangerous.
Cybercriminals have registered hundreds of fake email domains that are strikingly close to those of real companies. At first glance an email from one of them can seem legitimate, but a closer look at the sender’s address can reveal that something is amiss.
How the Outlook scam works
Impersonating your boss from a look-alike email domain, the scammer sends you an Outlook message asking for a favor, ranging from approving a payment or transferring funds to buying gift cards.
After conducting reconnaissance to make sure they contact the right person, the scammers send a generic email and wait for a response. If they get one, they launch into their “request.”
“In other cases, attackers skipped the generic email altogether and jumped directly to the gift card demand, using a method of generating fake replies to add legitimacy to the email,” Microsoft explained in a blog post.
What to look out for
In this case, the scammers don’t want your personal details; they want the value of a gift card. Unsuspecting workers buy several cards with their own money and send the card codes to the scammers, who can then do with them whatever they want.
“Attackers frequently used the stolen gift card codes for websites that allow them to redeem and convert gift cards to cryptocurrency or other foreign currencies. The funds generated from cashing out gift cards can then be transferred to attacker-owned accounts untraceably,” Microsoft explains.
A telltale sign that something isn’t right is multiple typos or spelling errors, either in the email itself or in the sender’s domain name. Microsoft said, “For this campaign, attackers registered typo-squatted domains for over 120 different organizations to impersonate actual businesses.”
Here are some ways to avoid falling victim to BEC scams:
- Watch for typos – Check the actual sender address, not just the display name, especially when an email asks for a financial transaction. A single missing, added or swapped character can be the difference between a real domain and a fake one.
- Look for recurring subject lines – Subject lines such as “Request,” “Follow-up,” “Urgent/Important,” “Are you available?/Are you at your desk?” and similar were used repeatedly in this campaign.
- Confirm before acting – Verify any message from your boss that asks for a money transfer, a gift card purchase or sensitive company information. Speak to them in person or call them on a number you already have, not one given in the email.
- Avoid links and attachments – Don’t click links or open attachments in suspicious emails. They may deliver malware or lead to a fake login page.
- Get IT involved – IT should make sure employees know how these attacks begin and run proper training, so get them on board too!
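As an added illustration (this is not code from the article or from Microsoft’s post), the following Python script applies the checks above to raw message headers: it compares the sender’s domain with the organization’s real domains (edit distance plus common look-alike character swaps), matches the subject lines listed above, and flags a message whose subject claims to be a reply while carrying none of the threading headers a genuine reply has, which is one way to spot the “fake replies” Microsoft describes. The domain contoso.com, the three sample messages and the distance threshold are constructed for the example.

```python
"""Heuristic triage of incoming mail for BEC gift-card lures.

Added example: the trusted domain, sample messages and thresholds below are
constructed for illustration and are not taken from the campaign itself.
"""
import email
import re
from email.utils import parseaddr

# Domains your organisation really sends from. Assumption: contoso.com stands
# in for the reader's own domain; keep this list to your own and close partners'
# domains, since short public domains sit within one edit of each other.
TRUSTED_DOMAINS = {"contoso.com"}

# Subject lines the article names as recurring in this campaign.
SUSPICIOUS_SUBJECT = re.compile(
    r"(request|follow-?up|urgent(/important)?|important|are you (available|at your desk)\??)",
    re.IGNORECASE,
)
REPLY_PREFIXES = re.compile(r"^(\s*(re|fw|fwd)\s*:)+\s*", re.IGNORECASE)
IS_REPLY = re.compile(r"^\s*re\s*:", re.IGNORECASE)

# Character swaps that look alike in most fonts (rn vs m, 0 vs o, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Lower-case a domain and undo common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None if it is
    either genuinely trusted or not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for real in trusted:
        if normalise(domain) == normalise(real) or levenshtein(domain, real) <= max_distance:
            return real
    return None


def triage(raw_message: str) -> list:
    """Return a list of human-readable indicators found in the message."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    subject = msg.get("Subject", "")
    core = REPLY_PREFIXES.sub("", subject).strip()

    reasons = []
    target = lookalike_domain(domain)
    if target:
        reasons.append(f"sender domain {domain!r} looks like {target!r}")
    if SUSPICIOUS_SUBJECT.fullmatch(core):
        reasons.append(f"subject {core!r} matches a known lure")
    # A real reply carries In-Reply-To and/or References; a fabricated thread
    # usually has only the "Re:" text in the subject.
    if IS_REPLY.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("claims to be a reply but has no In-Reply-To/References header")
    return reasons


# Constructed sample messages (not real captures).
LEGIT = """From: Jane Doe <jane.doe@contoso.com>
To: sam@contoso.com
Subject: Re: Q3 budget figures
In-Reply-To: <abc123@contoso.com>

Thanks, looks good.
"""

LURE = """From: Jane Doe <jane.doe@contoso.co>
To: sam@contoso.com
Subject: Re: Are you available?

Hi Sam, are you at your desk? I need a quick favour.
"""

HOMOGLYPH_LURE = """From: Jane Doe <jane.doe@c0ntoso.com>
To: sam@contoso.com
Subject: Urgent

Need some gift cards for a client today.
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT), ("lure", LURE), ("homoglyph lure", HOMOGLYPH_LURE)]:
        print(f"{name}: {triage(raw) or ['no indicators']}")
```

Because a typo-squatted domain is registered and controlled by the attacker, its mail can pass SPF, DKIM and DMARC; those checks stop exact spoofing of your own domain, not look-alikes, which is why a comparison like this belongs in the mail gateway or in the SOC’s triage rules rather than being left to the recipient’s eye. The threshold of two edits is a starting point; tune it against your own mail flow.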