A phishing scheme is typically conducted by email, but it can also arrive as a text message, through an app, or as a pop-up window. The message claims to contain something that needs your immediate attention, and it usually includes some enticement to click the link or open the attachment it carries.
What would someone be phishing for?
The goal of phishing is to gain access to your computer, device, or accounts without your knowledge. The attacker is hoping that, one way or another, they can get hold of data that is valuable to them.
Valuable data includes:
- Credit card numbers
- Bank account information
- Social security numbers
- Passwords
- Access to a business computer system
- Initiation of wire transfers
- Other sensitive information
Personal or business data can be used directly, sold on the black market, or held for ransom in order to extort money from an individual or company.
How can I spot a phishing email?
Phishing emails often appear to originate from a source that you know, trust, and use regularly. Commonly impersonated senders are banks, Amazon, PayPal, eBay, and government agencies. Borrowing a familiar name makes the message more likely to get past email filters and past the person reading it.
Email addresses can be spoofed. Have you ever received an email from yourself? Or from an employee who doesn't exist? I have on numerous occasions.
The fraudster is spoofing the sender address: the message is made to appear as if it comes from a legitimate account, while it actually originates from a very different one.
When spoofing is used to impersonate an executive, employee, or vendor and trick a business into sending money or data, the scheme is referred to as Business Email Compromise (BEC) or Executive Impersonation. BEC was responsible for more than $26 billion in reported losses globally between June 2016 and July 2019.
Things that raise suspicion that this may not be a real email:
- Is the email from a person or company you have never heard of?
- Does the subject line start with "Re:", as if replying to an email you never actually sent?
- Does the domain name look suspicious (e.g. @paypa|.com, where a vertical bar replaces the "l", or @micro-softhelp.com)?
- Is the email unexpected? Did no one tell you they were sending you an attachment, fax, or link?
- Does the email open with "Dear Sir or Madam", as if the sender doesn't know who they are emailing?
- Are you cc'ed on an email with people you don't know?
- Does the subject line make sense with the content of the email?
- What time did the email arrive? Does this person typically email at odd hours?
- Are there links they want you to follow?
- Does the link go to a website whose name is misspelled?
- When you hover over the link text, does it point to a website other than the real one?
- Do they require you to log in to your bank, PayPal, or another financial institution?
- Do they ask you to update or validate your account or personal information?
- Are there attachments they want you to open?
- Are they asking you to download files?
- Does the email have spelling errors or bad grammar?
- Are they requesting that you wire money to an account to pay an overdue invoice?
- Do you feel pressured into doing something?
  - The request is time-sensitive
  - A negative outcome is threatened if you don't act
  - Something of value is promised for clicking
- Are they threatening blackmail with inappropriate content or images of you?
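Several items on the checklist above can be checked mechanically before anyone clicks: whether Reply-To and From point at different domains, whether the sender's domain is a look-alike of a well-known brand (paypa|.com, micro-softhelp.com), whether a "Re:" subject has any thread headers behind it, whether the greeting is generic, whether the body uses pressure language, and whether the visible link text matches where the link actually goes. The script below is an added example, not code from the original article; the brand table, keyword list, and sample message are constructed assumptions for illustration, and its output is a prompt to verify out of band, not a verdict.

```python
"""Heuristic triage of a raw email against the phishing checklist.

Added example, not code from the original article. The brand table,
keyword list and sample message are constructed assumptions.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: brands a mailbox commonly sees and the domains they really send from.
BRAND_DOMAINS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}}

# Pressure language from the checklist (time-sensitive, negative outcome, money).
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|suspended|deactivated|verify your account|"
    r"update your (?:card|account)|wire transfer|overdue invoice)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (?:sir|madam|customer|user)\b", re.I)
# Anchor text that itself looks like a URL or domain, e.g. "www.paypal.com".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
# Characters commonly swapped in for look-alike letters, mapped back to the letter.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e"})


def normalize_domain(domain: str) -> str:
    """Undo homoglyph and hyphen tricks so paypa1.com, paypa|.com and
    micro-soft.com all normalize to the brand they imitate."""
    return domain.lower().translate(CONFUSABLES).replace("-", "").replace("rn", "m")


def address_domain(header: str) -> str:
    """Domain part of a header such as 'PayPal Service <service@paypa1.com>'."""
    m = re.search(r"@([\w.|-]+)", header or "")
    return m.group(1).lower() if m else ""


class _Anchors(HTMLParser):
    """Collect (visible text, href) pairs: what the reader sees versus where
    the link really goes (the 'hover over the link' check)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", "") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def triage(raw: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[tuple[str, str]] = []
    from_hdr = str(msg.get("From", ""))
    from_dom = address_domain(from_hdr)
    reply_dom = address_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))

    norm = normalize_domain(from_dom)
    for brand, legit in BRAND_DOMAINS.items():
        if from_dom in legit:
            continue
        if brand in norm:  # brand name survives once the disguise is removed
            findings.append(("lookalike-domain", f"{from_dom} imitates {brand}"))
        elif brand in from_hdr.lower():  # display name claims the brand, domain does not
            findings.append(("brand-claim", f"'{from_hdr}' is not from {brand}"))

    subject = str(msg.get("Subject", ""))
    if subject.lower().lstrip().startswith("re:") and not (
            msg.get("In-Reply-To") or msg.get("References")):
        findings.append(("fake-reply", "'Re:' subject but no thread headers"))

    html, text = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    visible = subject + "\n" + text + "\n" + re.sub(r"<[^>]+>", " ", html)
    if GENERIC_GREETING.search(visible):
        findings.append(("generic-greeting", "sender does not address you by name"))
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(visible)})
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    anchors = _Anchors()
    anchors.feed(html)
    for shown_text, href in anchors.links:
        shown = DOMAIN_LIKE.match(shown_text)
        host = (urlsplit(href).hostname or "").lower()
        if shown and host:
            seen = shown.group(1).lower()
            if host != seen and not host.endswith("." + seen):
                findings.append(("link-mismatch", f"text says {seen}, link goes to {host}"))
    return findings


# Constructed sample: a PayPal-themed lure of the kind described in the article.
SAMPLE = """\
From: "PayPal Service" <service@paypa1-secure.com>
Reply-To: billing@mail-relay.example.net
To: victim@example.org
Subject: Re: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. You must verify your account within 24 hours
or it will be deactivated.</p>
<p>Sign in at <a href="http://paypa1-secure.com/login">www.paypal.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for code, detail in triage(SAMPLE):
        print(f"[{code}] {detail}")
```

Run against the sample it reports six findings (mismatched Reply-To, look-alike domain, fake "Re:", generic greeting, urgency wording, and a link whose text and target disagree); a plain message from a colleague with no links produces none. The look-alike test is deliberately loose: it flags any sender domain that still contains a brand name once digits, bars, and hyphens are undone, and relies on the allow-list of genuine domains to avoid flagging the brand's own mail.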
Example of a phishing scheme
Everyone has received at least one phishing email. They come in all kinds of forms, and if you are online or check your email regularly, chances are you have already seen one this week.
- Often I get ones saying that my PayPal account needs immediate attention, or that my PayPal account has been hacked and I need to click this link to change the password. I've also received ones stating that my PayPal account is about to be deactivated, or that the card on file needs to be updated.
- I've also received emails from someone who spoofed my own email address so it appears that I sent myself an email. These emails state that they have taken compromising photos of me from my computer and will send them to my entire contact list if I don't reply or click this link.
- "You're an instant winner! You were visitor number 100 on this site today and have won a prize. Click here." Have you ever visited a website only to find that you are always the 100th visitor and get the spammy pop-up?
- I have also received PDF attachments that claim to have been sent from a Xerox machine.
- Notices that I forgot to pay a bill, from a company or email address I have never done business with, with a PDF copy of the invoice attached.
The list of schemes goes on. A plethora of such emails are created, crafted, and reused on a daily basis.
What should I do if I receive a possible phishing email?
- Do not click on the link or open the attachment.
- If the email is from someone you know but you were not expecting it, give them a call or send them a quick email to confirm that they sent it. DO NOT forward or reply to the suspicious email. Craft a new email to them using the address saved in your contacts.
- Call your bank or other financial institution and ask if they sent you an email or if your account needs attention.
  - DO NOT use the number provided in the email. Instead, look their number up.
- Do not use links in emails to get to your financial institution.
  - Use your web browser to go directly to their web page before signing in.
- Do not reply to the email.
  - Replying only encourages the scammers and lets them know that your email address is valid and being checked.
- Report it to your email provider.
- Report it to your IT department.
- Delete the email.
What do I do if I think I opened such an email?
- Simply opening and reading the email is usually not a problem. Clicking the link, opening the attachment, or entering your credentials is.
- If you did click, open, or sign in, say so: report it to your company IT department right away, including what you clicked and whether you typed a password.
- Engage an experienced fraud consultant.
How do I prevent such attacks from happening?
- Training is the best way to prevent a phishing scheme from succeeding.
- Employees should be aware of what to look out for.
- Employees should know and follow the procedures in place for responding to:
  - Requests that ask for sensitive information or are marked "urgent."
  - Emails with links and/or attachments that were not expected.
- Practice. Give employees opportunities to recognize and report attacks.
- Implement anti-phishing tools, such as email filtering, link and attachment scanning, and multi-factor authentication so that a stolen password alone is not enough.
- Keep software updated and install patches to limit vulnerabilities.
- Engage an experienced fraud or IT consultant to review your system.