Cybercriminals are impersonating your boss—here’s how to tell

Caroline Delbert • 

Internet security research
sashk0 // Shutterstock

For any number of reasons, you’ve likely clicked on your spam email folder from time to time. In doing so, you may have noticed that spam messages have grown more and more sophisticated over time. These days, spam emails often invoke real-life events such as pharmaceutical class action lawsuits or clergy abuse scandals as a way to lure more clicks.

These same scams have now taken to impersonating company bosses: Business email compromise scams are a huge problem with $43 billion lost and more than 240,000 incidents from 2016 to 2021 globally.

As phishing attempts that target business emails become increasingly difficult to identify, Twingate researched helpful ways to verify whether communications you’re receiving are really from coworkers, professional contacts, or your boss. These include some simple checks, such as making sure the email address is one you trust, or that a linked page really goes where it claims. The forthcoming tips also include more subtle forms of awareness, like asking yourself if your boss really uses language the way you see in the message or whether they would actually misspell your name—or theirs.

The best way to prevent these phishing scams in the long run is to continuously hone your gut instinct and be cautious when it tells you something smells fishy. When in doubt, hop on the phone, the company Slack channel, or your email and politely check with colleagues to be sure the message you received is real. Maybe your boss is on the go and typing too fast without paying close attention to typos, and they’ll appreciate your attention to detail.

fizkes // Shutterstock
fizkes // Shutterstock

Check the sender information

Some forms of scamming are very sophisticated, but most phishing attempts are not particularly elaborate. One of the easiest ways to prevent phishing attempts from succeeding is to pay attention to the sender.

If you’ve ever looked in your email’s spam folder, you’re already semi-versed in doing this at least some of the time. Sometimes, a message looks like it might be something real—but when you click, you see that the email address is just a string of numbers or other nonsense instead of your bank. It’s easy to cross-check a phone number using websites that list known fake numbers in your local area code. But the best thing to do is to stay wary of numbers you don’t recognize. Legitimate colleagues calling you can leave a voicemail.

Zero Trust Security: A Complete Guide to Remote Access Security

Canva
Canva

Proofread the grammar

In some forms of spam, grammar mistakes are part of the draw: Scammers want to select out the most vulnerable people, which often includes those with less education or literacy. But when it comes to phishing scams, scammers want to seem as close as possible to the people they’re imitating. For this reason, look out for messages that immediately sound like they’re not quite right. Maybe your boss sounds weirdly informal, they’ve misspelled your name or your department, or their characteristic long email signature is missing.

Listen to your gut and tap into your inner copy editor.

Canva
Canva

Watch out for unsolicited attachments

This one can be tricky because exchanging attachments is often a big part of the workflow. But you know when you’re waiting for the newest departmental report from a certain person or a PDF of the latest sales numbers.

Be especially wary of any attachment that comes from more of a personal-seeming message. Scammers can load malware into almost anything you can download to your computer, and attachments are one of the easiest ways into your system. In the same vein, be cautious when downloading software updates. In all of these cases, ask your IT office to help you make sure the update is legit.

Zero Trust: Implement Least-Privileged Access in Minutes

Potapovpaladin // Shutterstock
Potapovpaladin // Shutterstock

Preview any links before clicking

You may already be doing this behavior without realizing it’s a best practice for cybersecurity.

When someone sends you a link, hover your mouse over the text in your browser to show a status bar at the bottom of the window. This preview bar will show you the real URL. This is smart to do, but sometimes it isn’t enough—scammers can “mask” URLs by using lookalike domains that redirect to malware download sites and more. But this one-step check will help prevent a lot that can go wrong when you receive a random link, allowing you to filter out obvious imposter sites.

vinnstock // Shutterstock
vinnstock // Shutterstock

The sender is requesting too much information

When scammers ask you to “repeat” information like your login credentials or credit card information in the body of an email, that’s a form of hacking known as social engineering. It’s the same as if someone walked into your office and found all your logins written on a Post-It stuck to your computer monitor (another thing you should never do).

If someone emails you from your boss’s name but is asking for private information, call or message the boss to make sure it’s legit. Another tell is if the sender asks for something your boss would already know, like your building’s alarm code.

This scam has a unique quality in that the request may appear benign and may, in fact, mimic something a co-worker naturally asks you for. If you have coworkers who regularly ask for this sort of information via email, consider asking your IT group to share with your colleague some best practices for sharing personal or financial information.

Plex Media Server: Free Remote Access without Port Forwarding