Email scams can hit anyone, and in today’s technologically advanced society, individuals can never be too careful. It’s true that security is really paramount, but what about the most vulnerable members of your staff? Are you making sure that they, too, understand your organization enough to make sure they don’t get caught by a scammer?
Security breaches can come in all shapes and sizes, from hackers across the globe trying to access sensitive information, to individuals' private accounts being broken into, and even people who pose as other individuals to try and scam unsuspecting victims. And, unfortunately, human error is one of the top causes of a data breach. Here’s how an intern at ProServeIT found themselves a victim of an email scam, and here’s what they learned from the experience.
The Email Scam: Our Intern's Story
During the summer of 2019, I was a victim of a scammer. I came into work just like any other day, but little did I know that, on this particular day, I was going to learn a very hard life lesson.
It was around 1:00 pm when I received an email from my boss. The message within the email started just like any other email he would send me. However, the request within the body of the message was unusual. The email requested that I go run an errand for my boss to buy $1,000 worth of Google Play gift cards. At first, when I saw the request I was taken aback, as $1,000 is a large amount of money for anyone, let alone a summer student!
I sat at my desk for a few minutes thinking about how I was going to purchase these cards, or if I even should at all. My boss was out of the office that week, so I thought maybe he needed the cards for a client he was with.
At the bottom of the email, it showed that it was sent from an iPad. This led me to conclude that he was using his personal iPad to send out the email, and, after contemplating the request for a while, I concluded that “what the boss says goes”, and as a summer intern student I shouldn’t question what he tells me to do.
So, I went out and purchased the Google Play gift cards. The email requested that, after I purchased the cards, I needed to scratch off the back and send my boss the activation codes, because it was an urgent matter and he needed them as soon as possible. Unfortunately, that’s exactly what I did. I took photos of the card, including the activation codes, and sent them to my boss.
I didn’t hear back from him for the rest of the day.
The next day I came into work with the receipt from my purchase, and went to my HR department to try and expense the cards I had bought the day before. Within seconds of talking to the HR department, I realized how badly I’d been scammed – I wasn’t the first person who had received this email in my organization, but I was the first one to oblige the scammer and give in to their demands. I was absolutely shaken and wasn’t sure what to do. I ran to my computer to Google what I could do to try and get my money back. After researching for a little bit, I found out that I was not the first person to fall for this scam; there were a handful of other posts on Google forum by people who had also found themselves in the same situation as me.
One of the posts recommended trying to redeem the codes, so I quickly did so. Unfortunately, the codes had already been redeemed – I can only assume they were redeemed within hours after I sent them out. My $1,000 was officially gone.
Lessons Learned from This Email Scam
As days passed after the incident, our intern kept looking back at what happened and how they could have avoided such a major mistake. Here are a few lessons that they took away from the experience:
- Always look at the actual email address of the person sending the email. Don’t rely on just the name attached to the email. In this particular case, the scammer’s email was not even remotely close to any ProServeIT email account – it was completely different. Since our intern had thought that it was from the president of our company, they forgot all common sense and didn’t take the time to look at the email address, which would have been their first clue and would have saved them time and money.
- Does the overall tone/format of the email itself seem off? Email scams often sound stilted and forced, and because the scammers are sending these messages out to several people, they are somewhat impersonal. Our intern noted that their boss’s communication seemed both forced and impersonal, completely contradictory to the way our company’s president would typically communicate.
- Question when things don’t seem right. If you’re being asked to do something that doesn’t seem usual, make sure you ask questions. Had our intern just gone to any other staff member, they would have found out quite quickly that this was a scam. Asking questions is such a simple act, and in this case it would have saved our intern $1,000.
- Consider whether or not to implement an internal policy around this kind of suspicious communication or purchasing request. Having an internal policy that lays out what to do in the event of a suspicious email that seems to come from someone in the organization, and ensuring that internal policy is shared with everyone (including interns, volunteers, or other part-time or temporary workers) is essential.
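The first lesson, checking the actual address rather than the displayed name, can also be automated at the mail gateway. The sketch below is an added example, not ProServeIT's own tooling; the domain `example.com`, the name "Jane Doe", the lure terms and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"        # assumption: your organization's mail domain
PROTECTED_NAMES = {"jane doe"}    # assumption: senior staff whose names get impersonated
LURE_TERMS = ("gift card", "activation code", "scratch off")

def check_sender(raw_message):
    """Return a list of warning labels for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    external = domain != ORG_DOMAIN
    findings = []
    # Displayed name matches a senior colleague, but the address is outside the org.
    if external and " ".join(display_name.lower().split()) in PROTECTED_NAMES:
        findings.append("display-name-impersonation")
    # An outside sender asking for gift cards or their codes.
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    if external and any(term in text for term in LURE_TERMS):
        findings.append("gift-card-request")
    return findings

# Constructed sample messages (not taken from the incident described above).
SPOOFED = """From: "Jane Doe" <office.mgr4471@mail.example.net>
To: intern@example.com
Subject: Quick errand

Are you at your desk? I need you to buy Google Play gift cards today,
scratch off the back and send me the activation codes.

Sent from my iPad
"""

GENUINE = """From: Jane Doe <jane.doe@example.com>
To: intern@example.com
Subject: Timesheets

Please submit your timesheet by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_sender(raw))
```

A match on either label is a reason to tag the message as external or hold it for review; it does not replace asking a colleague before acting on the request.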
Our Intern’s Final Thoughts on the Email Scam
In the days following the incident, my coworkers shared with me some scams that they had come across before. I was shocked at how elaborate these scammers were and how much information they had. In each story, it was only one little detail that made my coworkers realize that the person sending the email was a scammer.
What You Can Do to Protect Yourself from Email Scams
Aside from the four takeaway lessons, it’s important to also raise a general awareness of the email scams that are out there today. Realistically speaking, your information may not be as private as you think it is, so there’s a good chance that your email address could be in the hands of a scammer.
Our intern wanted to write about their experience as a cautionary tale, especially for organizations that employ interns, temporary or seasonal workers, or others who could be targeted. It’s important to ensure that everyone in your organization has a handle on the various scams that are out there, and how they can protect themselves from becoming a victim.
Tags: Cybersecurity
November 08, 2019