E-Mail Scams

In brief

Email is one of the most common means of communication in private and professional life. Despite its advantages, it calls for precautions both when sending and when receiving messages. This article sheds light on the most common forms of fraud. In general, the right reflexes should be adopted, and mail servers must also be properly protected.

The best-known scams use email as a “crime weapon” or as “bait”. They also rely on social engineering methods to reach their target: human weaknesses are widely exploited.

Advance fee fraud

There are several types of advance fee fraud. The “Nigerian” scam is the best known. It is simple and effective because the criminals spread it by email. This type of scam seeks to exploit our greed: usually, a stranger asks you to help them make a money transfer and offers you a big reward in exchange for your help. The scam is called “Nigerian” because it comes from Nigeria.

Other frequent variants of advance fee fraud include, for example, dangling lottery winnings or exceptional offers to bait victims.

These messages are harmless until they are answered. However, as soon as you give any kind of response, you will be told that your win is within reach but that you must first pay a “processing fee” or legal fees before receiving your prize.

Phishing

Phishing is a widely used technique for stealing a legitimate user’s username and password. It very often plays on fear of a virtual threat and urges the victim to act quickly. This urgency is largely due to the fact that the infrastructure used by phishers rarely stays online for long: the police or the hosting provider take it down as soon as the illegal activity is discovered.

Advice:

  • Never click on the links in emails that claim to have been sent by your bank. Luxembourg banks do not send emails asking you to enter your data.
  • Never enter personal information on forms received by email.
  • In general, do not reply to emails asking you to provide confidential or personal information.

Examine emails with a critical eye. Be wary when:

  • an email pressurises you by asking you to respond quickly
  • an email asks you to click on a link to access a website where you have to enter your data
  • an email is not addressed to you personally or its text is full of errors or is a very bad translation (although an email addressed to you personally is no guarantee of reliability!)

False payment requests

These false requests exploit victims’ feelings of compassion or fears. The best known are fake call-backs, fake requests for help or CEO scams.

These messages are harmless until they are answered. However, once you answer the email, you will be harassed.

Advice:

  • Never reply to this type of email. If in doubt, look up the organisation that supposedly sent the request in the yellow pages and contact it using those details rather than the ones in the email.
  • Never open any files attached to these emails. They are very often infected with malware (see what to do in the event of malware infection).
  • Make your staff undertake regular security awareness training and ensure they understand these types of attacks.
  • Ensure that the accounting department applies all verification procedures for transfers, in particular international transfers.
  • Check the digital signature procedures for these transfers.
  • Increase the monitoring level when new bank details are recorded.
  • Check the original email addresses and the reply-to addresses.
  • If employees are in doubt or receive suspicious emails, they should contact their company’s IT security department or the CERT (Government IT Attacks Alert and Response Centre).
  • Forward these emails (including the email headers) to your IT security department or CERT.
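The advice to check the original and reply-to addresses, and the earlier warning signs for phishing (pressure to respond quickly, links to a site where you must enter your data), can be turned into a simple triage script. The following is an added example and not part of the original article or of any CIRCL tool; it relies only on Python’s standard library, and the two sample messages, the phrase list and the domain names in it are constructed for the demonstration.

```python
# Added example (not from the original article): heuristic triage of a raw
# email message, applying the advice above to the headers and body.
# Sample messages, phrases and domains are constructed for this demonstration.
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed list of pressure / credential-request wording to look for.
URGENCY_PHRASES = (
    "within 24 hours", "immediately", "urgent", "account will be suspended",
    "verify your account", "confirm your password",
)

def domain_of(address):
    """Return the lower-cased domain part of an address header, or '' if none."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()

def triage(raw):
    """Return a list of human-readable warnings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    from_hdr = str(msg.get("From", ""))
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(msg.get("Reply-To", ""))

    # Advice: compare the original address with the reply-to address.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # A display name that names another domain (often a spoofed address) is suspicious.
    display_name, _ = parseaddr(from_hdr)
    for dom in re.findall(r"[\w.-]+\.[a-z]{2,}", display_name.lower()):
        if dom != from_dom:
            warnings.append(f"display name mentions {dom!r} but address is at {from_dom!r}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    lowered = text.lower()

    # Warning sign: pressure to respond quickly or to enter credentials.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        warnings.append("pressure/credential wording: " + ", ".join(hits))

    # Warning sign: a link leading somewhere other than the sender's own domain.
    for host in re.findall(r"https?://([^/\s\"'>]+)", text):
        host = host.lower()
        if host != from_dom and not host.endswith("." + from_dom):
            warnings.append(f"link points to {host!r}, not the sender's domain")
    return warnings

# Constructed sample: display name imitates a bank, Reply-To goes elsewhere,
# body pressures the reader and links to a look-alike host.
SUSPICIOUS = """\
From: "security@bank-example.lu" <alert@mail-notify.example>
Reply-To: helpdesk@reply-collector.example
Subject: Action required
Content-Type: text/plain; charset="utf-8"

Your account will be suspended within 24 hours unless you verify your account
at https://bank-example.lu.login-portal.example/verify
"""

# Constructed sample of an ordinary message that should raise no warnings.
LEGITIMATE = """\
From: Newsletter <news@example.org>
Subject: Monthly update
Content-Type: text/plain; charset="utf-8"

Read this month's update at https://www.example.org/news
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", triage(raw) or ["no warnings"])
```

The script does not decide whether a message is fraudulent; it only collects the observable signs the article lists so that a reader (or a help desk) can see at a glance why an email deserves a second look before anyone replies or clicks.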

You are a victim:

If you have been the victim of such an attack, the CIRCL (Computer Incident Response Centre Luxembourg) recommends the following actions:

  • immediately contact the bank of your organisation and the bank to which the transfer was made to block the fraudulent transfer;
  • file a complaint with the local police or the judicial police service;
  • contact the CIRCL if you need technical assistance or advice about computer security incidents.
