Fraud Wise: How Fraudsters Use Email to Trick Victims

Episode ID S2E05
May 19, 2021

More emails are being sent every day than ever before. And, unfortunately, more and more of the emails we receive might be socially-engineered attempts to commit fraud. Fraudsters can use several tricks to commit email fraud including spoofing, hacking, and masking. Learn how to detect and protect yourself against these scams. 


Hello, this is CoBank’s Fraud Wise, helping you avoid becoming a victim of fraud. I am Jamie Fiedor, senior financial crimes specialist,  and today I will be discussing email impersonations.

More emails are being sent every day than ever before.  And, unfortunately, more and more of the emails we receive might be socially-engineered attempts to commit fraud.

First, let’s talk about social engineering.  Social engineering is essentially a con game, when a criminal tries to trick a victim into doing something, or sharing private information that the criminal can then use to his or her advantage.  This can happen in person, on the phone or via email, which is what we’re talking about today.

One social engineering email approach is spoofing, which is when the criminal creates a fake domain name (the part AFTER the “at” sign in an email address) that closely mimics a legitimate domain.  For example, the criminal can replace a capital “O” in a legitimate business name with a zero.  At first glance, few recipients will notice the discrepancy.

Once the criminal has created the fake domain, they can create associated email addresses, even using real executive names.  The people who receive these emails are likely to believe they’re legitimate … because people generally tend to be trusting, and both the sender and the domain will look very similar to what they expect to see.

And what can the criminal do in these emails?  Any number of things…like pretend to be the CFO asking accounting for a wire transfer that will actually go straight to the criminal’s account, a money mule or a consumer fraud victim.

So, spoofing uses fake email accounts associated with a falsified domain.  In a hacking attack, malware is installed on your computer that delivers keystroke information that will enable the criminal to access the victim’s actual email account.  This is much more likely to occur with email accounts using public domains like Gmail and Hotmail. 

And again, once the criminal has access to your email account, they can send a message that requests a funds transfer … or tells a customer that there’s a new payment account … or send an email to the entire contacts list requesting a donation for a health emergency.  What’s especially scary is that these emails are actually coming from the legitimate email account … they’re just not being sent by the legitimate email account holder.

Even more insidious are masked emails, which use software to hide the email address.  To the recipient, the sender’s email address is obscured, but the message seems legitimate.  Unfortunately, not everyone can be a technical genius and investigate the internet tags and headers that show the actual email account sending the message.  But, if you respond to the email, the real email address will usually show up in the reply so you can tell if you’re at risk.

Protecting against spoofed emails requires individuals to become a little less trusting and to carefully examine both the email address and domain.  Even if they look legitimate, consider whether the email message itself seems questionable.  For example, if an email from the CFO arrives asking for a wire transfer, is the language and format of the message similar to what the real CFO has used in the past?  If anything seems off, especially when personal information or a financial transaction is involved, it’s always better to confirm the request… and best to confirm with a phone call you initiate, to a phone number you’re familiar with, not one that’s provided in the original email message.  

Other red flags include instilling a sense of urgency, or a sense of secrecy.  Again, when you have any doubt, confirm an email request using a different communication method, and encourage your employees to do the same.

Some public email providers will send suspicious log-in alerts to an alternate email address.  If you receive one of these alerts, take it seriously.  Contact the provider and change your password immediately. 

And finally, always opt for dual authentication when it’s offered by any internet service …it’s an extra step, but better safe than hacked.   

This has been CoBank Fraud Wise helping YOU avoid becoming a victim of fraud.