A fresh malware-dropping email scam has hit inboxes this week, just in time to catch our busy SME owners facing the Christmas-time frenzy.
Email security software company Mailguard discovered the scam this week, revealing in a blog post a “large number” of emails purporting to be from energy provider Energy Australia.
The email is well-crafted, appearing to be an invoice from the company asking recipients to pay a significant amount, around $700. However, rather than trying to nick users’ banking details or straight up scam funds from recipients, the cybercriminals are using the bill as a lure to drop malware onto users’ systems.
On clicking the “view bill” button, users are directed to a fake Energy Australia website which was reportedly registered especially for this scam and closely resembles the real Energy Australia website. The fake site is ‘energyau[dot]com’, while the real site is energyaustralia[dot]com.au: the lookalike is the brand name cut short and moved onto a plain .com, which is easy to miss on a phone screen or in a hurry.
Once a user reaches the website, a fake bill is downloaded to their computer as a zip file, which Mailguard reports contains a malicious JavaScript file. The exact purpose of the malware is unknown, but a script payload of this kind could be used for anything from logging keystrokes to stealing data or locking it up for ransom.
In a statement, Energy Australia warned its customers to be vigilant with email scams like this one, with a spokesperson saying such emails “can appear very convincing and customers should take care with any email that requests them to click a link”.
“One indicator of potential scam emails is the sender. EnergyAustralia’s electronic bills to residential customers are sent from noreply@billing.energyaustraliaonline.com.au. If you receive an email from a different address that says it relates to your EnergyAustralia bill, please do not open it or click any links it contains,” the spokesperson said.
The company also advised users to report the fake email to the Australian Competition and Consumer Commission’s ScamWatch, and then delete the email from their inbox.
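The three checks the article describes (the sender address EnergyAustralia publishes for e-bills, the lookalike link domain, and a downloaded zip that hides a JavaScript file) can be automated in a small triage script. The following Python is an added example written for this page, not Mailguard’s or EnergyAustralia’s code. The allowlisted sender and web domains are taken from the article; the sample email and zip are constructed here to mimic the reported lure and are not the real message or payload, and the list of risky script extensions is an assumption that a real deployment would tune.

```python
"""Triage a suspicious 'bill' email: sender check, lookalike-link check,
and inspection of a zip (attached or downloaded) for script payloads."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the billing sender quoted in the article plus the two
# legitimate web domains it names. Extend per brand in a real deployment.
LEGIT_SENDER = "noreply@billing.energyaustraliaonline.com.au"
LEGIT_DOMAINS = {"energyaustralia.com.au", "energyaustraliaonline.com.au"}
BRAND_TOKENS = ("energyau",)  # fragment a lookalike domain would reuse
# Assumption: extensions that should never arrive as a 'bill'.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr")


class _LinkExtractor(HTMLParser):
    """Collects href targets from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def is_legit_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def classify_link(url):
    """Return 'legit', 'lookalike' or 'other' for a link target."""
    host = urlparse(url).hostname or ""
    if is_legit_host(host):
        return "legit"
    if any(tok in host.lower() for tok in BRAND_TOKENS):
        return "lookalike"  # reuses the brand name on a non-allowlisted domain
    return "other"


def inspect_zip(blob):
    """Flag script files inside a zip, whether it was attached or downloaded."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append(f"script inside zip: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("attachment claims to be a zip but is not a valid archive")
    return findings


def triage_email(raw):
    """Return a list of findings for a raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() != LEGIT_SENDER:
        findings.append(f"sender {sender!r} is not the published billing address")
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        extractor = _LinkExtractor()
        extractor.feed(body.get_content())
        for url in extractor.links:
            verdict = classify_link(url)
            if verdict != "legit":
                findings.append(f"{verdict} link: {url}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTENSIONS):
            findings.append(f"script attachment: {name}")
        elif name.endswith(".zip"):
            findings.extend(inspect_zip(part.get_payload(decode=True)))
    return findings


def build_sample():
    """Constructed sample mimicking the reported lure (not the real message)."""
    msg = EmailMessage()
    msg["From"] = "EnergyAustralia <billing@energyau.com>"
    msg["To"] = "accounts@example.com"
    msg["Subject"] = "Your EnergyAustralia bill is ready"
    msg.set_content("Your bill of $700.54 is due.")
    msg.add_alternative(
        '<p>Your bill is ready.</p><a href="http://energyau.com/bill">View bill</a>',
        subtype="html")
    return msg.as_bytes()


def build_sample_zip():
    """Constructed zip resembling the downloaded 'bill': a lone .js inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Energy Australia Bill.js", "// placeholder, not real malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_email(build_sample()) + inspect_zip(build_sample_zip()):
        print("FINDING:", finding)
```

The sender test is deliberately an exact match against the published address rather than a domain check, because that is the indicator EnergyAustralia itself gave customers; note that From can be spoofed, so in a mail filter this belongs alongside SPF/DKIM results rather than replacing them. The lookalike test is intentionally crude (brand fragment on a non-allowlisted host) and will produce false positives on unrelated domains containing the token, which is the right bias for a bill that asks for $700.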
November and December see heightened risk of scams
Busy periods such as Christmas and tax time are prime times for scammers.
Experts have told SmartCompany that SME owners should be wary about both email scams and ‘Business Email Compromise’ (BEC) attacks, which use social engineering to trick staff into paying fake invoices or bills.
While regular staff training and cyber security awareness can go a long way to preventing a compromise in a business, Combo founder and IT expert David Markus believes it’s time for business owners to install business-grade antivirus and email filtering software, saying “hope isn’t a solid strategy”.
“Business owners should be putting the right things in place, which means the right antivirus and the right mail filter. That keeps these things filtered out, and even if it gets to users, the payload will be stopped,” he told SmartCompany.
“You can avoid that cost in your business by doing staff training but the risk is huge – you’ll just be hoping staff don’t inadvertently click on something after lunch.”
Markus believes scams similar to the recent Energy Australia impersonation are becoming more prevalent, and more professional by the day, claiming they can now fool anyone bar “the most cautious of observers”.
“They’re starting to look like genuine corporate emails when a few years ago the language in them was very poor,” he says.
“The people running these scams are getting more and more sophisticated because there’s now millions of dollars involved – it’s a real legitimate organised crime event.”
A study from August into BEC scams revealed 749 cases were reported in 2015-16 in Australia, and 243 cases in just the first quarter of 2016-17. The attack most commonly involves “impersonating a high-level employee in order to change invoice details or request immediate funds transfers”, the report revealed.
A further report from Mailguard in June revealed a 400% increase in email scams in the two weeks leading up to tax time, with chief executive Craig McDonald warning business owners to stay extra vigilant around busy periods.
“Most businesses have heavier commitments around closing out the end of financial year, and if you’re going to try and trick someone, it’s best to do it when they’re the busiest,” he says.
Business security expert at Sophos, David Sykes, also told SmartCompany at the time that businesses should refrain from getting “click happy”, and should think critically about the email in their inbox.
“You click on something in your inbox that you were half expecting, and that’s it, you’re compromised,” he said.
“There’s a saying in the security industry: Assume you’re being compromised and work back from there. Unfortunately, businesses have got to assume they’re being targeted, so satisfy the email or invoice is legitimate before you process it.
“Don’t get click happy and jump on the hyperlink.”