Feel the shame: Email-scammed staffers aren't telling bosses about it

The number of UK companies on the receiving end of business scams involving email has risen by 58 per cent in the last year, according to new data from Lloyds Bank. The bank's figures put the average loss from so-called "business email compromise" (BEC) fraud at £27,000. IT workers are …

  1. IneptAdept

    Tech Savvy Millennials

    This is the problem: just because they can use Facebook, Twitter and Insta they think they are tech savvy....

    But they are no more tech savvy than the 80-year-old lady next door; they are not savvy, otherwise they would not post all of their data to Facebook, Twitter and Google.

    Tech savvy means they know something of technology, and they really don't.

    They know how to use a tool, like a telly or a radio....

    None of them could troubleshoot networking issues, email issues, printer issues etc etc.

    They have a functioning knowledge, not an understanding knowledge.

    1. Anonymous Coward

      Re: Tech Savvy Millennials

      I'm a millennial (based on the Wikipedia definition, anyone aged below ~38 and above ~18 is) and could troubleshoot all of the issues you listed. Sweeping generalisations about groups are stupid; there are idiots in every generation, but currently it's popular for millennials to be the whipping boy. 30 years ago, Generation X were referred to as "slackers" by the Baby Boomers, so I'm sure in 10-20 years Generation Z will be getting it in the neck instead.

      As for the article, I'm really not surprised that millennials are the ones most often successfully targeted. They are among the youngest in the company, meaning the most naive and lowest down the food chain. If you were a scammer, you'd target the weakest link.

      1. EJ
        Pint

        Re: Tech Savvy Millennials

        "Sweeping generalisations about groups are stupid..." <Step 1. makes complaint about sweeping generalizations>

        "They are amoung the youngest in the company, meaning the most naive and lowest down the food chain..." <Step 2. makes sweeping generalization>

      2. Nick Kew

        Re: Tech Savvy Millennials

        Sweeping generalisations about groups are stupid, there are idiots in every generation

        With you so far - and upvote for the core of a good point. Please be consistent, and don't lose sight of that when it's some other poor buggers taking undeserved flak.

        but currently it's popular for millennials to be the whipping boy.

        Not really. It's just that you tend to notice negative stereotypes much more when they're directed at your own cohort.

        Generation X were referred to as "slackers" by the Baby Boomers

        Huh? Who the **** told you that?

        As for the article, I'm really not surprised that millennials are the ones most often successfully targeted.

        The article didn't quite say that: rather that one in ten of you has fallen victim or knows someone who has. That could easily just be down to different patterns of communication (you younger folks more often get to hear of cases), and different interpretations of "someone you know".

      3. a_yank_lurker

        Re: Tech Savvy Millennials

        @AC - Though sweeping, the core is correct. The implied assumption is that someone who grew up using a computer as a tool understands how they work. Other than being able to use some applications, the majority of all users do not understand how a computer works. If they have to troubleshoot a problem they are DOA (dead on arrival).

    2. adnim

      Re: Tech Savvy Millennials

      More interface savvy.

      A browser interface or desktop window full of configuration options. Regardless of device, they know where to click to make things work.

      Ask them how it works, what it does and at what layer the options they set operate. I suspect that most would not know.

      I used to be young and sharp and thought I knew everything. Now I am old and on the verge of becoming wise.

      1. adnim

        @adnim - Re: Tech Savvy Millennials

        "Now I am old and on the verge of becoming wise."

        That or deluded.

        1. Nick Kew
          Coat

          Re: @adnim - Tech Savvy Millennials

          Not deluded. You were already deluded, so you're not on the verge of becoming that. Like the rest of us, really.

          Gosh, is that really the time?

    3. This post has been deleted by its author

    4. expreg

      Re: Tech Savvy Millennials

      "None of them..."

      An absurd comment, but the argument has already been stated.

      I'm definitely tired of hearing "He's a kid, they're geniuses with computers!" though. Of course, that's being thrown on to Gen Z now as well. "I let my son fix it, he's good with computers" is usually an ominous warning of things to come.

      1. onefang

        Re: Tech Savvy Millennials

        'I'm definitely tired of hearing "He's a kid, they're geniuses with computers!" though.'

        That only works with twelve year olds, once they get older they stop being computer geniuses.

    5. goldcd

      Re: Tech Savvy Millennials

      To be fair, I've never actually met a millennial who self-proclaimed they were "tech savvy"

      Seems to be the older ignorant demographic who just assume they are, as they seem to have their noses buried in their phones all day (yes, I generalize :))

  2. Anonymous Coward

    Testing the staff

    I work for a company who deliberately send spoof emails to staff to see who opens them so they can berate us. The IT dept are the worst offenders of all departments; I like to think it's all of us winding up the guy who does it. Personally, I check the URLs with whois to find that they're registered to us and check the email header, and once I'm sure it's an internal one I'll cut and paste it into a browser window just to mess with their figures.

    1. Mahhn

      Re: Testing the staff

      That's to bad. We do this testing every few months to ensure we are training people well enough to understand the way hackers try and fool them, and how to report the Emails to us.

      If they don't take the expected action, there is no berating, it's all about making sure we are keeping our people informed enough that they know when they are being phished and how to respond. We change our training to make it more useful as needed. For the benefit of securing employment for all of us. If the company goes down, everyone in it is boned. Don't bone your fellow employees. - our phishing test emails always come from outside. Free Pizza if you fill out this form lol.

      1. Anonymous Coward

        Re: Testing the staff

        My place too. We are always told to ignore external domains yet we have to use external domains in the course of our work. Nobody keeps an easily findable list on the Intranet and new ones that we are supposed to use appear from time to time without any formal announcement.

        There is a phishing button in Outlook which acts immediately on the currently shown e-mail without any confirmation. You can quite easily hit it by accident; after the third time I did that I removed it.

        We are spammed with spoof phishing e-mails to the extent that I now recognise the spoof domains and just delete emails from those domains. We are supposed to use the phishing button on spoof e-mails to show how good we are at recognising spam and get an e-mail back patting us on the head, but obviously that is not an option if the phishing button just pisses you off to the extent you remove it.

        1. Anonymous Coward

          Re: Testing the staff

          "My place too. We are always told to ignore external domains yet we have to use external domains in the course of our work. Nobody keeps an easily findable list on the Intranet and new ones that we are supposed to use appear from time to time without any formal announcement."

          Same here. The PR/Comms folks recently sent out an e-mail telling people not to click on links in e-mail if they didn't know where it came from...

          ...using a bit.ly link to a page on the intranet.

          SERIOUSLY? WT ACTUAL F?!

        2. billdehaan

          Re: Testing the staff

          My place too. We are always told to ignore external domains yet we have to use external domains in the course of our work. Nobody keeps an easily findable list on the Intranet and new ones that we are supposed to use appear from time to time without any formal announcement.

          A few years back, IT sent out a near-hysterical email to the entire company. It stated that there was an extremely serious exploit in URL handling, and until this was addressed, under no circumstances were employees to click on unfamiliar links, none whatsoever.

          Naturally, the second paragraph followed up with "if you wish more details on the exploit, go to www.microsoft.com/blahblah".

          Yes, after about 100 words of why you should not click on links, they followed up with a link to click on.

          Of course, this is the same IT that in one company newsletter announced on page 3 that IE was required and Firefox and Chrome were banned, then in the second story on page 7 stated that IE was no longer to be used, Firefox was required, and Chrome would not only be blocked at the gateway but disciplinary action would be taken against anyone who installed it, and finally on page 9 in the third story listed the Chrome rollout schedule.

          IT's number one complaint in the most recent survey? That they don't get any respect from the rest of company. Imagine that.

      2. MrMerrymaker

        Re: Testing the staff

        To bad, or not to bad? That is the question!

    2. billdehaan
      Thumb Up

      Re: Testing the staff

      I work for a company who deliberately send spoof emails to staff to see who opens them so they can berate us.

      Mine did the same. It was hilarious.

      Although the intent was to show upper management that the peons didn't understand the IT issues involved, it actually showed the reverse.

      IT sent out an email purporting to be from the parking authority, saying each user (identified by name) owed something like $70 for a month old ticket about parking illegally in the building (identified by address). So, it already had a great deal of personal info. It concluded with a spammy "click here to see the photo the officer took of your car" link.

      The idea was to see how many people "foolishly" clicked on the link.

      The thing is, we're an Exchange-based shop. And the "spam" message arrived, not via the external internet gateway, but internally as an Exchange message. That meant it was sent from an internal source. Who would have that authority? Well, the actual parking authority would. Secondly, the spam email's "click here to see the photo" had a URL that pointed to an internal server, by name, within our network.

      Something like 45% of the users reverse engineered it, and reported it to IT. Some even escalated it higher, as it looked like our IT infrastructure had been compromised.

      Of course, quite a number of us backtraced the internal machine reference to see if it had been breached, with many checking out the URL in sandboxes and virtual machines.

      IT's response to all these probes was to say that "45% of users clicked on the link!" to upper management. When asked by upper management "how many of those were done by people who reported it was a scam, who were attempting to reverse engineer it?", IT sort of shuffled their feet and had to admit they had no idea. They were also forced to admit that maybe they should have not sent it internally with valid Exchange credentials, since if those are compromised, people clicking on links is the least of our worries.

      In the end, they were forced to admit that, yeah, the entire exercise was pointless. But at least they learned that the user base was more savvy than the IT department...

    3. GnuTzu

      Re: Testing the staff -- The Best Testing

      We've got a great program where I work. No berating--just a training page. Berating doesn't really help, but those who click the phishing link need the training. And, Outlook has a great big red phishing button in the ribbon to report phishing, and so the statistics we get compare those who click the phishing link with those who click the report phishing button or do nothing. We also mark the subject line of emails coming in from the outside as EXTERNAL.

      I'd love to hear if anyone's got better features.
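The check that runs through this sub-thread (reading the Received: headers to see whether a message really came in through the outside gateway or was injected internally, and marking external mail in the subject line) can be automated at the gateway. The following is an added example, not code from the article or from any of the commenters. The organisation domain example.com, the internal range 10.0.0.0/8 and the two sample messages (an internally injected "parking ticket" test and an outside "wire transfer" request) are constructed for the illustration.

```python
import email
import ipaddress
import re
from email import policy
from typing import Optional

# Assumed organisation values (hypothetical, not taken from the page).
INTERNAL_DOMAINS = ("example.com",)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_FROM_RE = re.compile(r"\bfrom\s+([^\s(]+)", re.IGNORECASE)


def _hop_is_internal(received: str) -> bool:
    """A Received: hop is internal when the sending IP is in one of our ranges
    or, failing an IP literal, the claimed sending host is one of our domains.
    Only the text before 'by' describes the sender, so the rest is ignored."""
    from_part = re.split(r"\sby\s", received, maxsplit=1, flags=re.IGNORECASE)[0]
    ip_match = _IP_RE.search(from_part)
    if ip_match:
        try:
            addr = ipaddress.ip_address(ip_match.group(1))
        except ValueError:
            return False
        return any(addr in net for net in INTERNAL_NETS)
    host_match = _FROM_RE.search(from_part)
    if host_match:
        host = host_match.group(1).lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)
    return False


def entry_point(raw: str) -> Optional[str]:
    """Walk the Received: chain newest-first (the order the headers appear in)
    through hops stamped by our own servers and return the first hop that was
    not ours, i.e. where the message entered from outside.  Returns None when
    every hop is ours, meaning the message originated internally.  Headers
    below the first untrusted hop were written by the outside sender and may
    be forged, so they are deliberately never consulted."""
    msg = email.message_from_string(raw, policy=policy.default)
    for received in msg.get_all("Received", []):
        if not _hop_is_internal(received):
            return str(received)
    return None


def is_external(raw: str) -> bool:
    return entry_point(raw) is not None


def tag_external(raw: str) -> str:
    """Prefix the Subject of externally-originated mail with [EXTERNAL], the
    gateway-side marking described above.  Internal mail is returned unchanged."""
    if entry_point(raw) is None:
        return raw
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    if not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    return msg.as_string()


# Constructed sample: a phishing "test" injected from an internal host.
INTERNAL_TEST = """\
Received: from hr-tools.example.com (hr-tools.example.com [10.20.30.40])
 by mail.example.com with ESMTP id abc123; Mon, 1 Jan 2018 10:00:00 +0000
From: "Parking Authority" <parking@example.com>
To: staff@example.com
Subject: Unpaid parking ticket

Click here to see the photo the officer took of your car.
"""

# Constructed sample: outside mail whose lowest Received: header falsely
# claims an internal origin; the walk stops at the real entry point above it.
EXTERNAL = """\
Received: from mx1.example.com (mx1.example.com [10.0.0.5])
 by mail.example.com with ESMTP id def456; Mon, 1 Jan 2018 10:00:00 +0000
Received: from supplier-invoices.test (unknown [203.0.113.7])
 by mx1.example.com with ESMTP id ghi789; Mon, 1 Jan 2018 09:59:58 +0000
Received: from mail.example.com (mail.example.com [10.0.0.9])
 by supplier-invoices.test with SMTP; Mon, 1 Jan 2018 09:59:00 +0000
From: "The Boss" <boss@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please wire $5,000 to the supplier today.
"""

if __name__ == "__main__":
    for label, sample in (("internal test", INTERNAL_TEST), ("outside mail", EXTERNAL)):
        print(label, "->", "external" if is_external(sample) else "internal", entry_point(sample))
```

The walk starts at the newest hop because only headers stamped by servers you control are trustworthy; the forged "from mail.example.com" line at the bottom of the second sample is exactly the kind of header an outside sender can add, and it is never reached.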

  3. My-Handle

    Cause and effect...

    One question is: are IT staff more susceptible, or are IT staff more targeted? I imagine it wouldn't be all that effective to call or email a factory line worker or a shop assistant to try and get them to change some details in a portal system that they probably don't even have access to. I can very well imagine a help desk person getting a call from someone saying that they're a supplier complaining of 'an issue on their end', but I can't think of many other places in a company that would be the destination of that kind of call.

    Just food for thought.

    1. MrMerrymaker

      Re: Cause and effect...

      If a scammer had any sense they'd target IT staff, but I don't drive and yet I'm inundated with calls about alleged car accidents, so one doesn't presume intelligence on the behalf of the scammer mindset.

  4. disgruntled yank

    data, or survey data?

    "with more than one in 10 falling victim or knowing someone who'd been a victim"

    1. onefang

      Re: data, or survey data?

      "with more than one in 10 falling victim or knowing someone who'd been a victim"

      Yeah, I was wondering if they got to "one in 10" by counting people twice. You get counted the first time by falling victim, and got counted the second time by telling someone that also responded to the survey.

  5. Tom 35

    Wasting time

    I had some scammer who registered a domain that looked like ours, had an older version of our email signature, and knew a few staff names. Sent me an email "from the boss" to wire $5,000 to "a supplier".

    Replied back.... Done.

    Then acted stupid for a whole series of back and forth. I BCC'ed my boss; he was laughing his arse off. Some of the scammer's emails ended up in our employee manual.

  6. adnim

    Plain text

    does not suit some, especially marketing people.

    I often hear "but I like to see the pictures" when I advise that using Thunderbird and plain text view saves bandwidth and reveals true (unless they are shortened)* urls.

    *One should NOT click on a shortened url in an email as a default action.

    I think that humans come a close second to cats as far as curiosity is concerned.

    It is one of our greatest strengths and a big weakness.
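What the plain-text view exposes, namely the real destination behind each link and whether that destination is a shortener, can be checked programmatically over the HTML part of a message. This is an added example, not adnim's code or anything from the article; the shortener list is illustrative rather than exhaustive, and the sample HTML, with its bank name, shortened link and lookalike host, is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative shortener hosts (an assumption for the example; a real list is longer).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Link text that itself looks like a URL or bare host name, e.g. "www.bank.com/login".
_URLISH = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]\S*)?$", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def _host(url: str) -> str:
    """Lower-cased host of a URL; bare 'www.x.com/path' text is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def audit_links(html: str):
    """Return one finding per link: the true destination host and a verdict.

    shortener - the destination is a URL shortener, so the real target is hidden
    mismatch  - the visible text names one host but the href goes somewhere else
    ok        - neither of the two checks above fired
    """
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        dest = _host(href)
        shown = _host(text) if _URLISH.match(text) else ""
        if dest in SHORTENER_HOSTS:
            verdict = "shortener"
        elif (shown and shown != dest
              and not dest.endswith("." + shown) and not shown.endswith("." + dest)):
            verdict = "mismatch"
        else:
            verdict = "ok"
        findings.append({"text": text, "href": href, "host": dest, "verdict": verdict})
    return findings


# Constructed sample message body (hypothetical bank and hosts).
SAMPLE_HTML = """\
<html><body>
<p>Your account has been locked. Visit
<a href="http://bit.ly/3xyzAbc">https://www.example-bank.com/login</a>
to restore access, or see our <a href="https://www.example-bank.com/help">help pages</a>.</p>
<p><a href="http://example-bank.com.login-verify.test/">example-bank.com</a></p>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_links(SAMPLE_HTML):
        print(f"{f['verdict']:9} {f['text']!r} -> {f['host']}")
```

The first link is what the plain-text view would have revealed directly: the displayed text is the bank's URL but the href goes to a shortener, which is why adnim's rule of never clicking a shortened URL by default makes sense. The third link shows the subdomain trick, where the real host is the last label, not the familiar name at the front.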

    1. Doctor Syntax Silver badge

      Re: Plain text

      I often hear "but I like to see the pictures"

      I once got an email from the Co-op which consisted only of a picture of text. This is the touchy, feely, all-inclusive Co-op, right? I pointed out to them that not only was it a daft waste of bandwidth, but that by default anyone with any internet security sense doesn't open pictures, and that it would discriminate against blind recipients because text to speech wouldn't work. I think it was probably the last that did the trick; the other two would be over the heads of marketing.

      1. John Brown (no body) Silver badge

        Re: Plain text

        "I once got an email from the Co-op which consisted only of a picture of text."

        We get those all the time from our own HR and Marketing. We're an IT solutions company and should know better. :-(

    2. Tom 35

      Re: Plain text

      I like knocking stuff off my desk too.

  7. The Oncoming Scorn Silver badge
    Childcatcher

    Can't Brain Today, I Has Der Dumb.

    We get targeted at least once a week:

    One guy somehow gave away his account credentials (denied very strongly that he had done so) & so the whole company got hit with requests from this one "guy" for $300 in iTunes gift cards; about 1% of the company flagged it to us (despite the fact we had already received this request individually & into our ticket logging system).

    Just for shitz n giggles the individual then set up e-mail rules to delete all incoming mails.

    The cleaner, who rarely uses a computer, clicked on a link to authorise a purchase order, despite having no purchasing role, & happily put in his account credentials; he slowly admitted this within an hour or so while emptying the bins in our office. We very, very quickly changed his account password, I think before it was acted on.

  8. Mark 85

    ...found that more than a third are not even sure how to identify these fraudulent emails.

    It's getting pretty tough to do that when the browsers/email readers don't let you see who sent the mail and from where as it's just "from: Bob".... nothing else to be seen or found.

    1. adnim

      Thunderbird: view emails in plain text... and you have the option of viewing the source code/headers.

      Or you could write your own code to retrieve your emails or use telnet.

      I don't want to be insulting but writing computer programs in machine code and assembly is tough, at least for my lazy ass it is.

      Anything else takes a little effort and a modicum of thought.
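The "from: Bob" problem Mark 85 raises is that the client shows the display name and hides the address; once the headers are visible, the checks worth making are the ones that Tom 35's lookalike-domain scammer and the "from the boss" mails elsewhere in this thread would fail. The following is an added example, not code from the article or any commenter. It pulls the real address out of the From and Reply-To headers and flags a display name that impersonates an address, a Reply-To pointing at a different domain, and a sending domain that is a lookalike of the organisation's own. The organisation domain example.com, the confusable-character table and the four sample messages are assumptions made for the illustration.

```python
import difflib
import email
import re
import unicodedata
from email.utils import parseaddr

# Assumed organisation domain (hypothetical, not from the page).
OUR_DOMAIN = "example.com"

# A few common substitutions used in lookalike registrations (illustrative, not exhaustive).
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _normalise(domain: str) -> str:
    """Fold Unicode compatibility forms and the ASCII confusables above so that
    visually similar names compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower()
    for a, b in _CONFUSABLES:
        d = d.replace(a, b)
    return d


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, reference: str = OUR_DOMAIN) -> bool:
    """True when domain is not reference but is built to be mistaken for it."""
    domain, reference = domain.lower(), reference.lower()
    if domain == reference or domain.endswith("." + reference):
        return False                      # ours, or one of our own subdomains
    if domain.startswith(reference + "."):
        return True                       # example.com.attacker.test
    if _normalise(domain) == _normalise(reference):
        return True                       # examp1e.com, exarnple.com
    # Near misses such as a dropped or swapped letter.
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.9


def sender_details(raw: str) -> dict:
    """Show what the mail client hides: the actual address behind the display
    name, and where a reply would really go."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    return {"display_name": name, "address": addr.lower(),
            "domain": _domain_of(addr), "reply_to": reply_to.lower()}


def assess_sender(raw: str) -> list:
    """Return finding codes for the From/Reply-To headers of a raw message."""
    d = sender_details(raw)
    findings = []
    embedded = _ADDR_IN_TEXT.search(d["display_name"])
    if embedded and _domain_of(embedded.group(0)) != d["domain"]:
        findings.append("display-name-impersonation")
    if d["reply_to"] and _domain_of(d["reply_to"]) != d["domain"]:
        findings.append("reply-to-mismatch")
    if d["domain"] and is_lookalike(d["domain"]):
        findings.append("lookalike-domain")
    if d["reply_to"] and is_lookalike(_domain_of(d["reply_to"])):
        findings.append("reply-to-lookalike")
    return findings


# Constructed sample headers (hypothetical addresses).
LEGIT = "From: Bob <bob@example.com>\nSubject: Lunch\n\nPizza?\n"
HOMOGLYPH = "From: The Boss <boss@examp1e.com>\nSubject: Urgent wire\n\nWire $5,000 to the supplier.\n"
NAME_SPOOF = 'From: "boss@example.com" <noreply@mail.test>\nSubject: Urgent wire\n\nWire it now.\n'
REPLY_TO = ("From: Bob <bob@example.com>\nReply-To: bob@example.com.invoices.test\n"
            "Subject: Invoice\n\nPlease pay the attached.\n")

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("homoglyph", HOMOGLYPH),
                          ("name spoof", NAME_SPOOF), ("reply-to", REPLY_TO)):
        print(f"{label:10} {sender_details(sample)['address']:28} {assess_sender(sample)}")
```

The confusable table and the 0.9 similarity threshold are tuning choices for the example; a production filter would also compare against the organisation's partner and supplier domains, since those are the ones a BEC lookalike most often imitates.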

      1. Pascal Monett Silver badge
        Trollface

        Effort is bad enough, but THOUGHT ?!

        Good Lord, man, you want to kill us ? We don't have time for thought, we have stuff to post on FaceBook and Twitter !

  9. Doctor Syntax Silver badge

    I'm not surprised that a high proportion of bank (and probably building society) users would fall for this. IME they are the worst for spamming customers with what are indistinguishable from phishing emails, so clearly believe blindly clicking links to be normal behaviour.

    1. John Brown (no body) Silver badge

      "I'm not surprised that a high proportion of bank (and probably building society) users would fall for this. IME they are the worst for spamming customers with what are indistinguishable from phishing emails so clearly believe blindly click links to be normal behaviour."

      Like the current push from the Co-Op Bank to get customers to switch to email notifications regarding the legal requirement to notify customers about something or other. I've had 6 so far, all increasingly more desperate to "click the button" to switch. Each e-mail comes with the option "if you want to keep receiving these notifications in the post, you don't need to do anything". I keep choosing the option to do nothing because I like my legal notifications in writing on paper, not as an ephemeral email which can be edited. I just checked and the time between reminders is getting shorter with each one. Apparently time is running out on this offer and I need to switch now (if I choose to).

      It's not just become spam, it's approaching harassment now, especially in the spammy marketing style they are using.

  10. Shadow Systems

    I had some guy try that crap...

    At a previous employer who shal remane nameless to cover my arse, I was the PFY to our BOFH.

    I got an email claiming to be from our boss & wanting me to wire "emergency cash" to him in some foreign location.

    I cleared my throat, waited until said boss acknowledged lowly little me, & pointed to the screen with a "Sir, I'd like your opinion on this, please."

    He took one look, snorted like a tickled bull, & shoved me aside "so I can have some fun with this fucker".

    I was at a bad angle to the screen & couldn't read what he wrote in reply, but it must have been VERY wicked to have made my BOFH laugh like he was going to soil himself.

    I wish I knew what he wrote, I would have taken notes!

    =-D

    1. MrMerrymaker

      Re: I had some guy try that crap...

      It was probably boring. If it was good, you'd have been shown it.

  11. Anonymous Coward

    Phishy McPhishface

    For those who don't know, iTunes gift cards have replaced *coin in many ransomware scams.

    The nasty thing is, a lot of the ransomware just overwrites files thus trashing the data, with a convincing looking file name with *crypt appended to its extension. So never, EVER pay.

    Also make it a company rule that if anyone even attempts to pay, they can expect immediate sackage and shredding of their personal effects and certificates etc, human rights or otherwise.

    There is a newer variant doing the rounds that actually locks the drive using ATA commands and then charges for the unlock code, as well as one that DDoS's connected USB devices so the victim can't even boot a recovery disk or even get into the UEFI in some cases.

    Fortunately the data recovery companies have figured out a workaround in many cases.

    Not that you shouldn't have a failsafe back up to one time media such as BD-R and FOR $DEITYS SAKE CLOSE THE SESSION! Tape works but BD-R is good for >50 years if stored properly.

  12. Morten_T

    @ElReg: Do you have a link for the poll/report at Lloyds, please?

    As esteemed as you are, it's better to have the source material when talking to clients about stuff like this. Thanks.
