Wipfli Alerts & Updates: The Latest Phishing Scam Targeting Businesses
January 30, 2017
In the midst of tax preparation season, the Better Business Bureau says a clever new phishing scam is making the rounds. The malicious message looks like an email alert from QuickBooks, but it’s not. Learn more about how this latest scam works from the Better Business Bureau.
Phishing scams are not new. In fact, phishing first made the IRS’s “Dirty Dozen” list of tax scams in 2015.
How Phishing Works
By way of email, those with malicious intent will contact unsuspecting persons, asking them to click a link or download a file. Generally, the end goal is to infect the user’s computer with malware or get them to submit important personal information.
What You Can Do
First, understand that “spam” and “junk” filters do not catch all malicious email. Second, know what signs to look for in a phishing email. The vast majority of phishing attempts are fairly easy to recognize and avoid. Here are a few aspects of phishing emails that can help you recognize their true nature:
Look at the “from” address. Be sure you recognize it. Then take a second look at the domain name (that’s the name after the “@” symbol). Make sure it’s spelled correctly. At the office, an internal email from your coworker would display only his or her name. If it also shows the full email address, it came from the outside.
Look for a “reply” address that matches the “from” address.
Check that the message is well composed with the grammar and spelling you would expect from the sender, whether it’s your boss, your brother, or your bank.
If there is a link in the email, does it match the destination? By hovering your mouse over the link (without clicking on it), your email application will show its actual destination. Again, take a second look at the domain. Be sure it is a domain you would expect. Misspelling a domain is a very common tactic (microsft.com vs. microsoft.com). At a glance, they look the same, but one will take you to Microsoft, and the other will take you somewhere you don’t want to go.
Does the email ask you for personal information? Most organizations would never ask for personal information in an email or ask you to “reconfirm” your password and account information.
Trust your gut! If something doesn’t seem right, it probably isn’t. If you are not sure and are worried there is something urgent that needs your attention, then contact that company/organization as you normally would. Never use the email links or any information from a suspected phishing email (including the phone number!).
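The “from”, “reply” and link checks in the list above can also be automated. The following Python sketch is an added example, not code from Wipfli or the Better Business Bureau; the sample message, the `EXPECTED_DOMAINS` list and the function names are assumptions made for illustration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; addresses and URLs are made up.
SAMPLE = """\
From: "Microsoft Support" <support@microsft.com>
Reply-To: helpdesk@example.net
Subject: Reconfirm your account

<p>Sign in at <a href="http://login.example.net/reset">https://www.microsoft.com/account</a></p>
"""

# Assumption: domains this recipient normally receives mail from.
EXPECTED_DOMAINS = {"microsoft.com"}

def domain_of(header_value):
    """Return the lower-cased domain (the part after "@") of an address header."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_message(raw):
    """Return a list of (check, detail) findings for one raw email."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Reply-To", ""))
    # The "reply" address should match the "from" address.
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} vs {reply_dom}"))
    # A sender domain one or two characters off an expected domain is suspect.
    for good in EXPECTED_DOMAINS:
        if 0 < edit_distance(from_dom, good) <= 2:
            findings.append(("lookalike-from-domain", f"{from_dom} resembles {good}"))
    # Link text that shows one host while the href points to another.
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', msg.get_payload(), re.I | re.S):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append(("link-mismatch", f"shows {shown}, goes to {actual}"))
    return findings
```

Calling `check_message(SAMPLE)` reports all three problems; a message whose addresses and links agree returns an empty list.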
Email phishing works on unsuspecting people every day. Even emails that seem farfetched (“Send me $100,000 so I can give you my inheritance”) work all the time, but those aren’t the only emails that get sent. There are often crafty and well-constructed emails that require a close look to notice they are malicious. So take that second look and check before you click, download, or enter your information.
If you have any questions, please contact one of our cybersecurity experts, Bob Cedergren or Jeff Olejnik, or your Wipfli relationship executive.