What is an email scam?
An email scam is any message designed to deceive recipients into handing over credentials, confidential business data, or even transferring money.
Today’s email scams are increasingly sophisticated. Scammers are using a combination of technology and psychological trickery, often taking advantage of busy or stressed people and ineffective safeguards.
What are the consequences of email scams for businesses?
The fallout from an email scam can be swift and severe:
- Financial losses, immediately from theft or over the longer term from lost business.
- Operational disruption, from locked-out customers, hijacked email threads, and lengthy investigations.
- Reputational damage, shaking the trust of customers and investors.
- Compliance costs from regulatory fines or lawsuits, especially when sensitive PII or credentials are exposed.
According to the FBI’s Internet Crime Report, more than 21,000 business email compromise (BEC) incidents were reported in the US in 2024, resulting in financial losses of $2.8 billion.
Five common email scams targeting businesses
1. Business email compromise, or BEC attacks
A BEC attack is a type of phishing where the scammer impersonates an important person, such as a vendor or a senior executive at the victim’s company.
The scammers often spend weeks studying a company and its activities, waiting for a moment when they can catch employees off guard, for example when the company is on the cusp of closing a major deal.
Then they strike. The victim receives an email demanding an immediate response and warning that any delay will land them in trouble. If they fall for it, large amounts of money can vanish fast.
For example, in 2019, the Toyota parts supplier Toyota Boshoku Corporation lost $37 million to a BEC scam. Posing as a business partner, a scammer instructed the company’s finance department to amend a set of bank details so that a money transfer was diverted to a fraudulent account. The losses were serious enough to affect the company’s financial projections for the year.
2. Spear phishing
Spear phishing emails target specific people with personalized messages. The scammers can build these messages from information exposed in data breaches or publicly available on social media, such as references to the victim’s work or colleagues.
The email might ask the recipient to download an attachment, update their credentials, or click a link to a fake website.
For example, the US Internal Revenue Service (IRS) has warned accountants and tax professionals about email scammers posing as potential new clients. If the professional responds, the scammer sends a follow-up email with an attachment or link that installs malware to harvest their email credentials or give the scammer access to other systems on their device.
3. Impersonation, or email spoofing
In an impersonation or email spoofing attack, the fraudsters use a forged sender address so that the email seems to come from someone important inside or outside your organization.
The forged address might use a subtle variation of the real domain name with one or two characters altered, for example jane.doe@cornpanyname.com, where the letters “rn” stand in for “m”. These variations can be hard to spot, especially when people are busy, under pressure, or reading on small screens.
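As an added illustration (not part of the original article), the check below collapses a sender’s domain onto its visual “skeleton” and compares it with an allow-list of genuine domains, so that variants such as cornpanyname.com, c0mpanyname.com, or a domain spelled with a Cyrillic letter are flagged before a busy reader has to notice them. The domain names, the confusable table and the sample addresses are all constructed for this example.

```python
import unicodedata

# Constructed allow-list of the organization's genuine sender domains (hypothetical).
TRUSTED_DOMAINS = {"companyname.com", "partner-vendor.net"}

# Constructed table of visually confusable sequences: what appears in a lookalike
# domain -> the genuine characters it imitates (Cyrillic letters render like Latin).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p", "\u0441": "c",
}

def skeleton(domain: str) -> str:
    """Collapse a domain onto its visual skeleton so that cornpanyname.com or
    c0mpanyname.com become identical to companyname.com. Longer confusables
    are substituted before single characters."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    for look, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        d = d.replace(look, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character slips such as companynane.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an address's domain: a lookalike
    shares a skeleton with a trusted domain, or is within one edit of one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 1:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a mail gateway log.
    for sender in ["jane.doe@companyname.com", "jane.doe@cornpanyname.com",
                   "jane.doe@c0mpanyname.com", "jane.doe@companyname.co",
                   "ceo@comp\u0430nyname.com", "bob@example.org"]:
        print(f"{sender:32} {classify_sender(sender)}")
```

A result of "lookalike" is a signal for a gateway rule or a user-facing banner, not proof of fraud; the real allow-list and confusable table would be maintained from your own domains and observed campaigns.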
For example, in 2016, an employee at Crelan Bank in Belgium transferred around 70 million euros to a scammer in another country. The scammer had spoofed the email address of the bank’s CEO.
4. QR code phishing, also known as quishing
In QR code phishing, or quishing, the scam email includes a QR code that installs malware or takes the recipient to a fake website that harvests their login details.
Using QR codes instead of malicious attachments or links can help emails pass through security filters.
According to the BBC, QR code fraud in the UK increased by almost 14 times between 2019 and 2024.
5. Microsoft 365 phishing
The Microsoft 365 suite, used by more than 2 million organizations worldwide, includes stalwart apps such as Excel, PowerPoint, and Word.
Scammers have found ways to hijack official Microsoft 365 messages. For example, in one scam, the victim receives a Microsoft billing notification. This is sent from a real Microsoft.com domain and has genuine Microsoft branding. However, the scammers add the victim’s billing details and a fake helpdesk number.
The notification confirms a purchase of Microsoft 365 licenses. It invites the victim to phone the helpdesk if they want to query the transaction.
When the victim phones the fake helpdesk, the operator asks them to install a support app, which is spyware. The operator then pretends to refund the purchase. Finally, they ask the victim to sign into their online banking to check that the refund has been paid.
It’s unclear how the scammers hijack real Microsoft messages. One theory is that they use trial versions of Microsoft 365 to generate the notifications. Another is that they use compromised Microsoft 365 logins. Whatever the case, this example illustrates how sophisticated today’s email scams have become.
How to stop email scammers
To stay safe:
- Educate your employees: Run regular security awareness training so that everyone knows how to spot potential phishing and scam messages.
- Upgrade your tools: Deploy advanced email security and set up Domain-based Message Authentication, Reporting, and Conformance (DMARC).
- Monitor credentials and PII: Real-time monitoring for compromised credentials and personal details is now a must-have.
Cyber threat intelligence (CTI) solutions such as Cybercheck help you to stay safe by continuously monitoring for exposed credentials and personal data.
At Cybercheck, we scan forums across the open, deep, and dark web where cybercriminals buy and sell stolen data. If cybercriminals are trading information about you or your organization, we immediately alert you. That means you can change passwords, block cards, and act to shut out the attackers before they make you their next victim.
With vigilance, the right tools, and a culture of security awareness, you can protect your business, your customers, and your reputation.