The CEO of a large corporation receives an urgent email from the Internal Revenue Service requesting information and alerting the company about a possible unclaimed tax refund. He is busy and gets hundreds of emails daily, but he figures that, since it’s tax time, this IRS request must be important, so he quickly forwards it to the CFO to take care of. The CFO receives the email, sees it is from the IRS and appears to be requesting information, and sends it on to the accounting and finance department with a note asking that it be taken care of immediately. The first thing the accounting specialist who retrieves the email from the department’s email inbox notices is that the names of the CFO and CEO appear in the email headers. He scrolls down to click on the IRS link and fills in the corporate tax ID number, account numbers, and other information the IRS is requesting on the simple form that pops up.
Unfortunately, the original email didn’t come from the IRS, and it wasn’t an innocent request. Instead, it was a fraudulent “phishing” email aimed at tricking corporate personnel into sharing private financial information about the company. When the accounting specialist filled out the information, it immediately fell into the hands of cybercriminals.
What Happened?
This corporation became the victim of “phishing,” a type of cybercrime. A phishing victim receives an email on his or her computer or device that looks like it is from a legitimate organization, such as a bank, credit card company, government agency, or retailer. The email contains a link that takes the user to a malicious website or installs malware on the computer, which then infects the computer (and potentially the entire network if the machine is connected to one) with a virus.
In many cases, phishing scams play on people’s emotions or fears to encourage them to click on the link or send personal information. For example, one type of phishing scam involves an email stating “There is a convicted child predator living in your neighborhood,” and contains a link and the name of a legitimate organization. The link actually takes the user to the organization’s website, but in the meantime, malware is being installed on the user’s machine. Scams like this play on deep emotions and use phrases like “your local area” or “near your home” to lure you in. Don’t let yourself get played by these criminals. Avoid clicking on anything that arrives in an email you didn’t specifically sign up for or request via the organization or company itself.