Cybercriminals could be impersonating your boss. Here’s how to tell
Twingate identifies phishing scam messages that claim to be from your coworkers or boss. Read on for anti-phishing security tips.
-
For any number of reasons, you've likely clicked on your spam email folder from time to time. In doing so, you may have noticed that spam messages have grown more and more sophisticated over time. These days, spam emails often invoke real-life events such as pharmaceutical class action lawsuits or clergy abuse scandals as a way to lure more clicks.
These same scams have now taken to impersonating company bosses: Business email compromise scams are a huge problem with $43 billion lost and more than 240,000 incidents from 2016 to 2021 globally.
As phishing attempts that target business emails become increasingly difficult to identify, Twingate researched helpful ways to verify whether communications you're receiving are really from coworkers, professional contacts, or your boss. These include some simple checks, such as making sure the email address is one you trust, or that a linked page really goes where it claims. The forthcoming tips also include more subtle forms of awareness, like asking yourself if your boss really uses language the way you see in the message or whether they would actually misspell your name—or theirs.
The best way to prevent these phishing scams in the long run is to continuously hone your gut instinct and be cautious when it tells you something smells fishy. When in doubt, hop on the phone, the company Slack channel, or your email and politely check with colleagues to be sure the message you received is real. Maybe your boss is on the go and typing too fast without paying close attention to typos, and they’ll appreciate your attention to detail.
-
Some forms of scamming are very sophisticated, but most phishing attempts are not particularly elaborate. One of the easiest ways to prevent phishing attempts from succeeding is to pay attention to the sender.
If you’ve ever looked in your email’s spam folder, you're already semi-versed in doing this at least some of the time. Sometimes, a message looks like it might be something real—but when you click, you see that the email address is just a string of numbers or other nonsense instead of your bank. It’s easy to cross-check a phone number using websites that list known fake numbers in your local area code. But the best thing to do is to stay wary of numbers you don’t recognize. Legitimate colleagues calling you can leave a voicemail.
-
In some forms of spam, grammar mistakes are part of the draw: Scammers want to select out the most vulnerable people, which often includes those with less education or literacy. But when it comes to phishing scams, scammers want to seem as close as possible to the people they’re imitating. For this reason, look out for messages that immediately sound like they’re not quite right. Maybe your boss sounds weirdly informal, they’ve misspelled your name or your department, or their characteristic long email signature is missing.
Listen to your gut and tap into your inner copy editor.
-
This one can be tricky because exchanging attachments is often a big part of the workflow. But you know when you’re waiting for the newest departmental report from a certain person or a PDF of the latest sales numbers.
Be especially wary of any attachment that comes from more of a personal-seeming message. Scammers can load malware into almost anything you can download to your computer, and attachments are one of the easiest ways into your system. In the same vein, be cautious when downloading software updates. In all of these cases, ask your IT office to help you make sure the update is legit.
-
You may already be doing this without realizing it’s a best practice for cybersecurity.
When someone sends you a link, hover your mouse over the text in your browser to show a status bar at the bottom of the window. This preview bar will show you the real URL. This is smart to do, but sometimes it isn’t enough—scammers can “mask” URLs by using lookalike domains that redirect to malware download sites and more. But this one-step check will help prevent a lot that can go wrong when you receive a random link, allowing you to filter out obvious imposter sites.
-
When scammers ask you to “repeat” information like your login credentials or credit card information in the body of an email, that’s a form of hacking known as social engineering. It’s the same as if someone walked into your office and found all your logins written on a Post-it stuck to your computer monitor (another thing you should never do).
If someone emails you from your boss’s name but is asking for private information, call or message the boss to make sure it’s legit. Another tell is if the sender asks for something your boss would already know, like your building’s alarm code.
This scam has a unique quality in that the request may appear benign and may, in fact, mimic something a co-worker naturally asks you for. If you have coworkers who regularly ask for this sort of information via email, consider asking your IT group to share with your colleague some best practices for sharing personal or financial information.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.
-
How to tell you’re being phished, and 9 other common online scams to watch out for
The internet can feel packed with scams sometimes, especially for anyone who’s had their credit card or other information stolen. But most scams fall into a small variety of types that are easy to identify and avoid once you know about them.
There are only so many ways to reinvent the wheel—scammers will usually fall into a set number of categories. Twingate assembled a list of common online scams that internet users should be wary of, drawing on research from government organizations, payment processors, and tech companies.
One of the major categories of scamming is called social engineering. An old-fashioned method that still works surprisingly well, social engineering is any fraud where a human being communicates with you to obtain information in person, online, or over the phone. Scammers will use manipulative, deceptive, or psychological tactics to get someone to reveal confidential information.
As our lives increasingly have shifted online, scammers have followed, posing as everything from fake online boyfriends to made-up charities. So the next time you get a voicemail claiming to be from Microsoft, an email that says your antivirus service is out of date, or a pop-up ad from “newy0rktimes.com,” take a few seconds and think about whether it's a genuine message before doing anything. Continue reading to learn about the most common online scams today.
-
Phishing is one of the most common online scams. It’s a form of social engineering, meaning a scam in which the “human touch” is used to trick people. One offline form of phishing is when you receive a scam phone call where someone claims to be calling from the fraud department at your bank and requests your account number as verification.
With online phishing, scammers do the same kind of thing but use emails and links to fraudulent websites to fool users. In your spam folder, you’ll often see messages claiming to be from Bank of America and others. These links lead to imitation bank sites designed to capture your personal banking information.
-
These email messages are notorious—and the stuff of internet legend: “Hello sir, I have a huge sum to send you!” In this scam, a forlorn prince, bank manager, church reverend, or otherwise reputable-sounding stranger has a large amount of money that they need you to hold for them. All you have to do is send them several hundred or thousand dollars to cover some kind of transactional cost upfront.
Never believe any stranger who wants to send you money, and listen to your gut. If something sounds too good to be true, it is highly likely that it is a scam.
-
Romance scams are one of the darkest and most sinister scams because of the time investment and emotions involved. Romance scammers pretend to be regular people, often older people, who are looking for love and want to meet eligible singles in other countries. They'll build an emotional connection with their target by exchanging romantic messages and pretending to be in love.
The scam comes in when, eventually, a series of misfortunes befall the romantic partner. They might plan a visit to finally meet—but suddenly won't have money to pay for the plane ticket. Then they’re hospitalized with a mystery illness and need money to pay the bill. This continues until the victim grows suspicious of the mounting costs.
-
Formjacking is a web scam that works the same way as a credit card skimmer does in real life. You go to a website to place an order and enter your information as usual. The transaction even goes through and seems to be fine, except that some code hacked into the website has copied your financial data to someone else.
The owners of the website may not even realize something is happening because they don’t pay close attention to their infrastructure. Make sure the websites you deal with are secure.
-
Phony tech support is a form of social engineering. This scam may come as an email or a phone call, claiming that your computer has been compromised in some way and that you must call a number or visit a website to fix it.
From there, the scammer may install malware like keyboard capture software (or worse). On the phone, they may request remote access to your computer to help you. These scammers often claim to be from Microsoft or Apple as a way to establish legitimacy.
-
Ransomware is a kind of malicious software that is installed without your knowledge. This is usually from an email or fraudulent site, meaning it also uses phishing to imitate your bank or another institutional website. Someone calls or emails with a link that installs the ransomware on your machine. What makes ransomware different is what comes next.
The software locks certain kinds of information on your machines, like your saved documents, photos, and other files. You have to pay to unlock the data and get your files, although the FBI cautions against actually paying.
-
Scareware is a form of manipulative scamming that threatens users by making them believe they need new software on their machines. One of the common forms is to tell users they need new antivirus software and to offer that software from a fraudulent source.
It’s often easy to tell these websites or emails apart from real ones: Look closely at the URLs or email addresses, which usually have strange spellings or other clues that signal you’re not dealing with legitimate companies.
-
Sextortion is an especially grim crime that targets minors, although it can also affect adults. Now that so many people meet romantic partners online, it’s common to exchange explicit photos. That’s also true of teenagers or even of younger children, who can find themselves in online relationships with people who ask for personal information and photos.
Once someone has this material, they can use it as a way to demand more and will threaten to share info or post photos publicly if their target refuses. Unlike the other crimes on this list, sextortion doesn’t always have financial goals.
-
Crowdfunding and mutual aid are becoming more common as a way for people to share resources and help others pay for medical bills and other costs, or to donate following natural disasters. Unfortunately, this well-meaning way to help others in the community has also been targeted by scammers through charity and disaster fraud.
Scammers can make fake Twitter accounts to imitate people in need. They’ll even set up bots to make new accounts that look like your friend’s account to reply with PayPal links that redirect to the scammer. If you aren’t sure about the credibility of a group or crowdfunding page, it is always best to seek more information.
-
This scam is simple and it’s a variation of an age-old, real-life scam. Think of those signs you see on street corners that say, “I make $16,000 a month working from home!” When you call, these people want you to buy training materials to become a real estate agent or something similar.
The same is true of many online ads that say you can work from home and make $500 a day or some other attractive amount. The best advice is also the oldest: If it sounds too good to be true, it probably is.
This story originally appeared on Twingate and was produced and distributed in partnership with Stacker Studio.