Don’t get caught by the email scam costing businesses thousands of pounds

By SpiderGroup

26 January 2016

CautionIt’s come to our attention here at SpiderGroup that a number of local businesses have fallen for an email spoofing scam that has ended up costing them many thousands of pounds.

Scammers are researching companies to find out who key staff members are, including managing directors, owners and the people in charge of finance. They then spoof the email address of the MD or an owner to impersonate them and email key finance personnel requesting a transfer of thousands of pounds into a back account controlled by the scammers. Because the emails seem to come from the managing director’s or owners’ email address a number of people have been fooled by this, leaving their companies significantly out of pocket. It can be very hard to recover funds lost in this manner making this a very serious blow to companies that get caught out.

Here’s everything you need to know to make sure your business isn’t the next one to get hit.

How email spoofing works

Email spoofing involves sending an email with a fake sender address, so a scammer could send an email with what appears to be a trusted address e.g. but when you respond it sets the reply-to address to be the scammers e.g.

This is relatively easy to do as the core protocols used for email were designed to be open and simple and very few people implement any of the more advanced protection features.

How to protect your business

There are two key measures you can put in place to keep your business safe from these kind of email spoofing scams.

SPF Email Validation – Sender Policy Framework (SPF) is an easy to implement email-validation system which detects email spoofing. It does this by allowing your email exchanger to check emails you receive are coming from a host authorised by the apparent sending domain’s administrator. If you receive an email that’s not from the address it appears to be from, your email exchanger will know to either not deliver the email or mark it as SPAM. There are other things to take into account if you do this but the effort is worth it for the increased security.

Purchase Order Authorisation – It is good practice to require a purchase order for payments made using company funds. A cloud-based accounting system, such as Xero, incorporates a purchase order system and allows you to make sure any payments or transfers of company funds are correctly authorised and properly recorded. Because such systems do not rely on email, scammers will not be able to fake this authorisation allowing you to tell whether a funds transfer request is genuine, whoever it appears to come from.

email by spidergroupStay safe from email scams with SpiderGroup

SpiderGroup offers SPF email validation as standard with our email hosting services to keep you safe from unscrupulous operators online. We can also set you up with, and provide support for, secure online purchase order systems, giving you a safe reliable way to authenticate all purchases and transfers of company funds.

To find out more about protecting your business from email scammers and spammers, call SpiderGroup today on 0117 933 0570 or send us an email for a swift response.

Stay up-to-date with all the latest IT news and tips from SpiderGroup by signing up to our newsletter.

This site doesn't support mobile landscape mode.
Please rotate back to portrait mode.