How Corporate Emails Can Fight Scammers

Adonis Gaitatzis
6 min read · Apr 22, 2022

Email phishing scams are on the rise in the United States, causing a reported loss of 1.86 billion dollars in 2020.

Although consumer education reduces harm and police investigations raise the cost of running these scams, companies can implement some simple systems that make these scams much harder to carry out.

One such system is to send time-sensitive One-Time-Passwords (OTPs) instead of links when asking users to verify sensitive actions on their account.

This, together with improved wording in the email, both reduces the effectiveness of phishing attacks over email and trains users to be wary of emails that contain links.

As an added bonus, using OTPs instead of links increases the interoperability between web applications and mobile applications, and helps to keep the user inside a branded experience.

Why It Works

Sending OTPs instead of links trains the user not to click on links in emails. In doing so, users are likely to use Google or other trusted channels to connect with company websites and not click through to phishing websites that can steal their credentials.

How the Scams Work

These scams often work when a scammer emails a victim. The email looks like a legitimate email from a company or government service such as Amazon, Chase Bank, or the Social Security Administration. This email includes:

  1. Branding that resembles the company or service.
  2. A perceived threat, such as a payment or order that is being processed or an unwanted action that will be taken on the account.
  3. A remedy, such as logging in to cancel the action or provide personal information.
  4. A link that routes to a fake website resembling the company or service.

Links in the email bring the user to a website that looks like the company or government service. The website is fraudulent and steals whatever sensitive information the user provides, such as credentials. The scammers can then use this information to perform any action in the account, such as making purchases, stealing money, downloading spyware, or signing up for other services using the victim’s identity. The website may even instruct the user to download spyware to continue mining the victim’s computer for sensitive information.

Scammers make these emails and websites look like real company emails and login pages so they can weaponize the trust built by years of company branding.

Some Examples of Dangerous Emails

This one from Amazon contains a link that lets a user deny a login attempt and then sign in to their account.

If the user wasn’t trying to log in, they may assume someone is trying to hack their account and provide sensitive information in the process of attempting to protect their account.

Amazon Sign In Attempt

This one is from Instagram, when a user signs in from a new device.

If the user hadn’t logged in from a new device, they may click the “secure your account here” link and enter sensitive login information into a phishing website.

The only other requirement for this scam is for the scammer to create a website that resembles the corresponding company’s login page. If the user enters their login and password or other sensitive information, they may not even know that they’ve compromised their account.

How to Disarm the Scam

The trick to disarming this scam is to train users not to click on links in the email.

Depending on the type of action a company wants the user to take, they can encourage the user to:

  • Enter a One-Time-Password
  • Log In and take a specific action
  • Take no action

The email should contain instructions for logging into the website if necessary, including a text reference to the website for the user to copy or search.

Example: Enter a One-Time-Password

This type of email may be triggered by a sensitive action such as a forgotten-password request, signing in on a new device, or verifying the user’s account.

It should include:

  • An explanation of the attempted action
  • A time-sensitive code and how to use it
  • What happens if the user takes no action

Here is an example from LinkedIn when signing into a new device:

Email Featuring a One-Time-Password

This email should also include the text “Never share this code with anyone, ever,” to improve security.

Example Text To Discourage Sharing the OTP
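The following is an added example, not code from the article or from any of the companies it names. It implements the OTP-by-email flow described above in Python: the server issues a short-lived, single-use code, stores only a salted hash of it, and rejects it after expiry or too many wrong guesses. It also renders the email body from the checklist in this section (what happened, the code and how to use it, what happens on no action, the “never share this code” line) and checks that the body contains no link, which is the property the “Why This Works” section relies on. The policy values (6 digits, 10 minutes, 5 attempts), the class and function names, and the sample company and site text are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Tuple

# Policy constants (assumed values, not from the article): a 6-digit code that
# lives 10 minutes and tolerates 5 wrong guesses before it is discarded.
OTP_LENGTH = 6
OTP_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingOtp:
    """Server-side record of an issued code; only a salted hash is stored."""
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies time-limited, single-use codes keyed by (user, action)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._pending = {}       # (user_id, action) -> PendingOtp

    @staticmethod
    def _hash(code: str, salt: bytes) -> bytes:
        # A 6-digit code is guessable offline however it is hashed; the real
        # protection is the expiry and the attempt limit in verify(). Hashing
        # only keeps the live code out of the database and logs.
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id: str, action: str) -> str:
        """Create a fresh code for this user/action, replacing any older one."""
        code = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        salt = secrets.token_bytes(16)
        self._pending[(user_id, action)] = PendingOtp(
            code_hash=self._hash(code, salt),
            salt=salt,
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code  # goes into the email body; never stored in the clear

    def verify(self, user_id: str, action: str, submitted: str) -> Tuple[bool, str]:
        """Check a submitted code; the record is removed on success, expiry or lockout."""
        key = (user_id, action)
        pending = self._pending.get(key)
        if pending is None:
            return False, "no_pending_code"
        if self._clock() > pending.expires_at:
            del self._pending[key]
            return False, "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[key]
            return False, "too_many_attempts"
        if hmac.compare_digest(self._hash(submitted, pending.salt), pending.code_hash):
            del self._pending[key]   # single use
            return True, "ok"
        return False, "mismatch"


# Anything that renders as a clickable link in common mail clients. A bare
# domain typed as text (the "text reference" the article recommends) is allowed.
LINK_PATTERN = re.compile(r"https?://|<a\s", re.IGNORECASE)


def contains_link(body: str) -> bool:
    """Outgoing-template check: True if the body carries a URL or anchor tag."""
    return LINK_PATTERN.search(body) is not None


def render_otp_email(company: str, site: str, action: str, code: str, ttl_minutes: int) -> str:
    """Plain-text body following the article's checklist; company/site are sample values."""
    body = (
        f"Hi,\n\n"
        f"We noticed {action} on your {company} account.\n\n"
        f"To confirm it was you, enter this code where prompted in the app or on the website:\n\n"
        f"    {code}\n\n"
        f"The code expires in {ttl_minutes} minutes. If you did not do this, ignore this\n"
        f"email and the request will not be completed.\n\n"
        f"Never share this code with anyone, ever. {company} will never ask you to\n"
        f"click a link in an email. To reach us, type {site} into your browser\n"
        f"or search for {company}.\n"
    )
    assert not contains_link(body), "OTP emails must not contain links"
    return body
```

The attempt limit is what makes a 6-digit code acceptable: each guess has a one-in-a-million chance, and after five misses the code is thrown away, so an attacker cannot run through the space before the ten-minute window closes. The `contains_link` check belongs in the template test suite, so a later edit to the email copy cannot quietly reintroduce the clickable link the whole approach is trying to remove.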

Example: Log In and Take a Specific Action

This type of email may be triggered when there is a change to the user’s account or a change to features on the website.

It should include:

  • Instructions for accessing the website
  • What happens if the user takes no action

Here is an example of such an email:

Example Email Featuring a Login Action

Example: Take No Action

This email is a variation of the Log In Email, but with a default action of no action. This type of email is sent when a user should be alerted to a change to their account that they may want to block or undo.

It should include:

  • Instructions for accessing the website
  • What happens if the user takes no action

Here’s an example of such an email:

Example Take No Action Email

Why This Works

These emails all have something in common. They don’t include a clickable link or button. Users are unable to click a phishing link.

If the user is already logged in and presented with an OTP input, the user only has to copy and paste the OTP back into the website without ever leaving the branded environment of the website or app. Note that mobile apps must keep the OTP input reachable as the user switches between apps (for example, to the mail app and back).

If the user must log in to the website, the text reference in the email lets the user copy and paste the website address, or search for the company, if necessary.

For added measure, these emails could contain the text “Example Company will never ask you to click a link in an email,” to reinforce the idea that clicking email links is not safe.

The more companies that implement these changes, the more likely users will be trained to feel uncomfortable clicking links in their emails. As users begin to distrust links and buttons in their emails, phishing emails will become less effective as users will use trusted channels to access company websites.


Adonis Gaitatzis is a technology and branding nerd who can synthesize any business need into a technology solution. Fun projects have included brain imaging tech & mesh routers.