An email comes in from a co-worker, usually someone higher up than you. It’s short, just a few words: “Are you available? I need your help as soon as possible.”
“Are you available” messages are a scam. Your email response will go to a criminal.
The next message will ask you to stick to email. (“I’m in a meeting”).
Then the bad guy will try to convince you to do something you will regret – click a link to install a virus, send money via wire transfer, or buy gift cards and send the info to cash them by email.
If you get an “are you available” message, there are three things to do.
- Look at the sender’s email address. If the address does not match what you expect, the message is from a criminal. Delete it.
- Attempt to reach the person who supposedly sent the message by something other than email. Call them or send a text message to confirm that they’re looking for you. If they didn’t send the message but it shows their email address, their mail account might have been hacked. Get IT support to investigate right away.
- Be suspicious. Watch further messages for typos, grammar mistakes, or phrasing that doesn’t sound like the person you think is on the other end.
Scammers visit your business website to learn names and details of the organization structure – who’s likely to be in a position to ask for company money? Who’s a subordinate who might carry that out?
More aggressive scammers will create a free fake email account to make the message look more legit – firstname.lastname@example.org, say. Criminals trying for a big score – trying to get a company to send a wire transfer, for example – might even temporarily register a domain name that is confusingly similar to the real domain, so it’s harder to spot a spoofed email address. You might not see the problem if you got a message from email@example.com. You’d ignore it if I was asking for money, of course, just like you do now, but that’s not the point. (There’s more info here about the wire transfer scam.)
In the worst case, a hacker may have gotten into the senior partner’s mailbox by fooling the partner into giving up their password. In that case, the incoming message will come from the correct email address and might have the senior partner’s mail signature. If you respond and start a conversation, you might even see details about a real transaction, discovered by reading the partner’s messages.
The message is simple and short for a reason: it minimizes the chance that you’ll spot poor grammar and misspellings. If you respond to the message in the belief you’re in a conversation with your boss, you’ll be less alert in the next few messages.
If you respond, there is an insidious side effect. The scammer is now in the dropdown autocomplete list in Outlook, with the partner’s or owner’s name. The next time you start a message, you might choose the scammer by accident. If you respond before you figure out that it’s a scam, always remove the scammer from the auto-complete list! (In Outlook, you can remove a name from the dropdown list by clicking on the X at the far right of the name in the list.)
When this scam was popular last year, the scammers were obsessed with getting people to go to a store and buy iTunes gift cards. They’d ask you to scratch off the back to reveal the codes, then send pictures of the cards and codes. I doubt if that’s still a thing this year, but tuck this away in the back of your mind: if your boss asks you to run out and buy gift cards and send him or her the codes to cash them in, perhaps there’s something wrong.
This advice isn’t for you. You are smart and good looking. A scam like this would never work against you. Instead, your job is to pass this warning on to people who are weak and poorly informed and easily fooled – more or less, anyone who doesn’t already read Bruceb News. Don’t let this happen to you or your family, friends, co-workers, or clients. Be careful out there!