Email scam exploits employee fears over customer complaints

Complaints about employees have exploded during the pandemic. And cyber criminals have taken notice. 

Which is why they have started a scam that preys on exactly these fears. 

This scam consists of spear phishing emails targeting employees, which pretend to come from a manager in their company, angry over a customer complaint.

Scams like these put junior staff in particular at risk, because: 

• They are the least likely to liaise directly with higher-ups in the main company, meaning these emails would be harder to distinguish as fake and provoke elevated concern. 

• They are most commonly in first-line support where time pressure is high. 

• They are the most likely to have been threatened with complaints by aggressive callers, meaning this scenario is quite believable to them. 

Some of these emails demand the employee come to a meeting immediately, warning they're in ‘big trouble’ and should bring their coat. Others pretend they are from the ‘outsourcing team’ of your organisation, in order to specifically target roles like first-line support.

All of them have been engineered to promote guilt and panic. Implying the receiver has caused serious inconvenience to the company and higher-ups, so they act quickly without thinking. 

Them acting quickly without thinking is critical, as many of these emails display frequent errors that give them away as a scam. For example, incorrect web links and Google Drive branding on pages hosted by URL's linked to Microsoft's Cloud Service.  

So, how do you protect your employees against the threat of phishing emails like these? Here are two key areas you should target:

Ensure your employees take the time to stop and think. Make sure they know it’s a mistake to act in haste. Panic can make people ignore mistakes like spelling and grammar issues and unlikely file downloads that would be noticed on a good day. 

The most critical behaviour you can instil in your employees is to get them to double-check with you, no matter if it’s via a video call or in person, that a serious email has actually come from you.

This means you need to create a culture where everyone, including the most junior staff, feel welcome and encouraged to come to you with questions like this. If your most junior staff have to go through lengthy HR processes to even speak to you, they are less likely to feel secure reporting suspicious communications now and in the future. 

If you have established, protected channels for official communication, and a set process for dealing with complaints, then your staff will be able to smell a scam email from a mile off.

Because so many scams utilise social media, and the information you send on there is not well protected, using WhatsApp or FB messenger for serious business is not appropriate. 

If cybercriminals try to talk your staff into taking unusual steps, like downloading unexpected files, everyone, even your most junior staff will have the self confidence and knowledge not to do it. 

It helps in this vein to have one singular contact point for security reports where staff can report anything that doesn’t add up.