CEO Spoofing Scams

Reports have been increasing recently of CEO spoofing (なりすまし), in which emails made to look like internal company messages are actually from criminals looking to have the recipient send money somewhere.

A common scenario is one in which the president or some other senior executive asks an employee to send money, usually not revealing that action to other employees. The email will be fashioned to look authentic.

It now looks like I have received a similar email, spoofing me—it was a terrible job, however—as the sender sent to an alias email address I (the CEO) use only for receiving inquiries.

The immediate giveaway was that it was signed in a way I never sign my emails, but rather the way my name is written only on my physical business cards.

It asks me to start a group on LINE (an immediate “thug tell”) and tells me that there is “no need” for me to invite other people. It’s understandable that they don’t want me to invite other people, since they know that would alert others who could alert me to the scam.

I am instructed in the email to send the QR code of the group to the criminal and they will take it from there. Right.

The most disturbing thing about this is not that it is an email from a criminal—millions of emails from criminals are sent all the time—but that it clearly used a written form of my name in the signature that you can only learn by receiving my business card.

This criminally intended email was addressed to an email address that is not associated with a targeted employee, but that had been exposed in automatically harvestable form on a government website for quite some time. I removed the address from that site long ago, but it is surely in the database of cyberthugs and making the rounds, based on the spam that is collected in my spam folder on my server.

The lesson I see from this is that at least one of the persons to whom I have given my physical business card, probably recently, is a criminal. I don’t give my business card out lightly, however.

I can just imagine what happens to the many people who plaster their email addresses all over cyberspace, a very reckless strategy.

Lesson learned. I need to be more careful with even my physical business card.

My suggestions for the increased security risks these days are:

(1) Never put an email address you use for daily business emails anywhere online in a form that can be automatically harvested by criminals. Posting it as a graphic is one option, but even those graphics can be decoded by criminals.

(2) If there is a danger of some other entity putting your email address online (an advantage sometimes, of course), use only an alias email address to avoid disclosing the associated “real” email address that you normally look at and send from.

This enables you to tell where people got your email address, and that is made even easier by creating numerous purpose-specific aliases.

Never disclose an email address online that you can send from as an inquiry address, as your inadvertently sending from it can compromise it by verifying it for criminals.

(3) If possible, print your name on your business cards in a form that is slightly different from what you normally use in daily business emails.

(4) Beware of handing your business card to reception desks at trade shows and to hotel front desks. I slightly suspect that the criminal email I received was because of handing my business card over to a trade show receptionist. The organizations that run those trade shows for manufacturers here in Japan are not necessarily looking out for the security of the visitors to the trade shows they run for their clients. I am considering changing the email address to a new alias address on my business cards every time I order 100 or so.

Additionally, although it’s a different problem entirely, I once gave my business card to a hotel and was soon deluged by spam from the hotel group, the spam being sent from someplace in Southeast Asia, and it took forever to get myself off the list.

The above suggestions about email aliases might not be easy unless you have registered your own domain, but with use of things like Gmail being quite unprofessional and the increasing need to interact with direct clients as a survival strategy, professional translators aiming at surviving would gain an advantage by not using free email for business.
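
As an added illustration (not the author's own code), the following Python example applies suggestions (2) and (3) to incoming mail: it looks up which receive-only alias a message was sent to, and therefore where the sender got the address, and flags the spoofing signs described above. The domain, alias addresses, name forms and lure phrases are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# All values below are constructed placeholders for illustration.
OWN_DOMAIN = "example.co.jp"
ALIAS_SOURCES = {  # receive-only alias -> the one place it was disclosed
    "inquiry-gov@example.co.jp": "government website listing",
    "card-batch07@example.co.jp": "business card, print batch 07",
}
EMAIL_NAME = "alex example"          # name form used in daily business email
CARD_NAME = "alexander q. example"   # name form printed only on business cards
CHAT_LURES = ("line group", "qr code")  # requests described in the post


def analyze(raw: str) -> dict:
    """Return the disclosure source of the recipient alias and spoofing flags."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    recipients = [addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    sources = [ALIAS_SOURCES[r] for r in recipients if r in ALIAS_SOURCES]
    payload = msg.get_payload()
    body = (payload if isinstance(payload, str) else "").lower()
    claims_exec = display.lower() in (EMAIL_NAME, CARD_NAME) or CARD_NAME in body
    flags = []
    if claims_exec and not sender.lower().endswith("@" + OWN_DOMAIN):
        flags.append("executive name on an external sender address")
    if claims_exec and sources:
        # Holds even when the From address itself is forged to look internal.
        flags.append("executive 'wrote' to a receive-only alias")
    if CARD_NAME in body:
        flags.append("signature uses the business-card-only name form")
    if any(lure in body for lure in CHAT_LURES):
        flags.append("asks to move the conversation to a chat group")
    return {"alias_sources": sources, "flags": flags}


SAMPLE = """\
From: Alex Example <ceo.office@mailbox.invalid>
To: inquiry-gov@example.co.jp

Please create a LINE group, no need to invite anyone else, and send me its QR code.

Alexander Q. Example
"""


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

The second flag depends only on the alias being receive-only, so it still fires when the visible sender address has been forged to look like an internal one.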

Author: William Lise

Long-term (49-plus years) resident of Japan. Former electrical engineer; translating and interpreting for over four decades.