It’s critically important for all consumers to be on the lookout for email phishing attacks, particularly since email impersonation scams can be incredibly complex and well-executed.
Take, for example, the recent email scam that affected at least 50 freelance writers and journalists seeking employment from Atlantic Media.
The life of a freelance writer is not an easy one, especially as writers begin their journey and need to build up a network of editorial contacts by pitching story ideas. Realizing this fact, cybercriminals impersonated editors of Atlantic Media to send out fraudulent emails and job offers to writers.
Atlantic Media General Counsel Aretae Wyler released a statement Thursday to warn people about the scam.
“Across the last few months, individuals posing as our editors and senior leaders have sent fraudulent job offers to unwitting freelancers or jobseekers looking to work with The Atlantic,” reads the online statement. “The impostors have created numerous misleading email accounts, including gmail addresses in the names of editors, gmail addresses that include the Atlantic’s name (e.g., email@example.com), and addresses employing fake domains (e.g., @atlanticmediagroup.net). The aim of the scam is to obtain personal information such as social security numbers, addresses, and bank account information from the intended victims.”
The cybercriminals went as far as conducting fake job interviews by phone, and sent employment agreements, direct deposit details, and tax forms to their victims in order to steal private information.
“Most spear phishing campaigns try to fool employees into giving up sensitive information with fake emails purporting to be from someone specific within the organization by spoofing their email address and mimicking the language, behaviors, and processes used in the day-to-day operations of the company,” says Mike Wyatt, director of product operations at RiskIQ. “In this case, threat actors pretended to be editors from the Atlantic reaching out to potential freelancers, which is more difficult to combat as the potential employees are outside of the Atlantic’s network.”
Because of this, Wyatt says, there is not much Atlantic Media can do in terms of blocking these types of email scams.
“All they can do is report the abuse to the email service and warn potential victims that this is happening,” he says.
Dylan Tweney, head of communications at ValiMail, says that one recourse could be strict email authentication.
If Atlantic Media set up email authentication with enforcement, they could tell staff,
freelancers, and readers that they should only trust email from atlanticmedia.com or theatlantic.com. Enforcement on both domains would be essential, as scammers would just exploit the one that
“Without that level of enforcement though — which they don’t have — their best recourse is to warn people, which is exactly what they’re doing,” says Tweney.
Atlantic Media is asking any scam victims to email FraudAlert@AtlanticMedia.com.