When it comes to phishing attacks, the key to survival lies in the target’s hands.
When it comes to phishing attacks, the key to survival lies in your hands – the Business Owner. Hackers are great at copying us – our email addresses, our style of writing, our choice of words. They use those things to trick our accounting team into quickly sending out money to them.
But the one thing they can’t copy is your behavior. Here’s what I mean. If you had a solid policy and procedure in place for outgoing payments that you, the business owner, never circumvent, your accounting staff would know immediately when an email, seemingly coming from you, is out of character.
So set some rules for your team, but be sure to set the example and follow them too!
We Survived a Phishing Attack – How You Can, Too
While I was away at an industry conference (remember pre-Pandemic conferences?), criminals tried to trick ALC’s accounting department into sending money to them. Here’s what we did (and what everyone should do) to prevent scammers from succeeding:
- Make sure there is proper segregation of duties within the accounting department. The person sending out payments should not have access to setting up vendors.
- Establish and document formal processes and procedures for creating vendors and processing payments, including full back-up documentation and an invoice. Train, retrain and remind staff to follow them to a “T” – NO EXCEPTIONS – even for the Business Owner/CEO!
- Empower the accounting team to listen to their hearts and trust their instincts. If something seems or feels “phishy,” it probably is, even if the request or demand appears to be from someone with authority.
- If a request has a sense of urgency, such as demanding immediate payment and action, that’s a RED FLAG. Practice good accounting hygiene by never making urgent requests to cut a check or send a payment yourself. If urgent requests are routine, the team will not recognize a scammer’s urgent demand as unusual.
- Don’t use email for internal communications. Use Slack or other team messaging technology exclusively. For us, the fact that the request from “me” came through email instead of Slack was one clue that it wasn’t really me.
- Phishing emails are often written overseas by non-native English speakers. Make sure everyone is wary of emails with punctuation or grammatical errors, as well as vocabulary that most people wouldn’t use, especially in informal, internal email communications.
- If an employee gets an email that looks or feels weird, have them hit “reply” and look closely at the email address that appears in the “To” box. They may notice that the address is ever-so-slightly different from the true address. In our case, the perpetrators added an extra “i” to my email address, which was very easy to miss.
- Don’t post email addresses online where they can be found easily by people outside of your network. Use good sense on social media and ask employees to do the same.
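The “hit reply and look closely” check above can also be automated so the accounting team gets a warning before a human has to spot one extra letter. The script below is an added example, not ALC’s own tooling: it compares the From and Reply-To addresses of a payment request against a constructed list of trusted executive addresses (placeholder values) and flags near-matches, a familiar display name on an unfamiliar address, and replies that would be redirected elsewhere.

```python
from email.utils import parseaddr

# Constructed lookup of who may authorise payments (placeholder values;
# substitute the organisation's real executive addresses and names).
TRUSTED_SENDERS = {"owner@example.com": "Jane Owner", "cfo@example.com": "Sam Cfo"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b (one extra letter scores 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return the red flags found in a payment request's From/Reply-To headers.
    An empty list means the address is exactly a trusted one and replies
    would go back to it."""
    flags = []
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    _, reply_addr = parseaddr(reply_to_header)
    reply_addr = reply_addr.lower()
    if addr not in TRUSTED_SENDERS:
        for trusted, trusted_name in TRUSTED_SENDERS.items():
            # One or two edits away: the "extra letter" trick from the story.
            d = edit_distance(addr, trusted)
            if d <= 2:
                flags.append(f"lookalike: {addr} is {d} edit(s) from {trusted}")
            # A familiar display name sitting on an unfamiliar address.
            if name.strip().lower() == trusted_name.lower():
                flags.append(f"display-name spoof: '{name}' but address is {addr}")
    if reply_addr and reply_addr != addr:
        flags.append(f"reply-to mismatch: replies go to {reply_addr}, not {addr}")
    return flags


if __name__ == "__main__":
    # Constructed sample: the owner's name on an address with one extra "i".
    for flag in check_sender("Jane Owner <ownier@example.com>"):
        print(flag)
```

A mail filter or ticketing rule can call `check_sender` on incoming payment requests and hold anything that returns flags for a phone call with the real sender.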
Let’s work together to keep phishing scammers out of business!
A La CARTE Solutions is a full-service accounting and CFO advisory firm. We are working with clients to make sure their systems and protocols protect them from scams. We’d love to help you too! Please give us a call or get in touch.