I attended Xerocon last week in Atlanta to learn how to leverage technology to increase efficiency for our clients. Like everyone else at the conference, I posted live updates from the event to social media and made sure my business network knew where I was and what I was doing.
Little did I know that cyber criminals were watching my every move, and tried to take advantage of the fact that I was away from my office. Here’s what happened:
While I was away cyber criminals targeted my company looking to dupe my accounting department into wiring money to them. They sent my accounting department an email that looked like it was coming from me. In that email, they instructed my team to immediately send $28,570 to a new consultant we had supposedly just hired. They provided detailed bank account info, address, etc. and told my team that I would send the backup invoice and supporting documentation at a later time.
My team thought the email actually came from me because the email address was mine. But the request was out of the ordinary, so they engaged in email communications with “me”, asking questions, getting information, etc. Little did these criminals know they were messing with the wrong company – a top-notch, accounting services company! In the end, not only did they not get a dime from us, but they also created an “aha” opportunity to share our experience with our clients and our network, and eliminate future opportunities for them to dupe anyone else.
Here’s how we survived the attack and how you too can avoid taking the bait:
- Make sure there is proper segregation of duties within your accounting department. The person sending payments out should not have access to setting up vendors.
- Establish and document formal processes and procedures for creating vendors and processing payments. Train your staff to follow those procedures to the letter. The process should include full back-up documentation and an invoice – no exceptions – even if you are the business owner/CEO. No one should have the authority to circumvent the established process. There’s a reason the process was created, and if you, as the business owner, circumvent it, your team will not recognize a scam like this if they think it’s coming from you.
- Teach your employees how important cyber security is to both your company and your bottom line.
- Empower your team to listen to their hearts and go with their gut. If something seems or feels wrong, it probably is and they should question it, even if the request or demand is coming from someone with authority.
- If the request has a sense of urgency, and demands immediate payment and action, that’s another clue. As a business owner, be careful how often you demand your team to drop everything they are doing to cut a check or send a payment. If you do it too much or too often, your team may not recognize the urgent demand as an unusual request from you.
- Train, re-train, and remind your staff about these scams so they can spot one when it happens, especially if you are going to be out of town or off the grid.
- Don’t use email to communicate internally. Use Slack or other team-messaging technology, and use it exclusively. For us, the fact that the request from “me” came through e-mail instead of Slack was one clue that it wasn’t really me.
- Phishing emails are typically written overseas by people who are not English-savvy. Look for punctuation or grammatical errors as clues, as well as unusual or fancy vocabulary that most people wouldn’t use, especially in informal and internal email communications.
- If someone on your team gets an email that looks/feels weird, have them hit “reply” and look closely at the email address that will appear in the “From” box. They will notice that the email address will be ever-so-slightly different than yours. In our case, the perpetrators added an extra “i” to my email address, which was very easy to miss.
- Don't post your email address online in public profiles on social media where it can be easily found by people you are not directly connected to. The same goes for your website, try to avoid posting staff emails that can then be used for scamming.
Think that a phishing scam can’t happen in your firm? Take a look at some recent stats:
- According to PhishMe’s Enterprise Phishing Resiliency and Defense Report, phishing attempts have grown 65% in the last year.
- Wombat Security State of the Phish says that 76% of businesses reported being a victim of a phishing attack in the last year.
- A Verizon Data Breach Investigations Report indicates that 30% of phishing messages get opened by targeted users and 12% of those users click on the malicious attachment or link.
- The SANS Institute found that 95% of all attacks on enterprise networks are the result of successful spear phishing.
- According to Symantec, phishing rates have increased across most industries and organization sizes — no company or vertical is immune.
Make sure your employees are well aware of what phishing is and that they know the necessary steps to take to avoid falling victim to one of the most common forms of cyber attacks. If you would like assistance in implementing processes and procedures within your account department to safeguard your assets, our team at a la carte solutions can help you. Just give us a call at 844.925.2227.