A phishing attack CAN happen to you and cost you thousands.
We all know about phishing attacks. But this week two incidents struck pretty close to home and made me realise how vulnerable we’re becoming as the scamsters get even smarter.
Incident #1 – an email supposedly from ME!
One of my team, Sharon, got a nice chatty email from me, asking her to make a Faster Payment for me. Because it sounded like me and even had my email footer (very scary) she replied to ask what I needed. Even though the email address said it was mine, her reply went to the fraudster – once they knew they’d engaged her, they told her how much the transfer was for.
Now as Sharon doesn’t work for me, she wouldn’t be transferring money for me anyway, but you can see how someone could very easily just follow through on that.
Which leads me to the second incident which we heard about just yesterday.
Incident #2
Identical situation, except this time it was supposedly from the Chief Exec of a business to the finance manager, asking them to make a payment of tens of thousands. This time the payment got made and the money is thought to be lost.
Was our security breached?
You can imagine, I went a bit nuts at the IT Department (Techy Sean) wanting to know how it happened. He’s pretty anal about our security and checked everything – no, we definitely weren’t hacked.
The scammers are getting sneaky
The obvious scam emails are from people we’ve never heard of, usually in terrible English, asking us to transfer our lives away on the promise of long lost inheritances.
These ones are much cleverer. They’re doing their research and finding out your email address (pretty easily done) and researching on your website and social media profiles to find out the chain of command, ideally who is in finance and who the boss is. Then they send an email supposedly from the boss to finance, asking them to make large payments. And the tone is friendly and day-to-day. They say that they’re going to be tied up in meetings but the payment is urgent and needs making immediately.
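As an added example (not part of the original post), here is a small Python check for the two tricks behind Incident #1 and the scam described above: a Reply-To header that quietly sends replies somewhere other than the apparent sender, and a From line whose display name matches one of your own people while the address sits outside your domain. It also flags the "tied up in meetings, pay this immediately" wording. The domain, the protected names and the three sample messages are all constructed for illustration.

```python
"""Flag inbound mail that impersonates a known internal sender.

Added example, not the original post's own code. Domain, names and the
sample messages below are constructed for illustration only.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed values: your own mail domain and the (lower-cased) display names
# a scammer would most likely impersonate, e.g. the boss.
OUR_DOMAIN = "example.co.uk"
PROTECTED_NAMES = {"serena", "chief exec"}

# Pressure phrases that appear in the emails described in the post.
PRESSURE_WORDS = ("urgent", "immediately", "in meetings")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: bytes) -> list[str]:
    """Return warning strings for one raw email message (empty list = nothing found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _reply_name, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    warnings = []

    # 1. Display name belongs to one of us, but the address is external (lookalike domain).
    if from_name.strip().lower() in PROTECTED_NAMES and _domain(from_addr) != OUR_DOMAIN:
        warnings.append(f"display name '{from_name}' with external address {from_addr}")

    # 2. Replies are diverted: Reply-To domain differs from the From domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        warnings.append(f"Reply-To {reply_addr} differs from From domain {_domain(from_addr)}")

    # 3. Urgent payment request in the body text.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "payment" in text and any(word in text for word in PRESSURE_WORDS):
        warnings.append("urgent payment request in body")

    return warnings


# Constructed sample 1: Incident #1 style. From shows our own address, Reply-To does not.
SAMPLE_REPLY_TO_DIVERT = b"""From: Serena <serena@example.co.uk>
Reply-To: serena@serena-example.net
To: sharon@example.co.uk
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Hi Sharon, I'm tied up in meetings all day but need a payment made immediately.
Can you do a Faster Payment for me?
"""

# Constructed sample 2: Incident #2 style. Right name, lookalike domain (examp1e, digit one).
SAMPLE_LOOKALIKE = b"""From: "Chief Exec" <chief.exec@examp1e.co.uk>
To: finance@example.co.uk
Subject: Supplier payment
Content-Type: text/plain; charset=utf-8

Please make a payment to the supplier below today, it is urgent and I cannot be reached.
"""

# Constructed sample 3: an ordinary internal message that should pass cleanly.
SAMPLE_LEGIT = b"""From: Serena <serena@example.co.uk>
To: sharon@example.co.uk
Subject: April figures
Content-Type: text/plain; charset=utf-8

Hi Sharon, can you send me the April sales report when you get a chance?
"""

if __name__ == "__main__":
    for label, sample in (("reply-to divert", SAMPLE_REPLY_TO_DIVERT),
                          ("lookalike domain", SAMPLE_LOOKALIKE),
                          ("legit", SAMPLE_LEGIT)):
        print(label, "->", analyse(sample) or "no warnings")
```

The check runs on the raw message, so it can sit in a mail-gateway rule or a quick triage script; a hit is a reason to phone the apparent sender on a known number before any payment is made, which is exactly the control the list below asks for.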
This is going to cost businesses millions
So in just two days I came across two phishing scams totalling £66k. Just imagine the scale of this and what it could cost.
It’s so important that if you never take any notice of another word I ever say, please do something about this RIGHT NOW!
What can you do to prevent it?
- Immediately put a procedure in place that NOTHING gets paid without an approved purchase invoice or order. Authorisation, procedures and controls have NEVER BEEN MORE IMPORTANT.
- Put a dual authorisation procedure in place with your bank so that more than one person needs to log in and authorise payments.
- Make it clear that there are no exceptions to these new rules and empower your finance team to enforce them no matter what.
- Make sure every person in your business knows about these emails.
What about the other phishing tactics?
Unfortunately many businesses are up against staff who continually click on things that infect their machines. Sean has a word for these users – THE STUPID PEOPLE! But these people could cost you a small fortune so the message needs repeatedly drilling into them.
Your IT people should be all over this but again I would reinforce to your teams that no one should EVER click on an email attachment if they don’t know the sender.
There are of course loads of other more subtle attempts to get us to open attachments on emails and click on spurious links that will take us to the arms of the fraudsters.
So what can you do if you’ve been caught out?
Get in touch with your bank immediately and the police too. It’s always possible that the accounts the money was transferred into are already being flagged or watched if there have been reports about fraudulent transactions. You should also report all frauds or attempted frauds to Action Fraud http://www.actionfraud.police.uk/
If you’d like to find out some more about phishing then this article is pretty useful https://en.wikipedia.org/wiki/Phishing
This isn’t supposed to be a blog about security, it’s not exactly my area of expertise, but please do check with your IT department or IT provider that your security is as up to date as possible. It won’t stop this sort of scam but it will protect you against the hackers. And please make sure you’re backing up regularly and your data is safe.
Hi Serena
As you say, it’s a rapidly developing area and businesses need to be aware that, in addition to the sensible risk management mentioned above, insurance products are starting to appear to cover this sort of cybercrime.
I would be happy to discuss this with any of your clients.