A real-life story of a recent phishing scam email that almost cost my company $10,000!
Phishing is an age-old cybercrime. It is the online version of a confidence trick, and it has survived since the early days of the Internet for one obvious reason: it works. The setup is typically an attacker who poses as a trusted entity to get you to hand over personal information or money. These scammers pretend to be legitimate companies or people you know (your bank, your credit card issuer, a coworker, a relative) in order to trick you into giving up credentials, account details, or funds.
Phishing comes in many forms, and phishing emails are increasingly aimed at small and midsized businesses. Why? Cybercriminals assume smaller businesses lack the resources and expertise that large companies have to defend themselves, which makes them an attractive target.
If you’ve always believed your company isn’t vulnerable to an outside security threat, you’re not alone – 88% of companies believe the very same thing. But the reality is that if you’re opening emails, running a Facebook page, or even just accessing the Internet, you are a target.
A Recent Phishing Scam
In fact, we were recently hit with a phishing scam. In November 2015, our comptroller received what appeared to be an email from me. When you see the email below, it looks exactly like it’s coming from me. It even includes my picture and email address.
From her perspective, it’s not unusual for me to send these types of emails to request payments for various accounts. So, my comptroller fell for it and transferred $10,000 to this cybercriminal.
But something inside her didn’t feel right the moment she hit “send”. About four minutes after she transferred the funds, she called me to confirm this request was legit. As soon as she found out I had no idea what she was talking about, she called the bank and got the transfer stopped. Just a few more minutes and we would have lost $10,000!
With so much data online, this cybercriminal was able to pull our contact information and send my comptroller an email that looks exactly like it was coming from me but from an outside email service. When she replied to the email to respond to my “so-called” request, she felt something was funny, but missed that the email return address was slightly different. Likely the funny feeling she had was her subconscious noting the wrong return address even when she wasn’t consciously aware of it. If it wasn’t for her quick action to call me to verify, that cybercriminal would have gotten away with the money transfer.
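The tell in the story above is in the headers: a familiar display name sitting on an address at an outside mail service, and a return (Reply-To) address that differed slightly from the real one. Those are mechanical checks a mail gateway or a small script can make before a human ever reads the message. The following is an added example, not code from the original post; the company domain (example.com), the executive roster, and both sample messages are constructed for illustration.

```python
"""Header checks for executive-impersonation (business email compromise) mail.

Added example; not from the original post. INTERNAL_DOMAIN, EXECUTIVES and
the two sample messages are constructed assumptions for illustration.
"""
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: the company's real mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumption: display names worth guarding


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def check_message(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means no impersonation signals."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but sender is {addr}; expected {expected}")

    # 2. Sender domain is a near-miss for the real company domain.
    if from_domain != INTERNAL_DOMAIN and levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} is within two edits of {INTERNAL_DOMAIN}")

    # 3. Reply-To steers the conversation to a different domain than From.
    for _, reply in getaddresses([str(h) for h in msg.get_all("Reply-To", [])]):
        if domain_of(reply) != from_domain:
            findings.append(f"Reply-To {reply} differs from From domain {from_domain}")

    # 4. Payment-request wording: the trigger for an out-of-band confirmation.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(k in text for k in ("wire", "transfer", "urgent")):
        findings.append("payment-request wording; confirm by phone before acting")

    return findings


# Constructed sample resembling the scam described above (not the real email).
SCAM = b"""From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <ceo.jane.doe@freemail.example>
To: comptroller@example.com
Subject: Payment needed today
Content-Type: text/plain; charset="utf-8"

Please wire $10,000 to the vendor account below before noon. I am in
meetings all day, so reply here rather than calling.
"""

# Constructed legitimate message from the real address for comparison.
LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: comptroller@example.com
Subject: Q3 report
Content-Type: text/plain; charset="utf-8"

Please send me the Q3 report when it is ready.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM), ("legit", LEGIT)):
        print(label, check_message(sample) or "no findings")
```

Run against the constructed scam message this produces four findings (impersonated display name, look-alike domain, mismatched Reply-To, payment wording) and none for the legitimate one. The edit-distance threshold of two is a deliberate assumption; tune it to the length of your own domain, and treat any finding as a reason to confirm out of band rather than as proof of fraud.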
Best Line of Defense
The reason I share this openly is because if it happened to me, it can happen to you, too. Small businesses are particularly vulnerable because they often have fewer resources and defenses. Even if you consider yourself cyber-savvy, you still need to keep your guard up for new tricks and be proactive about your safety.
To help protect your business from these types of phishing emails, here are 3 tips to get you started.
- Develop an internal process with your CFO, Comptroller and Accounting team for how you handle monetary transactions for your business. For example, after this incident occurred, we modified our policy so that any money transfer request over $1,500 from me or anyone else on the leadership team must have at least two different confirmations. If the initial request comes in via email, a confirmation via a phone call or text message exchange is mandatory before the request is fulfilled. The confirmation should go to a phone number you already have on file, never one supplied in the email itself, since an attacker can just as easily supply a phone number as a look-alike email address.
- Build a culture of security. Establish basic security practices and policies for your employees and hold regular security training sessions. Use these sessions to make them aware of the various forms of cyberattack, including phishing, malware, spyware, ransomware, and other common and emerging threats. Also use this time to open up the conversation: show them examples of what to look for, encourage them to check with each other, and reinforce the habit of being suspicious and on guard for attacks like this one. Include these conversations in every weekly meeting with your staff.
- Safeguard your business with a robust security team. Much cybercrime succeeds because the victim did not know what to look for, and it is hard to be an IT expert when you need to be focused on your own business. The solution is an expert IT team that implements security best practices for your network and regularly checks for weaknesses so they can be closed before you lose data or money.
By implementing these precautions and best practices, you can help mitigate business risks associated with these types of cyberattacks and help stop cybercrime from happening to you.