By JOE BALSAROTTI
Gotta love the tech industry. We make up names for everything. The newest name to come to the forefront is spear phishing, since misspelling “fishing” makes it sound more futuristic, I guess.
Seriously, scams and outright theft in the digital world have become a sophisticated criminal enterprise. Whereas just a couple years ago, scammers would spam millions of email addresses hoping to reel in a handful of people, now thieves are researching companies, their staff, their suppliers and their customers in extremely targeted attempts to fool people into either giving up their user names and passwords or outright attempts to get money transferred.
Emails purporting to be from your bank, your brokerage, your suppliers or your clients –
recreated complete with company logos and fonts – claim there was a problem with their systems and all you need to do is reenter your credentials via a link they provide. That link takes you to a fake website, again, recreated to match the legitimate one down to the smallest detail. It’s a fake website just waiting like a spider for some person to let his or her guard down, just once, and enter personal info. Once it’s done, scammers quickly use those credentials to access the legitimate site and either spend the limit within seconds, redirecting shipments to a place of their choosing, or sit with the info for months – waiting for the right moment to take control of business dealings that can easily add up into six or even seven figures in a matter of hours. We’ve received warnings of targeted attacks from both our vendors and major clients. They’ve seen evidence of pinpointed attacks of even the smallest businesses.
Another common scam now is the thorough research of spear phishing, in which an email will show up in the inbox of an employee with authorization to transfer funds, supposedly from the boss’s boss, asking for money to be transferred to an account. Usually there is some supposed catastrophe or a “once in a lifetime” deal that will slip away if the money is not transferred immediately.
Luckily, any business with even basic security procedures in place should catch these attempts. After all, no money should ever be transferred to a new account without multiple cross-checks. However, once again, all these crooks have to do is catch the newbie – or someone having an off-day – and the money is gone. I know of two clients who have been targeted with these attempts. In both cases, a bank employee did not follow procedure. In one case the account number was mistyped, so what would have been a disaster was averted. In the other case, the bank involved had to make the client whole since the employee did not follow any of the verification procedures that were in place. Still, in both cases, there was a considerable amount of wasted time and a lot of stress that shouldn’t have befallen these businesses in the first place.
Besides educating staff about these threats, businesses that regularly transfer money should consider using a separate domain (and separate email addresses) that are not connected to the company’s everyday domain name when sending financial data and requests. Also, all emails that contain account numbers, usernames or other such information should be encrypted. Office 365 has this capability, as do several third-party services such as Bracket from Mailprotector. Also, no funds transfer should be initiated without a second type of verification. For example, if the initial request comes in via email, the verification should be by telephone.
The same applies to attempts to snatch employee data. Like the scam I outlined above, this time the scammers pose as someone needing to verify employment info or say they’re from the employee’s bank and are trying to troubleshoot why the employee’s direct deposit didn’t go through. Once these scammers get the SSN and/or bank account info, employees will be dealing with cleaning up identity theft. And if it gets traced back to the employer, look for the lawyers to circle. I had a relative who was scammed by the opposite version of this. She was contacted supposedly by her employer’s HR office to verify bank info for a direct deposit. The result? Scammers redirected her paycheck to their account. The employer’s failure to verify that it was indeed my relative who initiated the change – and failure on my relative’s part (as the employee) to hang up and independently call the HR department to verify the action – led to the success of this scam attempt.
As owners and managers of small businesses, we are very juicy targets to these scammers, who are usually overseas and have significant resources. Using information specific to a business owner, scammers try to find a soft target such as an employee who is distracted, new, not well-trained or just doesn’t follow procedures. Simple searches of company websites, press releases, LinkedIn and the like provides a treasure trove of information that these scammers can use. Fake emails, texts or voicemails ask the employee to transfer money to a supposed new bank account, pay a new vendor in advance to get a project moving or impersonate the identity of one of the business’s long-time vendors, which just so happened to have changed its remittance information today.
Joe Balsarotti is President of Software To Go and is a 40-year veteran of the computer industry, reaching back to the days of the Apple II. Keep up with tech by following him at Facebook.com/SoftwareToGo or on Twitter @softtogo