This post is part of an IT security series we’re presenting to provide real life examples of how organizations are falling victim to modern attacks. We can preach about what attacks look like, or give them interesting names, but the fact is they have real impacts and affect real people.
I’m writing about phishing attacks. Most of these prey on human curiosity, the lure of something free, or the individual’s lack of knowledge. Part two of this series will focus on network security.
Here’s the Scenario:
This is a real-life event. We won’t be naming the organization here, but this situation occurred with a Real Estate Title company. The accounts payable personnel received an email from their president instructing them to prepare a $115,000 wire transfer. The email included the recipient and all the needed elements for a wire. Accounts Payable processed the wire and distributed the funds.
As you can guess, the wire request was fraudulent, and the company lost the 115K. By the time they found out it wasn’t initiated by the President, the funds were gone and not recoverable. For some firms, they can’t survive a fraud like this. This firm had the money, but it did cost someone their job. It also wreaked havoc with profitability and budgets, not to mention the scrutiny they got from the owners, their banker and the employees (despite an effort to suppress this information, it was known by all at the company and shortly became public). Unfortunately, this is not an extreme example.
This is a perfect example of the phishing scams that are going on right now. The email appeared legitimate because it contained enough information to make the folks in A/P act. A simple review of the email message made it obvious that it wasn’t really from the president.
- The source of the message wasn’t from within the company.
- The signature lines weren’t consistent with company standards
- A/P failed to verify the vendor and the nature of the business necessity
We’ve all received a “UPS package delivery” message, or “vendor password reset” warning. They get more creative every day. As I write this, I saw an email saying we’re delinquent on a lease payment and being turned over to collection. The interesting part, is we don’t have any leases at our firm!
Interested in learning more about how educating your users can help keep your business safe from phishing attacks? Contact us today for a consultation!
How do we combat these?
Policies
Do you have standard operating procedures regarding “questionable” email? Are they known by all? How frequently is this subject broached with co-workers? Is it part of new employee or recurring training?
- The Accounting department especially needs a system of checks and balances (two signatures, PO process, verification, etc.)
Education
What is your message to the staff? How do you teach people what to look for? Is the staff telling you when they get these? Are they following your required protocol? How do you know?
Trust but Verify
Ronald Regan used this phase with Mikhail Gorbachev after signing the INF (intermediate Nuclear Force) treaty in the late 80’s. It was a Russian proverb prior to that!
- Did you know there are tools that can simulate Phishing Attacks? Email, “Beyond the Click”, SMS, Voice, and Found media (USB drives) can all be tested.
- There are hundreds of scenarios based on what/who you want to test. Everything is highly customizable.
- If someone falls to a lure, they can be directed to a workflow engine that facilitates training and testing and notifies IT of the instance.
- Users can also report suspicious email to your help desk through some of these tools
Much of this is a social engineering fix. Not everything involves tools and capital investment.
If you would like to learn more and find out about the tools I mention above, please contact me at tim.krueger@pei.com. Our teams look forward to helping you build a more secure environment.
Tim Krueger, PEI
