
Is Your Social Media Presence Compromising Your and Your Company’s Security?

By Francis West on 4th June 2019
Filed under: Security

You may think your personal activity on social media has nothing to do with your company. However, nothing could be further from the truth.

Let us share a true story with you: names and finer details have been changed to protect those involved.

John, CEO of Delivering IT, was at the airport looking forward to his family holiday in Cyprus. Sitting in the airport lounge, he ordered a gin and tonic, took a photo of it, and posted it on Facebook saying: ‘starting the family holiday off right – Cyprus – here we come!’

A couple of days later, Susan, Head of Accounts & Finance at Delivering IT, received an email that looked as though it was from John. It went along these lines:

"Hi Susan

Hope all is well back in England. Cyprus is wonderful, sunny, around 25 degrees – can’t keep the kids out of the pool! Thanks for holding the fort so I can relax!

I forgot to pay Auto Accessories for some new jump starters I’ve ordered for the fleet and I know the Fleet Manager is keen to get them. Can you transfer £10,000 to (followed by account details)?

Thanks and sorry to drop this on you.

All the best

John"

The email address looked as though it came from John’s work account, and the company did have a fleet of cars, vans and trucks for delivering their computer hardware, so the request seemed legitimate. Susan paid the money.

When John returned from holiday, he raised the query as to where the £10,000 had gone and the fraud was discovered.

So, how did this happen?

1) Hackers spotted his post on Facebook. In his bio, it mentions his company’s name, so now the hackers know John is CEO of Delivering IT and is away on holiday to Cyprus.

2) Googling the company produced the website, complete with the Meet The Team page listing all the department heads and their email addresses. Now the hackers know what format the company addresses follow. They know Susan is Head of Accounts & Finance and they have her email address.

3) They created a new email domain that followed the company format (because John’s email is listed too), but perhaps with just an extra letter or number somewhere, something easily missed by the unsuspecting. For example john@deliveriingit instead of john@deliveringit.

4) Susan had no reason to be suspicious so didn’t pay much attention to the email address. She saw the email, followed the boss’s request and paid the money.

5) Hackers took the money and disappeared into the ether.

And that was it. Simple.

So, how do you protect yourself from this type of impersonation phishing attack? The starting point here is the post on Facebook. Our advice would be to not use social media, but if you must, ensure your privacy settings are as high as possible, set to Friends Only, not even Friends of Friends – you may be careful about the Friend requests you accept, but can you guarantee all your other contacts are?

Do not accept Friend requests from anyone you do not personally know. Apart from potentially giving hackers access to personal information they can use against you, hackers can also hide malicious code within requests. Once you accept the request, that code downloads onto your computer. This could result in a number of things: hackers gaining control over your computer and locking you out (ransomware), monitoring your keystrokes to gain access to your banking and credit card information, plus all your other emails and passwords for every account you ever log into – the list goes on.

Set up a code word between you and your key staff members so that, should a money transfer request be made, the code word must also be provided to authenticate the request. Obviously, this code word should be kept secret and no written record of it be made anywhere!

Educate staff so they know to look out for anything slightly out of the ordinary. It was unusual for John to ask Susan to transfer money in this way but, as he’d been busy before he left, it didn’t seem strange to Susan that he might have forgotten to do it.

Install an email security package that monitors for new email domains. There are email security systems that would have automatically picked up the extra letter/number in John’s email address and quarantined it, so it would never have reached Susan in the first place. These types of systems also have the ability to screen out spam email, so, rather than staff wasting a significant amount of time deleting junk from their inbox, only genuine work emails arrive.
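The kind of check such a system performs on the sender's domain can be sketched as follows. This is an added example, not code from any particular product: the `.example` TLD, the two-edit threshold and all function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the page gives the domain without a TLD, so ".example" is a placeholder.
TRUSTED_DOMAINS = {"deliveringit.example"}
MAX_DISTANCE = 2  # edits tolerated; too loose for very short domains

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From header."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if "@" not in address or not domain:
        return "invalid"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A domain within a couple of edits of ours, but not equal to it, is suspect.
    if any(edit_distance(domain, t) <= MAX_DISTANCE for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"

def quarantine(from_headers):
    """Return the headers a mail filter should hold back for review."""
    return [h for h in from_headers if classify_sender(h) == "lookalike"]

# Constructed sample headers, modelled on the story above.
SAMPLE = [
    "John <john@deliveringit.example>",                  # genuine
    "John <john@deliveriingit.example>",                 # extra letter, as in step 3
    "John <john@deliveringit1.example>",                 # extra number
    "Auto Accessories <sales@autoaccessories.example>",  # unrelated supplier
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(f"{classify_sender(header):10} {header}")
```
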

Think your staff can spot phishing attacks? Think again!

In March 2019, West Sussex County Council sent out fake phishing emails to 886 staff. Some were sent by a third party, with offers of free iPhones or requesting them to change their bank details. One was supposedly sent by the Council telling staff to reset their work passwords. Now for the scary bit: out of 886 recipients, 611 people opened the emails in spite of glaringly obvious errors within them. Even worse, 285 clicked on the link it contained. 200 clicked on the link from the ‘Council’ even though ‘Sussex’ was misspelt. These links could have contained ransomware or some other form of malware that could have infected their entire network within a few minutes, locking everyone out until a ransom was paid. If they had the right email security in place, these emails would never have made it into their inboxes in the first place.

Remember, 91% of all cyber breaches occur directly as a result of phishing. Taking into account the enormous and irrecoverable damage to reputation, downtime due to loss of access to systems plus crippling fines from the ICO, can you really afford not to have an email security system in place?
