One Successful Phish Can Kill Your Business

The FBI documented $26 billion in business email compromise losses in the three years leading up to July 2019. That's just what was reported to them. How much loss could your company take before it had to lay off staff or close down? $50,000? $100,000?

Let's discuss how email phishing (trolling for victims) works and how your staff can spot red flags.

Phishing Email Example

From: Janet Smith <jsmith-acme@gmail.com>
To: Jack Jones <jackjones@acme.com>

Jack, please send me your cell number and wait for my text. I need you to get an assignment done ASAP.

Some email clients will even hide the "jsmith-acme@gmail.com" address and just show Janet's name. If Janet is the CEO or another officer, and Jack doesn't pay close attention, he could end up texting with someone else and following their directions. At that point, "Janet" may request an emergency wire transfer. Often company officers' names are listed on the web site or findable on LinkedIn.

Worse still, if they have compromised someone's email account, they can send directly from that account and hide or reply to any responses.

If the company's domain lacks SPF or similar email protections such as DKIM and DMARC, the hacker can simply forge the From address directly!
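A mail-gateway or mailbox rule can catch the display-name trick and the forged-sender case described above. The following is an added example, not code from the original article; it assumes the company domain is acme.com, that the mail gateway stamps an Authentication-Results header, and uses a constructed sample message.

```python
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "acme.com"  # assumption: the organisation's own domain
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def phishing_flags(raw_message: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Display name may look internal while the address is not on the company domain.
    if domain and domain != COMPANY_DOMAIN:
        if domain in FREEMAIL_DOMAINS:
            flags.append(f"From is a free webmail address: {addr}")
        if COMPANY_DOMAIN.split(".")[0] in addr.lower():
            flags.append(f"From address imitates the company name: {addr}")
    # Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To differs from From: {reply_to}")
    # Gateway verdict: SPF/DKIM/DMARC failure, or no check performed at all.
    auth = msg.get("Authentication-Results", "").lower()
    if not auth:
        flags.append("no Authentication-Results header (sender not verified)")
    elif any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        flags.append(f"sender authentication failed: {auth}")
    # Wording that pressures the reader to act before verifying.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(w in text for w in ("asap", "immediately", "urgent", "wire", "gift card")):
        flags.append("urgent or money-related request in body")
    return flags


# Constructed sample modelled on the message shown in the article.
SAMPLE = """From: Janet Smith <jsmith-acme@gmail.com>
To: Jack Jones <jackjones@acme.com>
Subject: quick task
Authentication-Results: mx.acme.com; spf=pass smtp.mailfrom=gmail.com

Jack, please send me your cell number and wait for my text. I need you to get an assignment done ASAP.
"""

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("RED FLAG:", flag)
```

The SPF check here only reads the gateway's verdict; it does no DNS lookups itself.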

Phishing Red Flags

Request Gift Cards

"I'm in a meeting and forgot to get everyone a thank-you gift! Can you get ten $100 iTunes cards for me?"

Invoice Payment

"As you can see from the attached document we have a new client ready to make a large one-time purchase. This is highly confidential, please do not discuss with anyone! Just complete the payment as described so we have enough product on hand."

Another common tactic is to scare the reader by sending a fake invoice for a service, to trick them into calling and providing their personal info to "verify their identity."

Wire Transfer

Bank wire transfers settle immediately, and if the crook moves the funds out right away, they are probably not recoverable.

Changing Payment Instructions

"Hi, this is Jane from Wholesale Supply. We changed banks and I forgot to tell you! Please immediately change your automatic payment to the new instructions below so your company doesn't fall past due!"

Payroll Information

The thief may send a form to confirm W-2 information such as Social Security numbers.

Unexpected Attachments

Generally attachments that aren't expected should be viewed as suspicious. If in doubt, ask if it is legit, preferably not by replying to the email.

Urgency

Thieves often request a task be completed as soon as possible, discouraging verification.

Poor Grammar

Stilted diction or poor grammar from non-native speakers is still a good indicator, though this may tail off somewhat as hackers polish their skills.

Phone Numbers In The Email

Thieves will "helpfully" list a toll-free phone number in emails and on fake web sites. Don't trust it; look up the actual phone number on the company's web site (not in a search engine!).

How to Prevent Phishing

  1. Multi-factor authentication blocks 99.9% of password hacks
  2. Educate staff
  3. Verify money transfers directly
  4. Involve your IT consultant to install anti-malware software and maintain email security

April 2022