Would you take the risk of paying an invoice without checking its validity? Don't risk your career: think twice before you pay that invoice. The FBI reported in January 2015 that nearly $215 million had been stolen from businesses in the previous 14 months through phishing or hijacking of email accounts. So what is phishing? It is defined in various ways, but here are some examples of phishing emails that threaten your business:
You receive a fishy-looking request to click on a link that is “interesting”. These emails are normally sent to thousands of accounts. Clicking on the link may download malware to your PC that saves information you type into your PC, including usernames and passwords to websites and company applications.
You receive an email that appears to be an official communication from your bank. It can include your personal or business name, instructing you to click on a link to complete some urgent task. This link brings up a fake website that looks very much like the bank’s. When you enter your username and password, this information is saved by cybercriminals to use later, transferring money from your account.
You receive an email from your boss, asking you to execute a wire transfer to a reputable firm.
Hold on, should I be suspicious of that email from my boss? Well, yes. Always think twice before you pay that invoice or transfer funds!
In a post earlier this year we highlighted the Scoular case as an example of how highly targeted phishing emails can be. The Scoular Co. lost $17.2 million in June 2014 as a result of phishing. Details of the case illuminate some of the warning signs of a phishing attack. Scoular has international business interests, and wire transfers are frequently used. So it did not raise a red flag when Scoular’s controller received an email to wire $780,000 to a Chinese bank. The email purportedly was sent by the CEO (it wasn’t). The money was to be wired to a real bank, Shanghai Pudong Development Bank. The controller transferred the money.
The next day he received a second email to wire $7 million and to contact his auditing firm for details on sending the money. He then received those details (unsolicited) in an email fashioned to look like it came from the auditors.
One of the emails read, “I need you to take care of this. For the last months we have been working, in coordination and under the supervision of the SEC, on acquiring a Chinese company. ... This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations.”
The third and final email, received three days later, requested an additional $9.4 million. During the investigation of the affair, the controller told the FBI that he “was not suspicious of the three wire transfer requests” because there was an element of truth to all of it. Needless to say, the controller was fired from Scoular.
Also last year Ubiquiti Networks, a Silicon Valley computer company, reported it was scammed out of nearly $47 million by cyber criminals. This criminal fraud involved "employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department."
Phishers are preying on human nature. They collect information about your business from many sources:
In the case of Scoular, the phisher knew the name of their auditors and was aware that the company was pursuing interests in China. Phishers tend to start small and then escalate their requests with each success. Their first request in the Scoular case was for $780,000; their last was for $9.7 million.
As reported by Krebs on Security, an employee at another company, who requested anonymity, received an email requesting a wire transfer of $315,000. She thought the amount was higher than normal, and the email sounded more formal than she would expect from her CFO boss. She did a little checking and found that “the message had been sent from a domain name that was one look-alike letter different from her employer’s true domain name”. The account used to send the email was also not the CFO’s. She did not wire the money. This employee still has her job.
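The two checks that saved this employee, a sender domain one look-alike letter away from the real one and a sender account that is not the CFO's real mailbox, can be automated at the mail gateway or in a finance team's inbox rules. The script below is an added example, not code from this article or from SpamTitan; the company domain, the CFO mailbox, the keyword list and the sample email are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed values for this example, not from the article or any real company.
TRUE_DOMAIN = "scoular-example.com"       # the employer's real domain
CFO_MAILBOX = "cfo@scoular-example.com"   # the mailbox the CFO really sends from
CONFUSABLES = {"1": "l", "0": "o", "rn": "m", "vv": "w"}  # common homoglyph swaps
WIRE_WORDS = ("wire", "transfer", "urgent", "confidential", "only communicate")

def edit_distance(a, b):
    """Levenshtein distance: 1 means one letter added, dropped or changed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, true_domain=TRUE_DOMAIN):
    """True for a domain that is not the real one but sits within one edit of
    it once look-alike characters (1->l, 0->o, rn->m, vv->w) are folded."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return domain.lower() != true_domain and edit_distance(d, true_domain) <= 1

def check_wire_request(raw_email, expected_mailbox=CFO_MAILBOX):
    """Return the warning signs found in one raw email (empty list = none)."""
    msg = message_from_string(raw_email)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    body = msg.get_payload().lower()
    findings = []
    if is_lookalike(domain):
        findings.append(f"look-alike domain {domain} (real: {TRUE_DOMAIN})")
    if sender != expected_mailbox:
        findings.append(f"sender {sender} is not the expected {expected_mailbox}")
    if reply_to and reply_to != sender:
        findings.append(f"replies are routed elsewhere: {reply_to}")
    if hits := [w for w in WIRE_WORDS if w in body]:
        findings.append("pressure/wire language: " + ", ".join(hits))
    return findings

# Constructed sample modelled on the case above: one letter differs (scouler vs scoular).
SAMPLE = """From: CFO <cfo@scouler-example.com>
Reply-To: cfo.private@mail-example.net
Subject: Wire transfer

Please wire $315,000 today. This is confidential, only communicate with me by email.
"""
```

Running `check_wire_request(SAMPLE)` reports all four warning signs; a genuine lunch invitation from the real CFO mailbox returns an empty list, so the check can gate wire-request emails without flagging normal traffic.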
Trust your first impressions of the email and consider the following:
If the message is suspicious, there are some steps you can take:
What is the easiest way to check if an email represents phishing? Use another communication method such as the telephone or snail mail. But do not use the address or telephone numbers in the email. Google the real company website or obtain the real phone number from online white pages or yellow pages. Otherwise, you could be contacting the phishers!
Use advanced spam and malware protection that provides phishing protection. A solution like SpamTitan will block phishing emails before they reach your network.
In addition, the FBI recommends the following:
Try SpamTitan to block these spam and phishing emails from ever reaching your users' inboxes. Sign up for a FREE SpamTitan trial today.