Reduce exposure to spear fishing

Spear phishing is alive and well and hackers are targeting our business community in sleepy Victoria, BC. Hackers lurk in the shadows targeting local businesses. They watch and wait for the most opportune time to prey upon them. 

Recently a manager’s email account of a well-known, and professional Victoria-based business with 50 employees was spoofed. The so-called “manager” emailed human resources and requested a change to their banking information. The hackers addressed the HR manager by name. And impersonated an important employee while submitting what appeared to be a standard request. The manager has changed banks in the past. When this change occurred, information was updated for direct deposit — not a big deal. 

While the hacker was successful in getting information, luckily where he went wrong, he failed as he missed a single digit on the bank account. Therefore, the hacker never made the switch, and the attempt was not completed. Some internal due diligence also uncovered that it was not the manager who requested the change to begin with. 

Immediately after this attempt, the business developed a new HR policy stating that such requests need to be made in person only. 

I am a fan of the double-double check for any user requests from admin password changes, payroll, HR, equipment or facilities. Users send requests via email or writing to their direct superior or counterpart (communication trail) who confirms it back via phone or otherwise and then sends it on noting confirmation, and then that approval gets sent to the appropriate department, and then the “actioning” department again confirms via another method other than email with the requester. 
 
—Werner Baron, Centralized Services, Smart Dolphins IT Solutions 

In this video, cybersecurity instructor Sonya Goulet explains the business impact of a successful email phishing campaign. 

According to Trend Micro, 91 per cent of cyberattacks and the resulting data breach begin with a spear phishing email.

Trend Micro

What you need to know when it comes to spear phishing

Small to medium-sized businesses in Victoria are being targeted. Don’t think for one minute that you are not in the spear phisher’s sights. 

Humans are still the weakest cybersecurity link. Every employee needs cybersecurity training. You can have particularly good IT and still fall victim to scams like spear phishing which can have a devastating fiscal impact on your business. Offer annual training and make it part of the HR process when you are onboarding new employees. Be sure that any employees who have access to your business bank accounts (or your client’s information) are well-trained. 

Put policy in place if you have not already done so. Review all your financial procedures. Make sure that each process is a rigorous one that cannot be manipulated. 

When possible, have “human-to-human” communications during the process. Where that is not possible, have a multiple-contact process that cannot be manipulated from the same device. 

Finally, financial procedures should include recording of how these approvals were managed: dates, times, how they were conducted. In human-to-human situations, a physical signature or initial should be required. If fraud occurs, this is helpful 

  1. to demonstrate due diligence for any insurance claims, and
  2. to identify where the process failed so it can be revised to avoid a repeat.

 

Spoofing | Tricking or deceiving computer systems or other computer users. This is typically done by hiding one’s identity or faking the identity of another user on the Internet. E-mail spoofing involves sending messages from a bogus e-mail address or faking the e-mail address of another user. Since people are much more likely to read a message from an address they know, hackers will often spoof addresses to trick the recipient into taking action they would not normally take.

KnowBe4

Victoria Hair Salon scammed via email and Instagram 
 
A publicly disclosed case of at least two employees choosing to allow an email message to be clicked on cost a Victoria, BC hair salon reputational damage and down time on their Instagram account which they use as their primary marketing tool. One of their customers lost $2000. The salon owner, Natalie, claims that the email message was so convincing that cyber-trained staff chose to click on the email.  
 
Apparently, the alleged hacker offered an escalated level of marketing to be available to the salon on Instagram. The feature — marketed with a blue check — was offered and is apparently, a legitimate upgrade available from Instagram.  
 
A verified badge (blue check) is a check that appears next to an Instagram account’s name in search and on the profile. It means Instagram has confirmed that an account is the authentic presence of the public figure, celebrity, or brand it represents. 
 
The Natural Hair Salon’s Instagram account was hacked, and the subsequent offering of an investment scheme looked appealing. A loyal customer, trusting the salon, invested $2000 in the scheme, which is now gone. 
 
Instagram failed to respond for several weeks, according to Natalie. She alleges that the perpetrator continues to operate on Instagram.  
 
Once she took to traditional media and reported the scam to CTV, who broadcasted a report on the scam, did Instagram respond. She was also interviewed on CFAX 1070 radio. 
 
It was then that Instagram re-enabled the account. 
 
The salon’s customer is permanently out the $2000.  
 
The entire scenario was avoidable.

Interested in cybersecurity awareness training?