Spear phishing is alive and well and hackers are targeting our business community in sleepy Victoria, BC. Hackers lurk in the shadows targeting local businesses. They watch and wait for the most opportune time to prey upon them.

Here’s one notable Victoria incident that just happened: 

A manager’s email of a well-known, professional business with fifty employees was spoofed. The so-called “manager” emailed HR requesting a change to their banking information.

The hackers addressed the HR manager by name, and impersonated an important employee while submitting what appeared to be a standard request. The manager has changed banks in the past and when this change occurred, information was updated for direct deposit – not a big deal.

While the hacker was successful in getting the information, luckily where he went wrong failed in that he missed a single digit on the bank account, so the hacker never made the switch and the attempt failed. Some internal due diligence also uncovered that it wasn’t the manager who requested the change to begin with.

Immediately after this attempt, the business developed a new HR policy stating that such requests need to be made in person only.

Spoofing | Tricking or deceiving computer systems or other computer users. This is typically done by hiding one’s identity or faking the identity of another user on the Internet. E-mail spoofing involves sending messages from a bogus e-mail address or faking the e-mail address of another user. Since people are much more likely to read a message from an address they know, hackers will often spoof addresses to trick the recipient into taking action they would not normally take.

KnowBe4

91% of cyberattacks and the resulting data breach begin with a spear phishing email. 

Trend Micro

What are the key takeaways from incidents like this? 

 

#1 – Small to medium-sized businesses in Victoria are being targeted. Don’t think for one minute that we are not in the spear phisher’s sight.

#2 – Humans are still the weakest cybersecurity link. Every employee needs cybersecurity training. You can have very good IT and still fall victim to scams like spear phishing which can have a devastating financial impact on your business. Offer annual training and make it part of your HR process when you onboard new employees. Be sure that any employees who have access to your businesses bank accounts (or your client’s information) are well-trained.

#3 – Put policy in place if you haven’t already done so. Review all your financial procedures. Make sure that each process is a rigorous one that cannot be manipulated.

When possible, have “human-to-human” during the process. Where that’s not possible, have a multiple-contact process that cannot be manipulated from the same device: for example, a text and an email and a phone call can all be made from the same device. Perhaps an email from a customer can be followed up with a phone call back to the customer on their office phone number.

Finally, financial procedures should include recording how these approvals were managed: dates, times, how were they conducted. In human-to-human situations, a physical signature or initial should be required. If fraud occurs, this is helpful (1) to demonstrate due diligence for any insurance claims, and (2) to identify where the process failed so it can be revised to avoid a repeat.

I am a fan of the ‘double-double check’ for any user requests from admin password changes, payroll, HR, equipment/facilities. User sends request via email or writing to their direct superior or counterpart (paper trail) who confirms it back via phone or otherwise and then sends it on noting confirmation, and then that approval gets sent to the appropriate department, and then the “actioning” department again confirms via another method other than email with the requester. —Werner Baron, Centralized Services, Smart Dolphins IT Solutions

Contact us if your IT or your cybersecurity culture need some TLC.