This week I spoke with a client who has lost over sixty thousand dollars to a scam. There is a simple solution.
Here is how this one is played – there are many variations on this scheme.
An email is sent to a senior member of the team, such as the operations manager or chief financial officer, spoofing (looking like it came from) the email address of the business owner or chief executive.
The email uses business terms to ask that a payment be made to cover a purchase or a debt that needs to be moved on quickly.
The language is typically brief and directive such as: “I need you to cover a position for me on the China project, please transfer $65,700 to the following account”. As the style of the particular business leader is mimicked, these emails can seem uncannily familiar to the recipient. Which is why they are working so well for the scammers.
In the case of my client this week, while he was away the email arrived and was processed, the payment was authorised by two members of staff and it was paid.
This is not a case of IT security failing to stop an attack. This is a carefully designed direct attack on an organisation, socially engineered to be from an authority figure to an employee who is likely to have access to funds. It is done many thousands of times a day simply by seeking an unsuspecting victim with access to transfer funds.
No amount of IT security is going to catch a spear phishing attempt such as this.
The scammers do not necessarily know the exact style or location of the business owner or chief executive; it is more the alignment of co-incidences that works in the scammers favour. They get the right message into the right inbox with the right slant at just the right time to trick the recipient into action. A slightly different email at the wrong time might be quickly identified as spam and deleted. It is the one that gets through the checks and inspections that the sender lives for. If he is sending thousands of these emails every week and only one works for a quick fifty thousand dollars or more, I am sure he is not complaining about how hard he works for his money.
A simple solution to this is to set up business rules that state no funds are to be transferred to a new destination account without a verbal confirmation from the person requesting the transfer. This could take the form of a voicemail in each direction if they are really on the other side of the world in a different time zone. It may be a nuisance but if it stops fraud for large sums of money, it is a sensible solution.
In business, when access to make payments on a company’s behalf is delegated, processes must be put in place to check and cross check each transaction.
Today, email is not a secure and trustworthy source of information as it is open to abuse in too many ways. It is a very powerful tool for sharing information and has its merits in that space but when it comes to being an authority for transactions, better solutions are still required. There are ways to ensure email is secure or to run secure person to person messaging but the overheads of this are still relatively high. A simple call to confirm payment authority before releasing thousands of dollars to a new address is simple enough. The trick is knowing when the better processes make sense and putting them in place before it is too late.
David Markus is the founder of Combo– the IT services company that is known for business IT that makes sense. How can we help?