There are many beastly people out there trying to lever money out of your wallet, and the level of sophistication of their phishing scams can be a real eye opener. It affects you just as much in business as it does in your personal life.
We recently learnt about a garage that got done for almost £20k. Managing the service side is fine – take a customer’s car, do the work, invoice, get paid … and hand car and keys back to customer – simples! The problem was when they started offering to sell cars (for those of us who don’t want to get dragged into the tedious process ourselves) in return for a modest commission.
On this occasion, the car sold and as soon as they had been paid by the new owner, they received an email from the vendor instructing them to pay the net funds to a different account (same name). Suspecting nothing (and knowing no better), the £18,500 was duly transferred – job done … or so they thought.
Two days later the original owner rang asking where his money was. I guess you are ahead of me here: they were a victim of the all too common “spear phishing”. The account they transferred the money to had been recently set up (at one of the high street banks) and, one assumes, sufficient identity checks made which proved satisfactory. Money in; and within a matter of hours the account had been cleared out – bye bye £18,500. Thousands more of our pounds in the hands of a fraudster – and no recourse. That is very painful for any small business – and it could so easily be you.
And it is not just unsuspecting small business owners that are being “speared”. Anyone who regularly handles large sums of money (accountants, investment houses, lawyers – the list goes on) is being heavily targeted.
This bit might surprise you. The level of sophistication can be mind boggling.
This is the account of one of the partners of a leading Commercial Law firm in Swindon:
“Only last month I received an email from one of my fellow partners telling me to transfer significant funds to a specified account. Thinking this a bit odd I printed the email out, walked the 5 metres to my colleague’s desk, placed the email in front of him and asked him why he had sent this email rather than ask me face to face; of course he had not sent it. All the more interesting because the email looked perfect in all respects – the style and sign off were spot on; as were the sender’s details (checked by hovering over the “From” details).
“It was only because I was sitting opposite him that I immediately challenged the request. We were the targets of spear phishing and frighteningly close to making a very expensive error.
“This is a fundamental issue that worries the hell out of me. Virtually every law firm we have spoken to have received fake instructions – not just one, but many – by email.”
I hope these 2 real accounts make it crystal clear that this is a clear and present danger – a danger to us all.
This is a here and now issue – here are some words about spear phishing from Norton, the internet security people:
The latest twist on phishing is spear phishing. No, it’s not a sport, it’s a scam and you’re the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC. Learn how to protect yourself.
Email from a “Friend”
The spear phisher thrives on familiarity. He knows your name, your email address, and at least a little about you. The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” The email may make reference to a “mutual friend.” Or to a recent online purchase you’ve made. Because the email seems to come from someone you know, you may be less vigilant and give them the information they ask for. And when it’s a company you know asking for urgent action, you may be tempted to act before thinking.
Phishing Scam: Using Your Web Presence Against You
How do you become a target of a spear phisher? From the information you put on the Internet from your PC or smartphone. For example, they might scan social networking sites, find your page, your email address, your friends list, and a recent post by you telling friends about the cool new camera you bought at an online retail site. Using that information, a spear phisher could pose as a friend, send you an email, and ask you for a password to your photo page. If you respond with the password, they’ll try that password and variations to try to access your account on that online retail site you mentioned. If they find the right one, they’ll use it to run up a nice tab for you. Or the spear phisher might use the same information to pose as somebody from the online retailer and ask you to reset your password, or re-verify your credit card number. If you do, he’ll do you financial harm.
So, now at the very least, you are aware of the danger; so what can you do about it?
In 2 words – be vigilant.
Here are some further thoughts:
- Be very suspicious of last minute changes
- Do not criticise anyone on your team for being too cautious – you can never go too far
- Put a robust process in place for validating any new payment details, no matter how small the sums involved. This should include phoning to check (using the contact details you already have and not the ones in the email – obviously!!)
I am shocked by the prevalence, not to mention audacity, of this crime and sincerely hope this article is in time to prevent YOU becoming another, somewhat poorer, statistic.
Please feel free to share your own experiences (whether in private or professional personas); we will then publish a follow-up.
Forewarned is forearmed. Be careful, be cautious.