Scammers are using social media sites to research you and your company, but there are ways to fight back.
Melbourne-based insurance claims expert Allan Manning was out of town recently when his wife received an unexpected email that appeared to come from him. A project needed to be funded and “could she please process a payment urgently?”
As financial controller of Manning’s company LMI Group, his wife, Helen, promptly replied that she would arrange payment as soon as he sent her the details.
A second email purportedly from Manning followed, seeking a payment of A$42,947 and saying a tax invoice would follow shortly. The instruction was to transfer the money directly to a bank account in Cranbourne, Victoria. Helen duly complied.
Just before 5pm when Manning returned to the office, his wife casually mentioned she had processed the remittance.
“What remittance?” When they realised what had happened Manning says they were both in shock.
LMI’s chief executive officer and financial controller had been hit by what some call “business email compromise” – also known as a whaling or spear-phishing scam. The fraudster had successfully impersonated Manning and the money had been sent six hours earlier.
“At the time we were doing renovations in the Melbourne office, as well as renovations on our home and an upgrade of one of our web-based products,” Manning explains.
“The ‘project’ could have been payment for any number of things and the email looked like it came directly from me.”
By sheer luck, the fraudster had made an error in his own bank account number and the payment was stopped at Cranbourne. Manning then tried to lure the fraudster. Why not come to the office and pick up a cheque, he asked, writing as Helen.
The fraudster was having none of it. In the end, three fraudulent bank accounts were uncovered and details provided to the authorities.
10 ways to protect yourself online
Fraud experts say Manning’s situation is almost commonplace these days. He was a victim of social engineering fraud.
“It’s not about exploiting technology, but exploiting the person,” says Warren Dunn, partner in the fraud investigations and dispute services practice at EY. Dunn rates this kind of fraud as among the top three scams globally.
Dunn says the “engineering” comes in three forms, each more sophisticated than the last. The first, like Manning’s, is an email seeking a quick funds transfer. The second asks the victim to telephone external lawyers, citing the remittance as confidential; and the third form is a fake vendor emailing or phoning someone in accounts payable and asking to change a real vendor’s address and bank details. In the last case, scammers have even been known to request updates on monies coming due.
Fraudsters are researching you and your company
All this relies on the fraudster building a picture of company personnel and processes. The fraudster may start with a corporate website, but Dunn says most often they are studying social media such as LinkedIn.
“He’ll know the potential victim is the finance manager, who he or she is linked to, who clicked on that person and who these people clicked on,” Dunn says.
“Then he’ll use Facebook to find out that the person is out of the country or at a conference. That’s when he’ll strike.”
Will a cyber insurance policy cover the loss? One insurance expert, who asked not to be named, says there is confusion on this issue.
“Victims think that since the email system was compromised it’s a network attack – but that’s not always the case. The fraudster has worked on relationships rather than the system. It’s a straight crime and if someone willingly paid the bogus bill there may be a problem on the claim.”
How to combat the fraudsters
Matthew Green, a partner and technology adviser at Grant Thornton, says the solution entails combining people, processes and technology. Not only do people need to be regularly trained to be aware of these frauds, but companies must review their processes so that enough controls are in place and working.
“If in doubt, ring the CEO back on the number you have for them – not the one offered to you in the bogus email,” says Green. He also suggests ensuring “there are multiple authorisations over a certain payment threshold”.
Employees must be trained to be suspicious of requests for secrecy or pressure for immediate action. If a request to transfer funds wouldn’t normally arrive via email, it should be treated with suspicion.
Green also recommends firms subscribe to a cloud-based email filtering service such as Mimecast or SpamTitan, even if some bogus mails will get through.
“You need to train staff to look behind an email and see that it comes from a verifiable source.”
Sometimes the best way to train someone is to show them what phishing emails look like and how convincing they can be. Consider running a phishing simulator such as PhishMe or a similar product.
PhishMe launches a company-wide, fake phishing email campaign, allowing you and your staff to see how many people open the message and click the embedded link or file. When clicked, the link or attachment displays a message explaining that the user has fallen for a fake phishing attack. It shows employees the red flags that were built into the email that can help them identify future attacks.
Extra controls for banking and finance systems
Companies can introduce additional controls for accessing and monitoring critical systems, including bank systems, accounts payable cheque runs and sensitive financial records.
Manning has changed his email system to ensure any emails from outside LMI Group are sent to one inbox, and internal “correct” emails are sent to another. Any payment over A$5000 must also receive a second pair of eyes and verbal confirmation that the request is legitimate.
Another tip is for companies to segregate approval responsibilities from requesting responsibilities and ensure role changes are reviewed against system permissions. For example, an employee with the ability to set up vendors should never have responsibility for disbursements added to their role.
Dunn advises to always check social media.
“Where you work, who you work for, what your role is – all this information can be exploited,” he says. “I would look carefully at controls on LinkedIn and make sure you know who can see your information.
“Be ever vigilant with all incoming persons. Don’t just click onto anyone who wants to be your friend or colleague. This is the easy pathway in for the smart hoaxer.”
How to protect against the new malware threat