In 2015, a Mattel executive received an email requesting that $3 million be wired to a vendor based in China. The executive checked protocol, authorized the request and sent the $3 million to the Bank of Wenzhou in China.
A few hours after approving the request, the executive realized the email had not come from a legitimate source. The entire company went into panic mode, scrambling for a way to recover the stolen money.
This may seem like a rare event and hard to believe, but incidents like this happen all the time. According to security expert Brian Krebs, business email compromise scams, a targeted form of phishing, have caused more than $1.2 billion in losses worldwide.
What is Phishing?
Phishing is the act of sending malicious emails intended to obtain personal information, financial data or business secrets under false pretenses. A phishing email may ask the recipient to supply sensitive information such as login credentials or social security numbers, to click a malicious link that leads to a site hosting malware or a fake login page, or to take an action that violates protocol, such as wiring money to a foreign account.
Kaspersky Lab reports that well over 50% of users are not entirely confident in their ability to detect and avoid a phishing attack. That is because an attack can be highly targeted and detailed. An attacker stands to make a large sum of money from a successful phishing campaign, so it is not unusual for a high level of planning to go into one.
Consider the Mattel incident. To approve any vendor payment above a certain amount, two senior-level executives had to sign off. The email sent to the Mattel executive appeared to come from another senior-level executive, the newly hired CEO. When she checked protocol, she saw that the other executive had apparently already approved, so she did not hesitate to comply with the request.
She failed to see that the request was illegitimate: the attackers had learned Mattel's internal approval process, and the email was crafted and timed to fit it exactly.
Now take a step back and imagine it was your company. It would not take much for an attacker to learn and work around whatever internal protocols you have, and it would take even less effort to fool an unsuspecting office manager.
Where is Phishing headed?
Phishing is no longer limited to the inbox or to skilled hackers. A successful attack can be carried out in person, over the phone or through an online ad by any petty criminal willing to try. All that is required is a heavy dose of social engineering and perhaps some acting skills.
Here are a few ways a hacker can prey on employee weaknesses:
- Posing as a concerned third party - "I'm calling from ABC Internet Company and we noticed you're experiencing some technical difficulties. Could we have your login credentials to run a few tests?" It sounds legitimate enough, but no genuine provider needs your password to troubleshoot.
- Showcasing a deal that's too good to be true - "Click here for your free trial of Photoshop!" It works all the time, and the download is the modern Trojan horse: the installer carries malware along with, or instead of, the promised software.
- Offering something in exchange for a password - "Here's a $100 gift card. Now, what's your password?" This may seem like it would never work, but it does.
How do you protect yourself?
Your greatest defense against phishing emails and social engineering is suspicion, your own and your staff's. Treat every request for information, money or data as suspect until it is verified, even if it appears to come from your CEO.
Here are a few tips to help you and your fellow team members protect your business and yourselves from everyday phishing scams:
- Create strong internal processes that require payment and data requests to be double-checked and verified out of band: confirm with the apparent requester by phone or in person using a number you already have on file, never the contact details supplied in the email itself.
- Review the entire email, including the actual sender address and any Reply-To address, not just the display name. Look for misspelled or lookalike domains, unusual grammar, and contact information that differs from what you have on file.
- Consider the request carefully and don't feel obliged to respond immediately. Ask yourself why someone would need this information, whether this is how such matters are normally handled, and whether the request is coming from and going to the appropriate party. Urgency and secrecy are the attacker's tools.
- Use anti-phishing protection for both your inbox and your web browsing, such as mail filtering and browser warnings for known malicious sites.
- Regularly train your staff on how to detect phishing emails and how to report them, so that one alert employee can protect the rest.
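The header and wording checks in the tips above can be automated as a first-pass triage before a human reviewer looks at a suspicious message. The following is an added example, not code from the original article: it parses a raw email, flags a sender domain that is a near-miss for the organisation's own domain (typosquatting), a Reply-To that diverts replies elsewhere, and a payment request paired with urgency or secrecy language. It goes a little beyond the text by combining these three signals. The trusted domain `example.com`, the two sample messages and the keyword lists are constructed assumptions for illustration.

```python
"""Heuristic triage of an email for common business-email-compromise tells.

Added example for this article, not the article's own code. TRUSTED_DOMAIN,
the sample messages and the keyword lists below are constructed assumptions.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"  # assumption: the organisation's own mail domain

# Constructed sample: a CEO-impersonation wire request in the Mattel pattern.
SAMPLE_LURE = b"""From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-relay.net
To: finance@example.com
Subject: Urgent vendor payment - confidential
Date: Mon, 27 Apr 2015 09:12:00 -0400

Please wire $3,000,000 to the vendor account below today. I have already approved.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_BENIGN = b"""From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q2 planning meeting
Date: Mon, 27 Apr 2015 09:15:00 -0400

Can we move the meeting to Thursday?
"""

PAYMENT_WORDS = ("wire", "transfer", "payment")
PRESSURE_WORDS = ("urgent", "today", "immediately", "confidential")


def edit_distance(a, b):
    """Levenshtein distance; small values against the trusted domain mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_message(raw, trusted_domain=TRUSTED_DOMAIN):
    """Return a list of human-readable findings; an empty list means no tells found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # 1. Sender domain that is close to, but not equal to, our own domain.
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if from_domain and from_domain != trusted_domain \
            and edit_distance(from_domain, trusted_domain) <= 2:
        findings.append("sender domain %r is a lookalike of %r" % (from_domain, trusted_domain))

    # 2. Reply-To that silently routes the conversation to a different mailbox.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append("Reply-To %r differs from From %r" % (reply_to, from_addr))

    # 3. A payment request combined with urgency or secrecy language.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in PRESSURE_WORDS):
        findings.append("payment request combined with urgency/secrecy language")

    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, check_message(sample) or "no findings")
```

Run against the constructed lure, the script reports all three tells; the benign note produces none. These heuristics are a triage aid, not a verdict: a well-crafted message from a compromised genuine account will pass every one of them, which is exactly why the out-of-band confirmation in the first tip remains the control that actually stops the wire.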