In mid-January, I was asked to present at a conference of businesspeople regarding CyberSecurity issues. I usually present at least once per month at meetings and conferences about Cyber issues and best practices for protecting corporate and personal information.
When I speak at conferences, one of the topics I always discuss is phishing – a malicious e-mail sent to someone in an attempt to steal information from the recipient or otherwise negatively affect the recipient or their computer system. I’ve also posted on this blog previously about the risks of phishing.
When I presented similar information two years ago, I would say that more than 70 percent of attendees were unaware of phishing and the various risks associated with it. In my more recent presentations, including this latest one in January with 150 attendees, it seems that over 50 percent of attendees were aware of the concept of phishing scams and 20 percent of them had seen it first-hand.
The Good News: Many more people are aware of Phishing scams
The Bad News: The reason many people are aware is because they or someone they know have been hit with some of these scams.
To continue on our quest to spread awareness and recognition of these scams, I’ve created another post about it.
To be clear: Phishing scams are currently the most common active threat hitting users personally and at all levels of organizations.
Spear-Phishing is similar but more targeted: the e-mails appear to be sent from a particular person the recipient knows. When this happens, the recipient will sometimes correspond back-and-forth with the scammer because the e-mail address looks legitimate. Every month a company executive or board member describes a scenario to me in which their organization was, or was almost, duped into sending confidential information or wiring money based on what appeared to be legitimate e-mails from scammers. Oftentimes scammers register a domain that differs from the company's real domain by only a character or two, create an address on it, and then send their messages to unsuspecting users.
Here are some simple examples:
If the CFO’s real address is email@example.com the scammers create one such as
-firstname.lastname@example.org (a numeric 1 in place of the letter ‘l’)
-email@example.com (’n’ in place of ‘m’)
They then send an e-mail to someone who can wire money, such as a Controller or Finance Manager, and request that funds be sent for some plausible reason. If the recipient doesn't look closely enough, they won't notice that it came from an incorrect e-mail address.
Note: Almost every week we hear about these types of spear phishing scams. Most of them involve wiring money or some other funds transfer.
Ways to protect yourself and your firm:
1 – If possible, never act on a request to wire money without a face-to-face (or video) conversation or a phone call that you place yourself, to a phone number you already know is correct for the person requesting the wire (never a number taken from the e-mail itself). Implement this policy in your firm and make everyone aware of it.
2 – If you typically cannot meet with the person face-to-face or by video call, as in large organizations, set up a code word that must be used in the authorization step for all wire transfer requests. The code word should be shared only with staff involved in wire transfers and should be changed regularly, at least annually.
3 – Ensure that your bank sends an e-mail alert any time a wire transfer is requested, and set up your e-mail software (such as Outlook) with a rule that automatically displays an alert on your screen when a wire transfer happens. Alerts should be sent to more than one person. Even better, send the alerts to your mobile phone(s). My team can show you how to do this.
4 – While many good firewalls can protect your firm’s users by blocking lots of external threats, carefully created phishing emails can often slip past them. We offer clients a content filtering service that blocks certain types of outbound connections that are attempted when a user unknowingly clicks on a link in a scammer’s email message. Check with your IT department or provider for this type of service.
5 – Always look at the sender's actual e-mail address, not just the display name, to confirm it is the real one. With everyone as busy as they are, it is easy to miss a single changed character.
6 – Remember that high-quality logos from banks, utilities and other organizations may look accurate, but unless you check the links to see where they actually go, you cannot be sure. One way to be certain you are going to the correct website is to type the web address into your browser yourself rather than clicking a link or button. It is an extra step, but it helps ensure you reach the right website (assuming you type it correctly).
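The lookalike-domain trick described in the spear-phishing examples above, and the "check the sender's address" advice in item 5, can be turned into an automated check that a mail gateway or a helpdesk script can run on the From header. The following is an added example written for this post, not code from the original article or from the author's firm; the trusted domain list, the homoglyph table and the sample addresses are constructed for illustration.

```python
"""Flag sender addresses whose domain is a lookalike of a domain the firm really uses.

Added example (not from the original post). TRUSTED_DOMAINS and the sample
addresses below are constructed; replace them with the firm's real domains.
"""
import re
from typing import Optional

# Constructed: the domains this firm legitimately sends mail from.
TRUSTED_DOMAINS = {"examplecorp.com", "examplecorp.co.uk"}

# Substitutions scammers rely on because the characters look alike in many fonts.
# Both the suspicious domain and the trusted domains are normalised with this
# table, so "examp1ecorp" and "exarnplecorp" both collapse to "examplecorp".
HOMOGLYPHS = {
    "rn": "m",   # r + n looks like m
    "vv": "w",   # v + v looks like w
    "cl": "d",   # c + l looks like d
    "1": "l",    # digit one for letter l
    "|": "l",
    "0": "o",    # digit zero for letter o
}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common homoglyph sequences."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character swaps such as 'n' for 'm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> Optional[str]:
    """Extract the domain from a From header.

    The display name ('Jane Doe, CFO <...>') is attacker-controlled text, so only
    the address inside the angle brackets (or the bare address) is examined.
    """
    m = re.search(r"<([^<>\s]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", addr)
    return m.group(1).lower() if m else None


def classify(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'unparseable'."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalize(trusted)
        # Same after homoglyph folding, or within one edit: a lookalike.
        if norm == t_norm or levenshtein(norm, t_norm) <= 1:
            return "lookalike"
        # Same registrable name on a different TLD (examplecorp.net): also a lookalike.
        if norm.split(".")[0] == t_norm.split(".")[0]:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers in the style of the examples in the post.
    samples = [
        "jane.doe@examplecorp.com",                     # real address
        '"Jane Doe, CFO" <jane.doe@examp1ecorp.com>',   # digit 1 for letter l
        "jane.doe@exanplecorp.com",                     # n for m
        "jane.doe@exarnplecorp.com",                    # rn for m
        "jane.doe@examplecorp.net",                     # wrong TLD
        "vendor@othercompany.com",                      # ordinary external mail
    ]
    for s in samples:
        print(f"{classify(s):12s} {s}")
```

A "lookalike" result should go to a human (the controller or finance manager) rather than being silently dropped, since a legitimately different domain can also sit one edit away from a trusted one. Note what this check does not cover: a message whose From address is the exact real domain, spoofed rather than lookalike, passes as "trusted" here, which is why the call-back and code-word controls in items 1 and 2 remain necessary even with this filter in place.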
User awareness also helps drive down the impact of CyberSecurity scams. To that end, we have created a bi-weekly CyberSecurity TechTip for which you, anyone in your firm, or colleagues at other firms can sign up. We don't use the CyberSecurity TechTips for any purpose other than helping our clients, colleagues and friends avoid scams. To sign up for the bi-weekly CyberSecurity TechTip e-mails, simply go to this page and enter your name and e-mail address.