A few weeks ago, a client contacted us concerning a couple of emails they received. The client’s company in question often transfers sums of money and has a CEO and CFO that aren’t always in the office. These two factors, and some due diligence, almost paid nicely for some anonymous phishing scumbag. It is pretty simple actually. Practically anyone with a computer, a few hours time and about $20 can cast their rod in the pond that is the internet, phishing for easy money. In this case, the bad guy spent some time on LinkedIn, found a company that had 100+ employees and located the names and email addresses of the CEO and CFO. Step two was to purchase a domain name that was a misspelling of our client’s real domain name. Let’s say our client’s domain name is @themillergroupclient.com, the bad guy purchased the name @themilergroupclient.com. Then they setup an email address for the CEO (ceo@themilergroupcompany.com) and sent an email to the real CFO’s email address. This email was brief and direct, “I will be sending you payment details for an Admin service expense that needs to go out. Can we process a wire payment for this expense today?” It was signed using just the first name of the CEO. The CFO responded asking for more details as it appeared to be a normal email, similar to ones he has received in the past. It was addressed to the CFO, used his first name and was signed by the CEO. The email client’s (Outlook), spam filter and the antivirus didn’t flag this email. Here is the kicker, it shouldn’t have either. There was nothing technically wrong with this email. The bad guy did everything correctly. The CFO then received a response giving details as to where to wire the money and the amount, in this case, $28,000! A bank in the USA, with a USA phone number and address, nothing alarming. The CFO had a minor question about the transaction and decided to call the CEO whom, of course, knew nothing about this email conversation. This quick phone call saved the company from a very costly, likely irreparable, mistake.
How do you stop this from happening to you?
- Learning what to look for is key. The sender’s email address was a legitimate email, but looking at it closely would reveal that it was misspelled.
- There are rules that can be setup on the email server to input a warning message into incoming emails if they originate from outside of your company.
- Call The Miller Group to ask about Cyber Security Training for your company.
The Miller Group is rolling out Cyber Security Training for our ALL-Covered clients at no cost in the upcoming months. These brief training lessons will educate you on what to look for in emails and when browsing the internet. We will be offering this as an add-on service to our other clients as well. If you are interested in learning more about the training please fill out the form located on our Cyber Security Training website here.