We recently heard an alarming story from a local non-profit organization. Despite being a relatively small non-profit, they became the victims of a very expensive wire fraud perpetrated by sophisticated spear-phishing cybercriminals. If you aren’t familiar with spear phishing, read on and the story should clarify how these attacks are structured. According to the SANS Institute, “up to 95% of all enterprise network attacks are the result of successful spear phishing.”
But we (Upward) are starting to see them more and more in the mid-market. What you are about to read is not your average “Namibian prince needing funds to release multi-million dollar inheritance” story (these emails are simply termed “phishing”).
A cautionary tale for small and mid-size business owners:
It appears that this crime began with the perpetrators initiating a massive spam blast to owners, directors, and managers of companies of a certain size (small and midsize companies). They were looking for all responses that came back as “Out of Office” vacation auto-reply.
For those responses, it appears that the criminals went to the organization’s website and pinpointed the staff member in charge of finance or accounting. They now had their mark; a business manager out of the office on vacation, and a Finance Director who is isolated from their manager.
The perps then emailed the finance director with a masked email that appeared to be from the Executive Director. These emails seemed to come from someone from the company domain, but if you “reply” you can see that the email is from a completely different and random domain (firstname.lastname@example.org, or something like that).
The Finance Director then received an urgent email from the “Executive Director” with specific, urgent directions for wiring money due to an unforeseen event. Due to some unusual internal chaos at this company (there’s more to the story here, ask us if you are curious), the Finance Director trusted the credibility of the email dialogue and proceeded with the wire transfer.
The first transfer was for $9,000, just shy of the limit before the bank puts a 24-hour freeze on your transfer. The second transfer was for an additional $6,000.
The money was immediately swept out of the escrow and became untraceable. By the time the Finance Director texted the executive director to tell him the transfers were done, the organization had lost $15,000 of hard-earned (and donated!) money.
These opportunistic criminals, often branches of organized crime syndicates, are becoming increasingly sophisticated. The threats are no longer brute force “number games”, and are becoming more and more targeted and exploitative.
A good offense is the best defense against these threats, Upward has best-practice security solutions designed to match your risk profile.
Call Upward to explore the solutions that can protect your company from cyber-criminals: 503-517-2008