A financial columnist fell victim to a group of con artists and ended up giving them her life savings. Can this happen to you?

Charlotte Cowles is not the kind of person to fall for a scam. She’s a financial writer, the financial advice columnist for New York Magazine and has worked for some of the top publications in the US. She lives in Manhattan, is married and has a child. 

And yet, as she writes in this story, she found herself one day on a street in New York City giving a stranger in a Mercedes a shoebox filled with $50,000 in cash, nearly all her savings.


Around the Black Friday and Cyber Monday weekend, employees will undoubtedly be distracted by looking for the latest bargains offered by retail stores both online and in-store. However, due to the ongoing effects of the pandemic, many employees are most likely to be shopping online. This weekend is also an opportunity for many employees to do their Christmas shopping ahead of time.

Unfortunately, this shopping weekend is a lucrative opportunity for cybercriminals to target shoppers, who may fall into the trap of phishing and social engineering scams. According to Kaspersky, online payment fraud surged by 208% between September and October 2021, with 1,935,905 financial phishing attacks disguised as e-payment systems during October.

With many employees also using company devices for personal use, organisations must remind employees of best practices for staying safe and secure online.

Top tips to advise employees:

1) Remind employees of stringent IT policies

Employees must be reminded to follow the organisation’s IT and compliance policies, and to avoid using company-owned devices for personal purchases. While it can be tempting to keep an eye on bargains whilst working, employees should not be doing this on their work laptops or phones, even during break times.

2) Shop smartly

Tell employees to shop only on trusted websites and to pay by credit card over a secure connection – check that the address starts with “https://” (which shows the connection is encrypted, though not that the shop itself is legitimate). Don’t forget to monitor bank accounts for any suspicious activity, so the bank can be alerted at once if scammers do manage to get into an account.

3) Be aware of phishing scams

Employees need to watch out for phishing and social engineering scams targeting shoppers with bargain prices – always triple check any URLs before clicking on them by hovering over the link. Support employees with phishing awareness training and check their alertness with our phishing simulation tool to truly understand if employees know how to spot a scam.

4) Remember good password hygiene

When logging into accounts for each online retail store, educate employees to use a solid, unique password for each one. Make sure the password contains a minimum of eight characters, a mix of upper- and lower-case letters, numbers and symbols. Good password hygiene will help reduce the likelihood of details being compromised in a data breach.

5) Use added security barriers such as 2FA & MFA

Where possible, teach employees to use two-factor or multi-factor authentication when logging into accounts, to prevent others from accessing them. If a password has been compromised or cracked by a cyber-criminal, multi-factor authentication also requires the attacker to bypass the one-time password, which is usually a code sent via email or by text to the account holder’s phone. This second barrier to entry makes it harder for hackers to get in and make purchases on the account.

6) Don’t fall for gimmicks

Employees must remain cautious of ads and prize contests (which are rife during this period) that harvest consumer information to sell to third parties. Remind them not to click on anything they don’t trust or that appears too good to be true. If in doubt, always check the URL’s domain.

7) Finally, don’t forget overall device security

It’s vital to keep security updated on all devices, including laptops, tablets and smartphones. Remind employees to use anti-virus software and to back up all files. With new vulnerabilities appearing constantly, employees must update their devices promptly when prompted or told to by IT.

Get in touch today to talk to us about how our collection of Information Security Courses can help prevent your employees from being scammed around the holidays and further reduce your organisation’s cybersecurity risk.


Phishing scams are one of the most successful methods cybercriminals use to cause a data breach. According to the 2020 Phishing Attack Landscape Report, 53% of respondents revealed that their organisation has seen an increase in email phishing attacks during the pandemic. Almost a third (30%) said that email phishing attacks have become more successful during this period.

Compared to other cyberattacks, organisations tend to be more susceptible to phishing attacks because phishing scams can easily target any employee. The report found that over a third of respondents (36%) were not confident that employees at their organisations could spot and avoid an email phishing attack in real time. In addition, 38% of respondents highlighted that over the past year, someone within their organisation has fallen victim to a phishing attack.

With phishing attacks so prevalent in current times, let’s check out five of the biggest phishing scams in history (so far).

1. Facebook & Google – $100 million

The costliest phishing scam in history targeted two of the biggest tech giants in the world, Facebook and Google.

The Lithuanian hacker, who targeted them both between 2013 and 2015, impersonated a Taiwan-based company, Quanta Computer, to send an elaborate fake invoice that cost them $100 million. Quanta Computer is an electronics supplier both companies use, which is why the scam wasn’t obvious. Google and Facebook both worked with the authorities to recover some of the funds. This is a clear example of the importance of analysing all aspects of an email to check its authenticity.

2. Crelan Bank – $75.8 million

In 2016, Belgium-based Crelan Bank lost $75.8 million (approximately €70 million) to fraudsters who compromised the CEO’s email account and tricked an employee into wiring the transfer. The phishing attack was discovered during an internal audit.

This type of spoofing is also known as business email compromise (BEC): the attacker impersonates a company by hacking into a corporate email address and tricking customers, partners or employees into sending money or sharing confidential data. This is a clear reminder for all employees, regardless of seniority, of the importance of creating strong passwords that are not reused across multiple sites and of using other security measures such as multi-factor authentication to improve the company’s security defences.

3. FACC – $55.8 million

Also in 2016, FACC, an Austrian aircraft manufacturer, suffered a similar business email compromise attack spoofing the CEO’s email account. The cybercriminal instructed an entry-level accounting employee to transfer funds to an account as part of an “acquisition project”. The staff member wired the funds without doing due diligence.

Although FACC recouped around one-fifth of the loss, the company fired and sued the CEO and the CFO for failure to establish internal policies to prevent this from happening.

4. Upsher-Smith Laboratories – $50 million / $39 million

In 2014, a US drug company, Upsher-Smith Laboratories, lost more than $50 million over three weeks. This was yet another successful business email compromise attack on the CEO’s email account, which was used to send emails to an employee in accounts payable instructing them to transfer funds.

Luckily, the company recalled one of the wire transfers, dropping its loss from $50 million to $39 million (plus interest). The drugs firm also sued its bank for making the transfers despite multiple missed “red flags”.

5. Ubiquiti Networks – $46.7 million

Ubiquiti Networks, a US-based computer networking organisation, was swindled out of $46.7 million in a BEC attack in 2015. The fraudster impersonated the company’s CEO and its lawyer, asking the company’s finance department to transfer funds. The FBI (Federal Bureau of Investigation) alerted the company about the attack.

So, what can we learn from these phishing attacks?

A business email compromise is a phenomenally successful type of phishing attack, so employees and organisations must always do their due diligence when a particular email, even if it’s from the CEO, looks ‘phishy’.

Educate employees at all levels on how to spot a phishing email and provide further cybersecurity awareness training. Test your employees by using a Phishing Simulation Tool to launch a fake phishing campaign against them. This is a great way to find cybersecurity skills gaps in the organisation, allowing both security and L&D teams to provide focused phishing and security awareness training to those who need a refresher.


According to Verizon’s latest report, 36% of breaches involved phishing attacks, an increase of 11% in comparison to the previous year. With the pandemic and more employees working remotely, cyberattackers have stepped up their phishing campaigns against organisations and their employees. All it takes is one employee clicking a link in a phishing email for them or the organisation to fall victim.

That is why organisations must support their employees with cybersecurity awareness training and help them understand cybersecurity foundations such as how to spot a phishing email. In this blog, we share some top tips on how your employees can spot a phishing email, helping to strengthen your organisation’s cybersecurity strategy.

1 – Check the email address of the sender

If the display name on an email looks familiar or appears to be from a brand you trust, that doesn’t mean it is really them. Be sure to check that the actual email address belongs to a trusted sender. Phishing scams impersonate a person or a company you trust, e.g., TV licence phishing, Amazon phishing or, more recently, Covid-related phishing.

Sometimes a phishing email comes from an address such as [email protected] or [email protected]. Trusted senders would not write from a generic free email service such as Hotmail, Gmail or Yahoo!; a genuine email would come from their own domain name. In the second instance, a domain name that looks similar to the real one but is slightly misspelt is another way of fooling you into believing the sender is a trusted source.
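As an added example (not part of the original post), here is a small Python check that automates the two sender-address tests above: a familiar display name in front of a free-mail address, and a domain that is a near-misspelling of a trusted one. The trusted-domain map, the free-mail list and the sample From: headers are all constructed for illustration.

```python
# Added example, not from the original post: automating the sender-address
# checks. The brand/domain lists and sample headers below are constructed.
from email.utils import parseaddr
import difflib

# Generic free-mail providers a real company would not send from.
FREEMAIL = {"hotmail.com", "gmail.com", "yahoo.com", "outlook.com"}
# Hypothetical map of brand keyword -> the domain that brand really uses.
TRUSTED = {"amazon": "amazon.co.uk", "tvlicensing": "tvlicensing.co.uk"}

def sender_parts(from_header):
    """Split a From: header into (display name, address, domain)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name, addr, domain

def is_lookalike(domain, real):
    """True when the domain is not the real one but differs only slightly
    (a swapped or substituted character), the way misspelt domains fool the eye."""
    if domain == real:
        return False
    return difflib.SequenceMatcher(None, domain, real).ratio() >= 0.85

def check_sender(from_header):
    """Return a list of warnings; an empty list means nothing stood out."""
    name, addr, domain = sender_parts(from_header)
    if not domain:
        return ["no parseable address"]
    warnings = []
    if domain in FREEMAIL:
        warnings.append(f"free-mail domain {domain}")
    for brand, real in TRUSTED.items():
        if is_lookalike(domain, real):
            warnings.append(f"{domain} looks like {real}")
        # Display name claims the brand but the address is not on its domain.
        if brand in name.lower().replace(" ", "") and domain != real:
            warnings.append(f"display name mentions {brand} but domain is {domain}")
    return warnings

if __name__ == "__main__":
    # Constructed samples: genuine, free-mail spoof, lookalike domain.
    for header in ("Amazon <no-reply@amazon.co.uk>",
                   "Amazon Customer Service <amazon.orders@gmail.com>",
                   "Amazon <no-reply@amaz0n.co.uk>"):
        print(header, "->", check_sender(header) or "OK")
```

A real deployment would list every domain (and subdomain) a brand legitimately sends from, otherwise genuine mail from a second domain is flagged.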

2 – Detect spelling and grammar errors

While this may sound strange, spam emails often have spelling mistakes or grammatical errors. Cyberattackers really aren’t worried if their spelling or grammar is correct.

Read the email thoroughly and be suspicious of any errors. If the email is poorly written, then it’s not from the company they are impersonating. If in doubt, always forward the email to your IT team. But NEVER follow through on the actions requested in the email.


3 – Beware of how the email sender greets you

Is the email greeting impersonal, e.g. “Dear reader” or “Hello Sir/Madam”? Or perhaps it fails to fill in your name at all, e.g. “Hi [first name]”?

If a trusted source such as your bank is emailing you, they will address you personally. Don’t fall for the trick: mark the email as spam and delete it. Even better, forward it to your IT team so they can warn everyone in your organisation about phishing scams targeting it.

4 – Do not share personal information

Are you asked for personal information such as your bank details or security details? Remember, genuine companies such as your bank will NEVER ask you to confirm that over email. They already know that information. Don’t share anything.

5 – Do not click on suspicious links or attachments

Cyberattackers love luring in their victims through links, for example, “validate your email address or account”. Always hover over a link to check where it really goes; if the URL looks suspicious or doesn’t match what the rest of the email says, don’t click on it! The same goes for attachments: if you’re not expecting an email with an attachment, or the email is out of context, don’t open it!
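The hover-over check can also be done programmatically on the HTML of an email body. The following Python is an added example (not from the original post) that lists every link whose visible text names one host while the href points at another; the sample email HTML is constructed.

```python
# Added example, not from the original post: flag links whose visible text
# names one host while the real href goes elsewhere. Sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:   # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Hostname of a URL; a bare domain without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """(text, href) pairs whose text names a host other than the real one.
    Text with no host in it ('click here') cannot be compared and is skipped."""
    parser = LinkCollector()
    parser.feed(html)
    found = []
    for text, href in parser.links:
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)
        if shown and host_of(shown.group(1)) != host_of(href):
            found.append((text, href))
    return found

# Constructed sample: the first link shows the bank's address but goes elsewhere.
SAMPLE = (
    '<p>Please <a href="http://login.verify-now.example/reset">validate your '
    'account at https://www.mybank.example</a> within 24 hours.</p>'
    '<p>Help: <a href="https://www.mybank.example/help">www.mybank.example</a> '
    'or <a href="https://www.mybank.example/contact">click here</a>.</p>'
)

if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE):
        print(f"MISMATCH: text shows {text!r} but link goes to {href}")
```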

Phishing emails are there to incite curiosity or panic to get hold of a vulnerable employee who will open your organisation to the cyberattacker. It’s important to continuously remind and educate staff throughout the year with phishing training and other cybersecurity awareness training to ensure everyone stays alert on what to look out for, so they don’t get caught.

Organisations can use a phishing simulator tool to increase the security awareness of their employees. By regularly testing employees, organisations can ensure they remain alert, asking themselves if an email is legitimate or spam. Using this technique also helps L&D and security teams understand who in the organisation might need some extra training or support.

How would your business cope if employees were suddenly unable to access computers, files, or your network? Your customer database, emails, and that critical project due by the end of the week: all locked.

Work would be brought to a halt, I.T. would be inundated with panicked phone calls, and your communications team would be in crisis mode. You might be willing to do almost anything to regain access to your critical files – which is why ransomware is a growing tactic for cybercriminals.

Ransomware blocks access to critical files or applications and asks users to pay to regain access. And, while in some cases it’s clear to users that they’re being held to ransom, messages often appear to come from governments, law enforcement, or even your own technical team – leading to payments made to cybercriminals.

Falling victim to ransomware creates a dilemma for businesses. Should you pay the criminals, with no guarantee they’ll restore access, or should you go public, take the hit to your reputation and finances, but at least take control of the situation?

Clearly, the best approach is to avoid falling victim to ransomware in the first place. So, with cybersecurity firms warning of increasing ransomware attacks, how can you protect your business?

As with many cybersecurity threats, the answer is a combination of security software and education practices.

1. Keep software up to date

All businesses should use software to protect them from the cyber threats that can lead to ransomware infection, such as spam email, unauthorised access, unsafe websites and unsafe files.

But installing this software is just the beginning. Cybercriminals and tech companies are locked in a perpetual race to stay one step ahead of each other in discovering vulnerabilities. With more uncovered daily, it’s crucial to keep security software updated, protecting your business from known and newly discovered vulnerabilities.

2. Train staff to be vigilant around email attachments

The most common way for computers to become infected with ransomware is through staff opening unsafe email attachments, a trend cybercriminals are increasingly creative in exploiting.

Recent examples include emails appearing to be speculative job applications with attached CVs, and documents ostensibly from the CEO or senior management; but even files attached to gobbledegook emails are opened alarmingly often.

Banning email attachments altogether isn’t feasible, and antivirus software isn’t 100% effective at identifying viruses, especially when they can be hidden in seemingly innocuous files like Word documents or images. Combat this risk by training staff to recognise suspicious emails, to check that the sender’s email address is one they recognise, and to get verbal confirmation from the sender if any suspicion arises.

3. Prevent access to unsafe websites and files

Another way ransomware finds its way onto your machines is when employees visit compromised websites or download unsafe files. We recommend limiting what sites staff can access so unsafe ones are automatically blocked, and only giving rights to download and install files to those employees who need them.

But even with these measures in place, employees often end up getting granted admin rights when they really shouldn’t, just for convenience’s sake, eventually resulting in cybersecurity issues.

Rectify this by making cybersecurity awareness a part of your business culture, ensuring people only have the access rights they need, and that they know what risks to look out for when browsing the web.

4. Implement a strong password policy

The above techniques are all designed to prevent cybercriminals from accessing your systems by the back door – but don’t forget to lock the front with strong passwords.

A cybercriminal would only need to determine one employee’s password to access your network and install any software they want. It could be as simple as methodically attempting to gain access with the most common passwords, words from dictionaries, or even using passwords seized from another site.

Prevent this by ensuring your employees understand good password practices such as ensuring passwords are hard to guess, using combinations of lower and uppercase characters, numbers and symbols, and using unique passwords for different websites.

5. Make technical support the first port of call for problems

In the unfortunate event that one of your employees falls victim to ransomware, they’re likely to be shown an error message asking for payment, or asking them to click a link or call a phone number.

Genuine error messages would never ask for payment, nor would they include manipulative language that’s designed to incite fear in the user, and your employees should be aware of this.

If they ever receive error messages, their first port of call should always be technical support, who will be able to determine if the error message is genuine, and what action should be taken.