Every day I cannot tell you how many emails I receive that utterly garbage. They are clever in their attempt to get you to open them and click on whatever link or attachment they have provided, but they are garbage, and go directly into the trash. However, despite the warnings that are on the Nightly News, Social Media Pages and whatnot, for some reason, people insist on opening these emails and infecting their home network, or business network. We know, because we see the outcome from these mistakes all the time.
In this example the fraudster used a mix of Phishing and Social Engineering to conduct their fraud. In fact, this is the example we see most often as of late. The fraudster in this case used Social Media, specifically, LinkedIn to determine what employees worked in the billing department of this organization. They then sent a series of emails to these employees in hope that one of them would open the email and click on the link provided, which would install the malware that would allow the fraudster open access to the computer. The fraudster in this case scored when they were able to lure the Finance Director of this organization into their little scheme.
What the malware allowed the fraudster to do was monitor when the Finance Director was at her workstation, and when she was not. Yes, this took considerable time on their part, but cybercriminals are actually pretty good at waiting and doing their research. Over time, what they discovered was that the Finance Director usually left the office for the weekend by 4pm each Friday. This left approximately 1.5 hours for the fraudster to conduct their business by the end of the day and avoid detection over the weekend until Monday.
What the fraudster did during these 1.5 hours on Friday was transfer a large sum of money from the corporate bank account to a foreign account the fraudster had setup to receive the stolen funds. The transfer would occur at the end of the business week and avoid detection through the weekend until the bank opened on Monday. Even then, it was several hours within the business day before the business and bank noticed something was wrong.
How was the fraudster able to gain access to the online bank account? Remember that Malware we mentioned that was installed on the Finance Director’s computer when she opened that piece of junk email and clicked on the link provided? Well, that Malware had a “key-logging” component that allowed the fraudster to gain access to the user id and password into the online bank account. In fact, the fraudster had access to everything the Finance Director had access to including payroll records, tax filings, etc.
Upon discovery, Management contacted our firm to trace the financial transaction back. We worked with their Information Technology department to clean-up the Finance Director’s desktop, along with all employees with computer access. The server was updated, and new monitoring and firewall software was installed. We assisted the company in working with their Insurance provider and financial institution to obtain a partial reimbursement of the funds that were lost during this episode. Unfortunately, full funds were not able to be returned as the transfer was issued through the business bank account using the businesses user id and password.
An accounts payable clerk received an email that appeared to be from the CEO of the company. However, instead of using the business email, this email came from a free Yahoo account, but had the name of the CEO (example: email@example.com). The email said something of the nature . . .
“Hi, this is John. I’m working from home today and I am having problems logging in with my work email. We need to transfer $X of funds to XYZ company immediately. Can you run this transaction since I am unable to log in, or get into the office today? Our new project depends on it.”
Seems legitimate enough, right. In this case, the AP clerk was familiar with this type of request to transfer funds to various companies on a short time frame. Plus, aren’t we all familiar with having some type of problem with our work email? Fortunately, what the AP clerk did was copy the CEO’s work email when replying to the Yahoo email that the funds transfer was underway. The CEO received the message, called the office notifying the clerk that he made no such request and was able to contact the bank prior to the transfer being completed.
In working with the company and the bank on this case it was determined that an additional layer of security be added for any funds transfer over a specific dollar amount be implemented. The AP clerk could make the funds transfer request from the bank, however, the bank needed verbal approval from the CEO or another approved officer of the company prior to completing the transaction.
A brand-new receptionist had only been on the job for a week when she received a call she thought was from the Information Technology department of the company she was working for. The caller identified himself by name and such and said he needed to jump on her computer to install some updates. Being brand new, the receptionist was willing to easily comply with the fraudster’s request. In order to gain access though, he needed her password and user id. Again, she easily complied with the caller and the fraudster had immediate access to install the Malware on her desktop and infect the entire network of the company.
What this Malware did was send bot-based email to everyone on the receptionist’s email address book. Fortunately, the calls and replies started coming in immediately from concerned customers, vendors, partners, etc. which notified numerous employees that there was some sort of problem. Management was immediately able to engage the “real” Information Technology Department to pinpoint the problem, cause and implement solutions.
A mass email and letter campaign went out to all clients warning them not to open the malicious message they had previously received. By opening the attachment in the email, it would load the Malware program onto the recipient computer and start the bot campaign all over using that person’s address book.
The receptionist was given training on identifying fraudulent phone calls, emails and inquiries and provided another copy of the employee roster to help her identify individuals that were actually employees of the company.
Unfortunately, the fraudsters out there are getting more and more crafty to trick unsuspecting users into handing over the keys to their systems. It is up to businesses to continue to train their employees to watch out for these tactics and protect the company’s assets and customers personal information. There is a ton of new information that comes forward every day when it comes to Cybersecurity. We will continue to post that information on our social media outlets and create our little video’s, white papers and case studies to help you protect your business.