Sep 14
computer error

Business, Lawyers and Phishing

Posted by EricW on Wednesday 14th September 2016

One of the fastest growing and potentially most costly cyber security risks is what’s known as ‘Spear-phishing’ – it’s a frighteningly effective technique.
We’re all used to ordinary phishing emails – they start with a variation on:
“Hello, I am the manager of a bank and I have some inactive accounts I must close”

Not too many people fall for that one anymore.
Things have moved on.

At Work

Now, you’re the accounts manager or FD of a company and you’re working away coming up to a deadline – end of year, end of quarter, and you get an email from the boss. It reads plausibly and you’re in a hurry to get stuff out. They’re also in a hurry – “need to transfer a lot of money and there’s something wrong with the banking software (or maybe it’s me).”
So you answer the mail, and they come back with “tried that, didn’t work. Have you got 5 minutes to do it for me? If I don’t do it today the opportunity goes.”

And if you do the transfer for the boss? To get some peace and do your job?
It was a forged email with a bogus reply-to address, and the money’s gone. Via Asia or Africa, and beyond all reasonable hope of return.

We know a couple of people who escaped that by the skin of their teeth. The MD had just spoken to them on the phone, and never mentioned shifting £10,000.
Ubiquiti Networks make some very stylish cloud-managed equipment (we sell their stuff). They lost $47 million to this. They’ve managed to get back about $8 million.

Won’t happen to me. I don’t have access to the company bank account.

At Home

So.. you’ve sold your house. You’re just waiting for the money, and you know what account to pay it into. An email comes through from your solicitor/conveyancer saying “Our account details have changed – please use this account”. Ah. Check those email details carefully. Check that account carefully. Call the office and confirm the details. Quite possibly that’s a bogus email, not from the solicitor. Send the money that way and you’re up a creek.

I’m always very careful and would never fall for that.

At Your Solicitor

Someone’s bought your house. You can see what’s coming..

The solicitor sends you an email asking to confirm your bank details – they have the account name, so you send them the account number and sort code.
That wasn’t the solicitor? Ooh.
The real solicitor gets an email quoting your old account details and specifying a new account to use.
There goes the money.. (although on this one, you *might* get it back through their insurance. Or not.)

How do they know these things?

We leak stuff through social media.
“off to China to see a factory”, “so happy our house is sold”
Unscrupulous people make guesses based on the for sale board on your house.
Email costs nothing to send, and scammers need a very low hit rate to make some easy money.

What to do?

  • Set your social media security settings to never share with anyone you don't know and trust personally. Friends of friends? They're strangers.
  • Never use email to authorise payments.
  • Always confirm bank information over the phone or in person
    (and if an email tells you “and our phone number’s changed”, call the old number. No serious business will fail to divert their calls to a new number)
  • Arrange a code phrase for payment – but make sure that if you don’t use it, they:
      1. Won’t move your money
      2. Won’t coach “you” to say the phrase

    For more background info follow these links:

    CEO Fraud:

    Mortgage fraud:

    Company Trending; Leatherhead IT Services, Leatherhead IT Support Company, IT Support Leatherhead, IT Company Leatherhead

    Client Feedback...

    Efficient, cost-effective, honest advice...

    D Skinner rated 5 stars