Companies can test their own human vulnerabilities for scams

Photo courtesy of elhombredenegro on Flickr


Rob Swystun, Pristine Advisers

While companies put a lot of time and effort into making sure their computer systems are safe and invulnerable to cyber attacks, there is one vulnerability that they might not be accounting for: employees.

Recently, as outlined by digital crisis management guru Melissa Agnes, print and online media company Atlantic Media put their employees through a test to find out how many of them were acting as a weak point for the company.

In order to determine how easy it would be for someone to get into the Atlantic Media system through employee unpreparedness, the company sent a phishing email to its employees that asked them to verify their accounts (presumably by clicking on a link and going to a fake web page where they would enter their account information).

The results were troubling.

Nearly 50% of the company’s employees opened the email, and 58% of those who opened it clicked on the phishing link provided within it.

For the uninitiated, a phishing scam is when scammers attempt to get information such as usernames, passwords and credit card details from people (“fishing” for it). They usually do this by sending a fake email, purporting to come from a website, saying there is something wrong with the recipient’s account and asking them to sign in to fix it. These emails are often accompanied by a link to a mock-up of the real website where people are encouraged to sign in. When you sign in, your credentials are captured.

If you belong to Facebook or eBay or any other big website, chances are you’ve received at least one of these shady emails in your spam folder.

Last year, both The Guardian and The Onion — a couple of major online players — fell victim to phishing attacks. And if it happened to them, it can happen to your company, too.

Sometimes the attacks aren’t just electronic in nature. They can have a human element to them, which makes them seem less shady.

I recently wrote about a major New Zealand retail chain that was hit with a phishing scam. In that case, someone actually telephoned one branch of the chain and identified himself as a senior member of the company. He then directed employees to a fake website that was designed to look like the chain’s official tech support site. The unwitting employees then downloaded a malicious program that tried to take over the company’s computers.

Fortunately for that chain, which understandably remained anonymous, their actual IT department caught on to what was happening and cleared the company’s computers of the malicious software before any data was breached or lost.

Money laundering

Although not a phishing scam, another way businesses are being targeted is by criminals looking to have legitimate businesses unwittingly launder money for them.

This scam sees businesses contacted by a fake overseas customer asking to purchase products. The fake customer then pays over the stated amount, and asks for the excess to be sent to an overseas bank account, thus laundering it in the process. The funds that are used to pay for the product are usually obtained through fraudulent means, like the aforementioned phishing scams.

While some companies have been lucky enough to stop a cyber attack before any damage is done, not all companies will escape unscathed, which is why a simple test like the one that Atlantic Media did can be extremely helpful in identifying human vulnerabilities within an organization.

Once it has been ascertained that these vulnerabilities exist, then the education can begin, starting with teaching employees about online scams and how to avoid them.

Here is a helpful list to get started, provided by a New Zealand police department.

Red flags for money laundering business scams:

– Contact made by phone or email by an overseas or unknown buyer
– Too much money appears in the business account from a purchase
– Purchaser then wants money transferred to overseas account (even though it came from an account within the business’ own country)
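
The three red flags above can be checked mechanically against order records before a refund is released. The following is an added example, not code from the original post or from the New Zealand police list; the `Order` fields, the sample orders and the `HOME_COUNTRY` value are constructed assumptions, and the rule that holds an order when overpayment coincides with any other flag is the example's own choice.

```python
"""Match incoming orders against the overpayment (money laundering) red flags.

Added example: the Order fields, HOME_COUNTRY and the sample orders below are
constructed for illustration and are not from the original post.
"""
from dataclasses import dataclass
from typing import List, Optional

HOME_COUNTRY = "NZ"  # assumption: the business is based in New Zealand


@dataclass
class Order:
    order_id: str
    contact_channel: str            # "phone", "email", "in_person", "web_store"
    buyer_country: Optional[str]    # None when the buyer's location is unknown
    invoice_amount: float
    paid_amount: float
    payer_account_country: str      # country of the account the payment came from
    refund_requested: bool = False
    refund_account_country: Optional[str] = None


def red_flags(order: Order) -> List[str]:
    """Return the red flags matched by this order (empty list when none)."""
    flags = []
    # Flag 1: contact by phone or email from an overseas or unknown buyer.
    if order.contact_channel in ("phone", "email") and order.buyer_country != HOME_COUNTRY:
        flags.append("overseas_or_unknown_buyer_contact")
    # Flag 2: more money arrives in the business account than the invoice asked for.
    if order.paid_amount > order.invoice_amount:
        flags.append("overpayment")
    # Flag 3: the purchaser wants the excess sent to an overseas account even though
    # the payment came from an account within the business's own country.
    if (order.refund_requested
            and order.refund_account_country not in (None, HOME_COUNTRY)
            and order.payer_account_country == HOME_COUNTRY):
        flags.append("refund_abroad_from_domestic_payment")
    return flags


def should_hold(order: Order) -> bool:
    """Hold the order for manual review when overpayment coincides with any other flag.
    This two-flag rule is an assumption of the example, not from the source."""
    flags = red_flags(order)
    return "overpayment" in flags and len(flags) >= 2


# Constructed sample orders: a normal web-store sale, an ordinary overseas email
# enquiry, a textbook overpayment scam, and an overseas buyer who overpaid.
SAMPLE_ORDERS = [
    Order("A100", "web_store", "NZ", 1200.0, 1200.0, "NZ"),
    Order("A101", "email", "US", 1200.0, 1200.0, "US"),
    Order("A102", "email", None, 1200.0, 4800.0, "NZ", True, "GB"),
    Order("A103", "phone", "AU", 500.0, 650.0, "AU", True, "AU"),
]


def review_queue(orders: List[Order]):
    """Orders that should be held, each paired with the flags it matched."""
    return [(o.order_id, red_flags(o)) for o in orders if should_hold(o)]


if __name__ == "__main__":
    for order_id, flags in review_queue(SAMPLE_ORDERS):
        print(order_id, "held for review:", ", ".join(flags))
```

Running the block prints the two sample orders that should be held (A102 and A103) with the flags each matched; A101, an overseas enquiry with no overpayment, passes through untouched.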

Red flags for general scams:

– Overseas contact via phone or email
– Rapport built up to a point where the victim feels like they can share personal information
– Information gained by the scammer is used to place pressure on victim to send money
– Money to be sent usually via Western Union or other money remitter to an overseas destination
– Usually romance or social networking scams

If you think your company has vulnerabilities in the workforce that can be exploited by a phishing scam, you might just want to set up your own test. Better to identify these vulnerabilities and fix them now rather than deal with the fallout later.
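
A test like the Atlantic Media one only helps if its results are measured the same way the figures above were: opens as a share of recipients, clicks as a share of openers, and, the number the post does not mention but which matters most for training, how many people reported the email instead of clicking. The following is an added example, not code from the original post or from Atlantic Media; the event-log format, the sample events and the training threshold are constructed assumptions.

```python
"""Summarise a phishing-simulation campaign from its event log.

Added example: the log format, the sample events and the training threshold
are constructed for illustration and are not from the original post.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log: one row per event; events are sent/opened/clicked/reported.
SAMPLE_LOG = """\
timestamp,user,department,event
2014-03-03T09:00:00,alice,editorial,sent
2014-03-03T09:00:00,bob,editorial,sent
2014-03-03T09:00:00,carol,editorial,sent
2014-03-03T09:00:00,dave,editorial,sent
2014-03-03T09:00:00,erin,finance,sent
2014-03-03T09:00:00,frank,finance,sent
2014-03-03T09:05:12,alice,editorial,opened
2014-03-03T09:06:40,alice,editorial,clicked
2014-03-03T09:07:01,bob,editorial,opened
2014-03-03T09:07:30,bob,editorial,reported
2014-03-03T09:10:00,carol,editorial,opened
2014-03-03T09:10:20,carol,editorial,clicked
2014-03-03T09:12:00,erin,finance,opened
2014-03-03T09:12:45,erin,finance,reported
2014-03-03T09:15:00,frank,finance,opened
2014-03-03T09:15:10,frank,finance,clicked
2014-03-03T09:15:10,frank,finance,clicked
"""


def parse_events(text):
    """Return {department: {user: set(events)}}. A user who clicks twice counts once."""
    per_dept = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(StringIO(text)):
        per_dept[row["department"]][row["user"]].add(row["event"])
    return per_dept


def _rates(sent, opened, clicked, reported):
    # Open and report rates are over recipients; click rate is over openers,
    # which is how the Atlantic Media figures in the post are expressed.
    return {
        "sent": sent, "opened": opened, "clicked": clicked, "reported": reported,
        "open_rate": opened / sent if sent else 0.0,
        "click_rate_of_openers": clicked / opened if opened else 0.0,
        "report_rate": reported / sent if sent else 0.0,
    }


def summarise(per_dept):
    """Per-department counts and rates."""
    summary = {}
    for dept, users in per_dept.items():
        counts = [sum(1 for ev in users.values() if name in ev)
                  for name in ("sent", "opened", "clicked", "reported")]
        summary[dept] = _rates(*counts)
    return summary


def overall(summary):
    """Company-wide counts and rates derived from the per-department summary."""
    totals = [sum(s[name] for s in summary.values())
              for name in ("sent", "opened", "clicked", "reported")]
    return _rates(*totals)


def departments_needing_training(summary, max_click_rate=0.25):
    """Departments whose click rate among openers exceeds the threshold (the 25% default is an assumption)."""
    return sorted(d for d, s in summary.items() if s["click_rate_of_openers"] > max_click_rate)


if __name__ == "__main__":
    summary = summarise(parse_events(SAMPLE_LOG))
    for dept, s in sorted(summary.items()):
        print(f"{dept}: opened {s['open_rate']:.0%}, clicked {s['click_rate_of_openers']:.0%} of openers, "
              f"reported {s['report_rate']:.0%}")
    print("overall:", overall(summary))
    print("training first:", departments_needing_training(summary))
```

Counting each user once per event type is deliberate: a second click by the same person should not inflate the click rate, and a user who reports the email is the outcome the training is trying to produce, so the report rate is worth tracking across repeat campaigns alongside the click rate.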
