A recent incident that hit one of our clients demonstrated a new level of sophistication and patience on the part of attackers. Every employee in every organization needs to take heed and understand the extraordinary lengths these hackers went to in order to steal more than $200,000 from an unsuspecting company.
What Happened
The invoicing company sent out a legitimate email to their clients explaining a change in their billing system. Their client did not reply to that email, but the invoicing company sent a second email requesting payment for a legitimate invoice.
It was at this point that the hackers inserted themselves into the email chain.
Phishing Gets More Sophisticated and It Will Cost You
In analyzing the email thread, we found a legitimate conversation between the invoicing company and the company being invoiced that had been hijacked: subtly different domain names began appearing (names have been changed).
The invoicing company’s email address changed from @kwgm to @kvvgm, and the invoiced company’s email address changed from @angld to @anqld.
The email addresses changed so slightly that neither party detected the change. The client paid a $200,000 invoice to the hackers instead of to the invoicing company.
Neither party realized what happened until the money wasn’t received.
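The domain swap described above is detectable if every message in a thread is compared against the sender domains already established earlier in that thread. The following is an added example (not code from the original post or from thinkCSC) that folds look-alike character sequences such as "vv" for "w" and "q" for "g" before comparing; the confusable table and the 0.8 similarity threshold are illustrative assumptions, and the thread is a constructed sample using the altered names from the post.

```python
from difflib import SequenceMatcher

# Assumption: small illustrative table of sequences that read alike in
# common fonts; a production list would be far longer.
CONFUSABLES = {"vv": "w", "rn": "m", "q": "g", "0": "o", "1": "l", "cl": "d"}


def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'kvvgm' compares equal to 'kwgm'."""
    folded = domain.lower()
    for look, real in CONFUSABLES.items():
        folded = folded.replace(look, real)
    return folded


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate differs from trusted but is visually or
    typographically close to it (assumption: 0.8 similarity threshold)."""
    if candidate == trusted:
        return False
    if normalize(candidate) == normalize(trusted):
        return True
    return SequenceMatcher(None, candidate, trusted).ratio() >= 0.8


def audit_thread(messages):
    """Walk a thread in order and report each message whose sender domain is a
    look-alike of a domain seen earlier in the same thread.
    Returns (message_index, suspicious_domain, domain_it_imitates) tuples."""
    seen = set()
    findings = []
    for index, msg in enumerate(messages):
        dom = sender_domain(msg["from"])
        for known in sorted(seen):
            if is_lookalike(dom, known):
                findings.append((index, dom, known))
        seen.add(dom)
    return findings


# Constructed sample thread mirroring the sequence in the post.
THREAD = [
    {"from": "billing@kwgm", "subject": "Change to our billing system"},
    {"from": "billing@kwgm", "subject": "Invoice 1042 due"},
    {"from": "ap@angld", "subject": "RE: Invoice 1042 due"},
    {"from": "billing@kvvgm", "subject": "RE: Invoice 1042 due - new bank details"},
    {"from": "ap@anqld", "subject": "RE: Invoice 1042 due"},
]
```

Running `audit_thread(THREAD)` flags messages 3 and 4: the @kvvgm address imitating @kwgm and the @anqld address imitating @angld, exactly the two substitutions neither party noticed.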
How It Happened
This attack was not happenstance. The hackers had gained access to the CFO’s email by purchasing his password on the dark web. His username and password were for sale on the dark web because of the LinkedIn breach from 2012. This CFO continued to use the same or similar password for all the websites that he accessed. Rather than immediately exploit anything, the hackers bided their time, waited for the perfect opportunity, and inserted themselves into an email conversation when it would make them the most money to do so.
It was quiet. It was subtle. It was well masked. It was a highly sophisticated attack.
Your Email Security Isn’t Strong Enough Yet
We have talked for years about email security risks, like phishing, ransomware, and password spraying. And we’ve talked about email security requirements – the stronger passwords, the multi-factor authentication, the layers of security, the dark web monitoring. But being fully secure also requires constant vigilance by every employee at every level.
You can no longer assume that an email is safe simply because it’s in a thread of emails that were at one time sent from a legitimate source. Each email needs the same vigilance and care. Every email needs to be scrutinized to be sure it’s from a legitimate source, and anytime money is involved, it’s best to finalize arrangements by verifying with a phone call and using a secure payment system.
This was a preventable incident – but it was so carefully perpetrated and so insidious that no one suspected what happened until it was too late. We must all learn from this costly mistake and not let it happen again.
Prevent Phishing with Best Practices and Vigilant Caution
Educating your staff is essential. You need to do more than just give them a brief presentation and assume they’ll remember. Email security training should be comprehensive and provided on a regular basis, to communicate updates and these reminders about best practices:
- Secure personal information – Do not use the same password on multiple devices and at multiple sites, including personal networks. Hackers can target specific individuals and explore networks like social media to gain information. Passwords should be complex and changed periodically, and two-factor authentication should be applied whenever possible.
- Use available malware and virus protection programs – If professional devices are asking for updates, make sure employees are not ignoring prompts. Also encourage employees to secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
- Use secure networks only – It can be tempting for employees to sign in quickly to an office network at home, even if it is to innocently check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
- Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.
Your employees can be your biggest risk, but they can also become your strongest defense against phishing attacks. Knowledge is the first step in preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices. Download the thinkCSC email security guide to get started – but don’t stop there. Get in touch with thinkCSC today to go over your email security protocols and determine where you still have risk.