Earlier this year, we participated in a seminar that showed examples of major cyber-crime. The sophisticated impersonation of a friend overseas is a powerful reminder that cyber-crime is very real, increasingly clever and not just targeted at larger businesses.
I received a simple email from his genuine email address (see yellow highlighter in image below) saying he needed some assistance. I replied and was sent another email purporting to be from him but with a very similar but subtly different email address (in green highlighter below) asking to buy him some iTunes cards.
It was a plausible email but not a request I would have expected. I checked the email for ‘red flags’ and saw a similar, but false, reply address had been used. I rang him to find a very distraught person dealing with the fallout and trying to get things fixed. How do you get Hotmail to cancel an email account you didn’t set up? Do you just casually email all your Contacts and say, “If I ask for help, ignore me!”?
The most disconcerting thing is it appears someone has got into his email account and set up an auto forward enabling them to see every email he receives.
The moral is to always be wary of emails you receive and make sure your employees are consistently reminded of the prevalence of cyber scams. People’s actions are an important line of defence and should be part of your risk culture. As part of ABM Risk Partnership, we spend a lot of time discussing risks. Even so, it was a good reminder to check my email account settings. Changing passwords regularly, and especially if you feel you may have been compromised, is always a good idea, but other responses may also be necessary. This specific hack continued even after the password was reset. Settings deeper in the system still needed to be reviewed and changed.
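The two checks described above, the "red flag" comparison of the reply address against the sender address and the review of forwarding settings that a password reset does not undo, can both be scripted. The following is an added example, not code from the author or from ABM Risk Partnership: it parses a constructed message whose Reply-To address is a lookalike of the From address, and it audits a constructed list of mailbox rules (the rule layout is an assumption, not any provider's export format) for auto-forwards to domains the organisation does not own.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message; the addresses are invented for this example.
# The Reply-To swaps "m" for "rn", the kind of subtle change the post describes.
SAMPLE_EML = """From: Alex Example <alex.example@hotmail.com>
Reply-To: Alex Example <alex.exarnple@hotmail.com>
To: me@example.com
Subject: Quick favour
Content-Type: text/plain

Are you around? I need some help buying a few iTunes cards today.
"""

# Constructed mailbox rules in an assumed, simplified shape: one dict per rule.
SAMPLE_RULES = [
    {"name": "Receipts", "action": "move", "target": "Receipts"},
    {"name": "Auto forward", "action": "forward",
     "target": "collector@attacker-example.net", "enabled": True},
    {"name": "Archive copy", "action": "forward",
     "target": "archive@example.com", "enabled": True},
]


def sender_and_reply(raw_message):
    """Return (from_address, effective_reply_address), both lower-cased.

    When no Reply-To header is present, replies go to From, so that is used.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1].lower()
    return from_addr, reply_addr


def similarity(a, b):
    """Ratio in [0, 1]; near 1 means the strings differ by only a character or two."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def check_reply_to(raw_message, lookalike_threshold=0.8):
    """Flag a Reply-To that differs from From; call out near-identical ones separately."""
    from_addr, reply_addr = sender_and_reply(raw_message)
    findings = []
    if reply_addr != from_addr:
        score = similarity(from_addr, reply_addr)
        if score >= lookalike_threshold:
            findings.append(
                f"lookalike reply address: {reply_addr} vs {from_addr} "
                f"(similarity {score:.2f})")
        else:
            findings.append(
                f"reply address differs from sender: {reply_addr} vs {from_addr}")
    return findings


def audit_forwarding(rules, owned_domains):
    """Return enabled forward rules whose target domain is outside owned_domains."""
    owned = {d.lower() for d in owned_domains}
    suspicious = []
    for rule in rules:
        if rule.get("action") != "forward" or not rule.get("enabled", True):
            continue
        domain = rule["target"].rsplit("@", 1)[-1].lower()
        if domain not in owned:
            suspicious.append(f"{rule['name']} -> {rule['target']}")
    return suspicious


if __name__ == "__main__":
    for line in check_reply_to(SAMPLE_EML):
        print("MESSAGE:", line)
    for line in audit_forwarding(SAMPLE_RULES, ["example.com"]):
        print("RULE:", line)
```

The similarity threshold is a judgement call: a completely different Reply-To is still worth a look, but a reply address that is almost identical to the sender is the stronger signal, because it is designed to survive a casual glance on a phone screen.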
Also be wary of reading and quickly responding on your smartphone – I, for one, am much more comfortable using the desktop email applications which also make possible inconsistencies much more visible.
For companies, today’s integrated systems allow IT teams to reduce the number of settings a user (employee) can control. This may seem a bit ‘big-brotherish’ but it makes it much harder for someone who does hack into an email account to make changes that may not be picked up for a long time.
Have you experienced any sophisticated cyber-crime attempts recently that people should know about?