The email account of one of our customers was recently hacked on their business computer.
The hacker saw that we had quoted on supplying a new laptop a month ago. The hacker pretended to be us in an email to our customer and convinced them to direct deposit money into a bank account they provided.
We only heard about it weeks after the deposit, when our customer contacted us asking where the laptop was. By then, the money, and the hacker, were long gone.
Hackers are sophisticated and clever. They make themselves look legitimate to people who do not question the emails and calls they receive.
In this instance, there were 3 indicators in the hacker's email that it was a scam, and we spotted all 3 the moment we saw the email they had sent to our customer:
- The email named one of our staff members but had a Dodo Mail email address clearly visible.
- The grammar was poor – much worse than our usual typos (sorry for them). For example: "all program has been loaded as well". The singular "program" is the giveaway here.
- We never ask for direct bank deposit by email. Our customers can shop with us online through a secure platform, or we issue an official invoice with payment details. Our invoices have a secure payment link.
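Two of the three indicators above (a staff member's name on an address outside the company's own domain, and a request for payment by bank deposit) can be checked mechanically before anyone acts on an email; the poor grammar still needs a human reader. The script below is an added example, not code from Tower Systems: the company domain, the staff names, the payment phrases and both sample messages are constructed for illustration. It also checks the Reply-To header, since a mismatch there is the same indicator in a different place.

```python
"""Flag payment redirection indicators in an inbound email.

Added example (not Tower Systems' code). The domain, staff names and
sample messages below are constructed, not real values.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed company details (constructed for this example).
COMPANY_DOMAIN = "example-pos-vendor.com"
STAFF_NAMES = {"Alex Smith", "Sam Jones"}

# Phrases typical of a "pay us into this account instead" request.
PAYMENT_PHRASES = [
    r"direct deposit",
    r"bank account",
    r"\bbsb\b",
    r"account number",
    r"new (?:bank|account) details",
    r"transfer (?:the )?(?:funds|money|payment)",
]


def check_email(raw_message: str) -> list[str]:
    """Return the indicators found in a raw RFC 822 message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    # Indicator 1: a staff member's name in the display name, but the
    # From or Reply-To address is not on the company's own domain.
    for header in ("From", "Reply-To"):
        display_name, address = parseaddr(str(msg.get(header, "")))
        domain = address.rpartition("@")[2].lower()
        if display_name in STAFF_NAMES and domain != COMPANY_DOMAIN:
            indicators.append(
                f"{header}: name '{display_name}' is a staff member "
                f"but the address domain is '{domain}'"
            )

    # Indicator 3: the body asks for a bank deposit or supplies account details.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for pattern in PAYMENT_PHRASES:
        if re.search(pattern, text, re.IGNORECASE):
            indicators.append(f"body requests payment by bank deposit (matched '{pattern}')")
            break
    return indicators


# Constructed sample messages: one impersonation, one genuine invoice notice.
SUSPECT_EMAIL = """\
From: Alex Smith <alex.smith@freemail.example>
To: accounts@customer.example
Subject: Laptop order - payment

Hi, all program has been loaded as well. Please direct deposit the amount to
the bank account below and the laptop ship tomorrow.
BSB 000-000 Account 12345678
"""

GENUINE_EMAIL = """\
From: Alex Smith <alex.smith@example-pos-vendor.com>
To: accounts@customer.example
Subject: Laptop order - invoice attached

Hi, your invoice is attached. Please use the secure payment link on the invoice.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_EMAIL), ("genuine", GENUINE_EMAIL)):
        found = check_email(raw)
        print(f"{label}: {len(found)} indicator(s)")
        for line in found:
            print("  -", line)
```

A hit on either check is a reason to stop and phone the sender on a number you already hold, not a verdict on its own; a genuine colleague occasionally writes from a personal address, and a genuine invoice may mention a bank account. The point is that the email alone should never be enough to move money.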
What happened to our customer was what is called a payment redirection scam. We have provided our customers with advice on reasonable steps they could take to pursue what has happened to them, even though the chances now of resolution are slim.
For more, read about the payment redirection scam: https://asic.gov.au/about-asic/news-centre/news-items/asic-warns-small-businesses-to-be-vigilant-about-payment-redirection-scams/
While the advice from ASIC and other government agencies is straightforward, it comes down to being vigilant, careful and questioning, especially before you part with any money.
For our customer, the hack happened before they received the email. It could have been days or weeks before. Protecting against this involves the most basic of care – clicking only on links you absolutely trust and being careful about the websites you visit from business computers.
The Australian Cyber Security Centre, run by the Australian Signals Directorate, offers excellent advice on protection against email hacks. We share this link with our customers as they are the experts. It's best to share government-provided expert advice rather than write our own. This way we are sure the advice is current and best practice. We particularly like:
- Consider introducing an approval process for requests that ask to change payment details or make a large transfer.
- Verify any such requests by calling the sender. Call them on a known and verified phone number (not a phone number from the email, as this could be operated by a cybercriminal). Speak with the sender over the phone to verbally confirm the request or change.
- Ensure workers have clear guidance to verify account details and to think critically before actioning unusual requests.
- Have a reporting process to report threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.
In terms of what we do at Tower Systems, we never ask our customers to transact with us insecurely. Payment is always through a secure, trusted platform that protects our customers and protects us.