At the end of a busy day Adel was preparing to go home. She is an office manager at a very successful small family business that sourced and supplied quality after market parts for air conditioning repairs.
Just before Adel closed down her computer she received an email from her boss, the owner, David. In the email David asked Adel to arrange an urgent $50,000 transfer to a supplier that night. David apologised for the urgency, but he needed to secure the great price for stock he had ordered.
David also acknowledged that the request was outside the normal ordering and payment approval processes, and he was authorising Adel, who was a bank signatory, along with Harry the bookkeeper, one of the other signaatories, to co-sign the payment. Normally one of the co-signatories was David. Fortunately for Adel, Harry was working late closing off the ledger for last month to produce the monthly reports for the management meeting next week.
Adel and Harry had a brief discussion and decided that, although out of the ordinary, it was just like David to arrange such a deal and they made the transfer.
The next morning David return to the office and logged onto the bank to check the daily balance as he did every day. He saw the $50,000 transfer and was a bit puzzled and asked Harry what it was about and who authorised the transfer. Harry said “you did in the email you sent Adel late yesterday”.
There was complete silence and Adel’s face lost all its colour. David had not sent the mail. They were the victims of an organisation that had infiltrated David’s laptop computer via a Trojan application. It turned out that the application was installed from a spreadsheet attached to a spam email opened by David some six months ago.
They contacted their bank in an endeavor to reverse the transaction. Their bank contacted the “suppliers” bank and fortunately the money was recovered.
Both Adel and Harry felt really bad about what had happened, but it wasn’t their fault. David’s business is one of many businesses similarly affected.
How did this happen? It was quite simple really:
- David opens a spam email attachment and the “Trojan” takes up residence on his laptop.
- Someone, somewhere is able to learn all they need to know about David; how he writes emails and who to, his appointments, his personal and business life and his habits. They saw all this on his laptop, by reading and monitoring his diary, and everything else on his laptop.
- When David is away, an email is sent from David’s account requesting an urgent substantial payment, and the payment is made by unsuspecting people, because they think it was David making the request.
What can you do to minimize the chance of this happening to you? The answer is also, in part, quite simple:
- Never open email attachments you are not sure about. If you think you really should open the attachment because is seems to be from a trusted source, “pick up the phone” and talk to them.
- Have protocols in place for urgent payments, like “pick up the phone” and other simple reality checks like comparing document details to your records.
- Don’t click on suspicious links. Mostly it is obvious that they are fakes. Hover the mouse pointer over links to check where they propose to take you. Lately, perpetrators are getting better at disguising links and now sometimes this method doesn’t work.
- Ensure that all staff have training on personal cyber security. Simple things that that can do to be safe. Essentially this means if they are in doubt about an email attachment or instruction, don’t act on it until they have thoroughly checked their authenticity.
- Engage a cyber security expert to implement a strong cyber security system backed by staff training.
- Establish monitoring of cyber threats.
- Regularly reassess your cyber security system and processes and change them as the types of threats change.
The moral of this story is; if in doubt about an email, don’t act until you have fully eliminated that doubt because, things are sometimes not always as they seem.