Every day I go through all the security headlines I can in order to stay on top of the security game. Through all the information out there, all the news, it pains me that security breaches, fraud and mistakes are still happening. For each mistake a company or person makes I research how to prevent it and communicate that to my co-workers, teams and clients. It's surprisingly easy to avoid most of the security attacks out there. There is no need for heavy investment in new technologies, only a need to increase awareness.
The latest mistake to learn from comes out of Canada. MacEwan University in Edmonton, Alberta fell for the common phishing scam and lost $9.5 MILLION by trusting an email. Based on an email they trusted to be legitimate, the staff changed the financial payment information for a vendor. Instead of paying the vendor, the funds were put into the criminals' accounts in Canada and Hong Kong.
This case, like the other CEO phishing scams, proves that technology does not solve your security problems. The University could have had the best of the best, impenetrable systems on the planet and none of it would have prevented this crime. Why? Because everything comes down to the people. A person made a mistake, moved within the borders of the security systems and willingly sent millions to a criminal.
Phishing exists and is successful because we as a society trust the digital world too much. We have accepted mass, instant communication channels so much that we have lost the skills and desire for interpersonal connections. We don't talk to each other anymore. Email is trusted and embraced, and that's why it's used by criminals to commit widespread fraud. The criminal elements prey on our sloppy communications, lack of attention to details and open acceptance of something that 'looks' legit.
Every single CEO phishing fraud scam can be prevented by inserting one simple step into the process: Pick Up The Phone. If the HR person, accountant, CFO or University vendor manager had actually stopped and picked up the phone to speak to someone and verify the request, there wouldn't have been a single penny lost. Instead email is trusted and we blindly accept it.
I'm sure people will say that making a phone call to a person is easier said than done. The CEO is an iron-fisted ruler and I would never dare question his emails. The vendor wants their money now, we can't wait. No one has time to verify anything... and so on. My response is that the one time you catch a fraudulent request and save the company, partners and vendors potentially millions of dollars, they will understand. If not, good luck to you.
Email is one kind of communication. It's also a method that can be spoofed, faked, cosmetically altered, re-routed, sent from anywhere or made to look like it was sent from anywhere, and most people skim it and accept it too readily.
Simple rule: if any monetary request comes through email, you verify it in person or on the phone. It's not for the 99% of the time they are legitimate; it's for the one time it's not. It will happen to you; it's just a question of when.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.