Any employee can fall for a phishing scam. When the employee who falls for the scam is authorized to access and transfer large sums of money, an honest mistake can have significant costs.
$400,000 Sent to a Phisher
That’s what happened to Barbara Corcoran, of “Shark Tank” fame. A phisher changed one character in an email address and reached out to Corcoran’s bookkeeper. The email requested nearly $400,000 to be sent to a German company.
Of course, the bookkeeper didn’t just hand over the money. She replied to the person she thought was Corcoran’s executive assistant, and there was a legitimate-sounding reason for sending money to what appeared to be a legitimate business. The money got sent out, and it was only a later email to the executive assistant—not sent by hitting “reply” to the phishing message—that uncovered the scam.
Business Email Compromise
The FBI calls these targeted phishing schemes business email compromise (BEC), and they’re a major risk to businesses. Once the money is wired, it is extremely difficult to get it back.
The scam Corcoran’s bookkeeper fell for required some knowledge of how the business operated, so that the phisher could give a reasonable answer when the bookkeeper questioned the request for the funds, but hackers don’t need to be sophisticated to implement the scam. Criminals can simply purchase templates that allow them to send these messages, or break into an email account using passwords stolen in an earlier breach; if they’re not sure what they need to do, they can buy a phishing tutorial to learn. The overall costs of BEC in 2019 were close to $1.8 billion, according to the FBI.
Defending the Business Against BEC
There are multiple types of phishing attacks, so there are multiple defenses needed, too.
Not all the attacks are as targeted as the one that hit Corcoran. Some attacks send generic messages to thousands of targets. Email filters can help block the messages from reaching employees, and training can help employees learn to report them rather than responding to them.
The more targeted attacks need to be handled through business procedures as well as technological fixes. When there are unexpected requests for large sums of money, businesses can require confirmation through a phone call in addition to an email paper trail.
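One technical check that follows directly from the one-character address change described above is to flag sender domains that are a few edits away from a domain the business trusts, and to flag messages whose Reply-To would send the answer somewhere other than the apparent sender. The script below is an added example, not code from the original post or from CCS Technology Group; the trusted-domain list, the sample headers and the MAX_EDITS threshold are constructed assumptions, and it generalizes the one-character case to any domain within two edits of a trusted one.

```python
from email.utils import parseaddr

# Constructed list of domains the business legitimately exchanges mail with (an assumption).
TRUSTED_DOMAINS = {"corcoran-example.com", "bank-example.com"}
MAX_EDITS = 2  # flag domains within this many single-character edits of a trusted one

def levenshtein(a: str, b: str) -> int:
    """Edit distance by dynamic programming: insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value: str) -> str:
    """Extract the domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(headers: dict) -> list:
    """Return human-readable findings for one message's From/Reply-To headers."""
    findings = []
    doms = {h: domain_of(headers.get(h, "")) for h in ("From", "Reply-To")}
    for header, dom in doms.items():
        if not dom or dom in TRUSTED_DOMAINS:
            continue  # empty header, or an exact match with a trusted domain
        for trusted in TRUSTED_DOMAINS:
            d = levenshtein(dom, trusted)
            if d <= MAX_EDITS:
                findings.append(f"{header} domain {dom!r} is {d} edit(s) from trusted {trusted!r}")
    if doms["Reply-To"] and doms["Reply-To"] != doms["From"]:
        findings.append(f"Reply-To domain {doms['Reply-To']!r} differs from From domain {doms['From']!r}")
    return findings

# Constructed sample headers: a clean message, a lookalike sender, and a reply redirect.
SAMPLE_MESSAGES = [
    {"From": "Exec Assistant <assistant@corcoran-example.com>"},
    {"From": "Exec Assistant <assistant@corcoran-examp1e.com>"},
    {"From": "Exec Assistant <assistant@corcoran-example.com>",
     "Reply-To": "assistant@corcoran-exarnple.com"},
]

def scan(messages=SAMPLE_MESSAGES) -> dict:
    """Map message index -> findings, omitting messages with nothing to report."""
    return {i: f for i, m in enumerate(messages) if (f := check_message(m))}
```

A hit from scan() is a reason to route the message for the phone confirmation described above, not proof of fraud on its own, since legitimate partners do occasionally mail from near-identical domains.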
Learn more about protecting your business against phishing emails.
To make sure you have effective phishing protections in place, contact CCS Technology Group. Our IT security services include employee training as well as the latest in technology to keep your business secure from phishing and other IT security threats.