Phishing is a big business and you’re their next mark. We’ve covered how to identify fake pages and how to identify fake emails previously, but here we’ll cover the consequences of falling for them. Many people don’t take the threat seriously and treat these events as if they were just a form of vandalism. Make no mistake, there are real consequences of falling for these schemes that will cost your company money and maybe cost you your job.
Invisibly Working in Your Mailbox
Most of the most damaging attacks begin with email. When you fall for one of these schemes, the first thing the perpetrators do is read through your email. They learn who you are, what you have access to, whom you correspond with, and how they can profit from having access to your mailbox.
Once they are ready to exploit your identity, they put mailbox rules in place so that you never see the replies to the emails they send out. They create rules that move messages with particular subjects into a folder buried in your mailbox that you would never open, they delete their own messages from the Sent folder, and they set up rules that forward a copy of every email you receive to an outside address so that they keep access even if you change your password. The rewards for them can be high and they have become skilled at making the most of the opportunities they come across.
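The rules described above leave traces that can be found by reading through an export of the mailbox's rules. The following Python script is an added example, not code from the original article, that triages such an export for exactly those patterns: forwarding to an outside address, deleting matching mail, filing it in a folder nobody opens, and rules with a name designed to be overlooked. The rule field names (Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords) and the ORG_DOMAINS value are assumptions loosely modelled on mail-server rule exports rather than any product's real API, and the sample rules are constructed.

```python
"""Triage exported mailbox rules for the traces an intruder leaves behind.

Added example, not part of the original article. Each rule is a dict whose
field names are an assumption loosely modelled on mail-server rule exports,
not any product's real API.
"""
from __future__ import annotations

ORG_DOMAINS = {"example.com"}  # assumption: the victim organization's own mail domains

# Folders an intruder picks because the mailbox owner never looks in them
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Keywords that point at the finance or credential themes these rules target
FINANCE_TERMS = {"invoice", "wire", "payment", "remittance", "bank",
                 "ach", "transfer", "password"}


def _external(addresses: list[str]) -> list[str]:
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def triage_rule(rule: dict) -> list[str]:
    """Return the reasons this rule looks like attacker persistence (empty if none)."""
    findings: list[str] = []
    name = rule.get("Name", "")

    # 1. Forwarding or redirecting to an outside address keeps the attacker's
    #    copy flowing even after the password is changed.
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        ext = _external(rule.get(field, []))
        if ext:
            findings.append(f"{field} to external address(es): {', '.join(ext)}")

    # 2. Silently deleting matching mail hides replies from the owner.
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")

    # 3. Moving mail into a folder nobody opens, or into one named "." or with
    #    an unprintable name, is the classic way to bury replies.
    folder = (rule.get("MoveToFolder") or "").strip()
    if folder and (folder.lower() in HIDING_FOLDERS
                   or len(folder) <= 2 or not folder.isprintable()):
        findings.append(f"moves messages to rarely viewed folder {folder!r}")

    # 4. A finance/credential keyword filter is normal on its own (people file
    #    invoices); combined with a hiding action it is the fraud pattern.
    words = {w.lower() for w in rule.get("SubjectContainsWords", [])
             + rule.get("BodyContainsWords", [])}
    hits = sorted(words & FINANCE_TERMS)
    if hits and findings:
        findings.append(f"keyword filter on {hits} combined with a hiding action")

    # 5. An empty name, or one made only of punctuation, is meant to be
    #    overlooked in the rules list.
    if not name.strip() or not any(c.isalnum() for c in name):
        findings.append(f"suspicious rule name {name!r}")

    return findings


def flagged_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """(rule name, findings) for every rule that triggered at least one check."""
    out = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            out.append((rule.get("Name", ""), reasons))
    return out


# Constructed sample export: one benign rule and three shaped like the ones
# found after a mailbox compromise.
SAMPLE_RULES = [
    {"Name": "Move newsletters", "SubjectContainsWords": ["newsletter"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "SubjectContainsWords": ["invoice", "wire", "payment"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "backup", "ForwardTo": ["j.doe@example.com", "jdoe.backup@gmail.com"]},
    {"Name": "cleanup", "FromAddressContainsWords": ["accounting@example.com"],
     "DeleteMessage": True},
]

if __name__ == "__main__":
    for rule_name, reasons in flagged_rules(SAMPLE_RULES):
        print(f"rule {rule_name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample export, the benign newsletter rule passes and the other three are reported. Forwarding to an address inside ORG_DOMAINS is deliberately not flagged, since internal forwards are routine; a keyword filter alone is not flagged either, only when it is paired with an action that hides the mail. After a confirmed compromise, every flagged rule should be removed and the forwarding address treated as the attacker's collection point.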
There are real monetary losses associated with falling for a phishing scheme. By giving a criminal access to your email and other accounts, they have the perfect cover to pretend to be you. Depending on their skills in impersonating you and what you have access to, a lot of money could disappear.
When perpetrators of these schemes get into the mailbox of someone who can authorize orders for a company, they may send fake invoices to accounting from that mailbox. We've seen an attacker attempt to send a $60,000 invoice to accounting this way. Luckily the perpetrators were wrong in believing that this person could authorize such a purchase, and the invoice was for something the company would never buy, but there's no doubt that many of these get through without that level of scrutiny.
Wire Transfer Schemes
Because wire transfers can be difficult or impossible to reverse, any instruction received by email about one should be confirmed by other means, such as a phone call to a number you already have on file rather than one taken from the email. On more than one occasion we've been brought into situations where someone was about to lose thousands of dollars, or had just lost it. It is an extremely disappointing situation when it happens, and the fallout often goes beyond disappointment.
We recommend that companies seriously consider how their banks accept wire transfer requests from them. If your company uses wire transfers only infrequently, a more burdensome approach, such as requiring a visit to the local bank branch, might be appropriate. If your company does them more frequently, the bank's web portal with appropriate authentication measures in place might be the right choice. If your bank accepts wire transfer instructions by email alone, you need to reconsider that arrangement. Thankfully, as banks are just as much on the hook for these losses as the customer, maybe even more so, they have adopted better policies, and hopefully few still accept requests by email alone.
We saw this type of scheme when a user in accounting fell for a fake email that purported to be from Google Drive. The perpetrators got into this person's mailbox, found the bank's wire transfer forms, created a new one based on the information they found, and it was almost accepted by the bank. The only reason it wasn't was that the bank thought the note in the memo field of the form looked odd, with poor grammar, and decided to call the person who had supposedly requested it, only to learn that it wasn't legitimate. Following that event the bank implemented much stricter policies, since it had almost lost $25,000.
In another event, the perpetrator hijacked a conversation. While inside the victim's mailbox they found an email thread that could legitimately lead to a wire transfer request. They replied to that thread from another email account, carried on a conversation that appeared legitimate, and ultimately led the victim to request a wire transfer to an account the perpetrator controlled rather than the intended vendor's. This company almost lost more than $10,000.
Having access to your email likely means that someone can initiate a password reset on a brokerage account, along with many other accounts. Once inside your brokerage account they could sell your good-quality investments and buy into worthless ones that they are selling at inflated prices, as part of the many "pump and dump" stock schemes and spam campaigns. Since investments are not insured against this kind of loss the way bank deposits are, you might find your retirement wiped out because you failed to recognize an obviously fake email.
Reputation and Liability
Falling for a phishing scheme will almost certainly do some damage to your reputation. Many people try to write it off as a minor embarrassment: "look at me, I fell for a phishing scheme." Often it is minor. However, these events can have more serious consequences for your reputation and potentially make you liable for damage to others.
Your mailbox tends to be a history of every communication you've ever sent. With business-class email services offering unlimited storage at affordable rates, why would anyone delete emails? The consequence is that if someone gets into your mailbox, they have access to everything you've ever sent or received. This is the biggest reason IT professionals urge people not to send sensitive information over email.
Job applications, loan applications, tax forms, medical records, employee rosters, and other documents containing information that can be used to steal someone's identity should not be sent over email. Every person on that first email, and every recipient of any forward, will have a copy of that information, and each of them is now a weak point in its security.
If your mailbox shows itself to be an ongoing source of this information, the perpetrators might just stay in it indefinitely and collect the information as it comes in. They gather it, enter it into spreadsheets and databases, and sell it on the dark web to the highest bidder, who will use it to victimize the people it pertains to. Depending on your industry and its regulations, you may have to disclose these events, which may cost you customers or prevent you from getting new ones. If your handling of the information was negligent and later attacks can be traced back to this breach, you could also be held liable, hurting your reputation and costing your company money.
Getting More Access Through You
Once the perpetrators are done exploiting the information in your mailbox, they basically set your reputation on fire. They use you as a launching point to trick others with the same scheme you fell for. It's a widely held misconception that the victimization begins when these emails start going out to others; in fact, that is when it ends. They could have been inside the mailbox for any amount of time, weeks, months or years, and have now decided that ongoing access is no longer valuable. The remaining value in your mailbox is to use you to trick others so they can move on to someone else.
This event is embarrassing and may have direct financial consequences. Your customers may lose faith that you can treat their information with the care they expect and might leave you for a competitor that hasn't had such an event. It may show that you disclosed their private information to an unauthorized third party and lead to monetary damages for the disclosure. Someone might even try to hold you responsible for their falling for a scheme that originated from your mailbox. While that last one might be unreasonable, it doesn't mean you won't lose opportunities over it or spend money defending yourself.
How Do We Protect Ourselves?
These schemes are not technical; they are a form of "social engineering." Very similar schemes have always existed by phone and by post. While the IT professionals at your company can do things to reduce your exposure to these schemes, they cannot eliminate it.
The first step to protecting yourself is to recognize that it falls to you to do so, not IT, and not your company. You can fall for a phishing scheme in both your personal and business lives, so you need to be vigilant because in all cases, you suffer. Too many people believe that there’s nothing they can do, that these things just happen, when the reality is far from that. If we all individually just did some very simple things, these attacks would almost never be successful.
- Check where the links lead.
How you do this depends on how you read your email. On devices with a mouse, you hover the cursor over the link and read the destination shown in the status bar or tooltip. On touchscreen devices, you press and hold the link to see where it leads before opening it. Learn where the link is supposed to go: a link in an email supposedly from Amazon will go to amazon.com, not to a hijacked church website in another country.
- Check the From address.
The from name on an email can be set to anything, and the from address can be forged as well, although receiving mail systems that enforce SPF, DKIM and DMARC make forging a protected domain's address much harder, so treat both with suspicion. Walmart emails do not come from gmail or hotmail or a hair salon in Brazil; they come from walmart.com. Be familiar with how your email client displays both from names and addresses, as some perpetrators put a legitimate-looking email address in the name field hoping you won't notice the real address after it.
- Don’t panic, ever.
Establish with everyone you correspond with that nothing sent by email is treated as time sensitive. Most of these schemes rely on you letting your guard down because you are in a rush to fix the situation. "You owe a lot of money," "You have won a lot of money," "Your password is about to expire unless you tell us your current one," and "I'm very upset with you, look at this attachment immediately" are some of the many ways they try to get you to let your guard down.
- Rely on precedents and expectations.
You're not going to receive a proposal from someone out of the blue. You're not going to receive invoices if you're not responsible for handling them in your company. You're not going to suddenly get a voicemail from a new system that was never introduced to you. You're not going to get a fax through email unless you subscribe to a fax-to-email service and know your own fax number. These are all examples of what should be obvious phishing emails.
- Trust your doubts and just delete the emails; don’t forward them.
Forwarding a phishing message just creates the potential for victimizing whoever you forwarded it to, even your IT professionals. If you have doubts about an email, assume you're right. Just delete it and move on. Out of 1,000 emails forwarded to us that people had doubts about, 999 were phishing emails.
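The first two items on the list, checking where the links lead and checking the From address, can also be done mechanically. The following Python script is an added example, not code from the original article, that reads a raw message and reports a display name that is itself an email address for another domain, a Reply-To pointing to a different domain than the From, and links whose visible text names one site while the href goes to another. The three messages are constructed and every domain in them is a placeholder; the `registrable()` helper is a deliberately crude stand-in for a public-suffix lookup.

```python
"""Mechanical versions of 'check where the links lead' and 'check the From
address'. Added example, not from the original article; messages constructed."""
from __future__ import annotations

import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Link text that is itself a bare host or URL, e.g. "www.amazon.com/orders"
_HOSTLIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def registrable(host: str) -> str:
    """Owning domain, approximated as the last two labels (assumption: a real
    tool would consult the public suffix list so that 'example.co.uk' works)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def _host_in_text(text: str) -> str:
    m = _HOSTLIKE.match(text.strip())
    return m.group(1).lower() if m else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings: list[str] = []

    sender = msg["From"].addresses[0]
    display, addr = sender.display_name, sender.addr_spec
    from_dom = registrable(addr.rsplit("@", 1)[-1])

    # Trick 1: a legitimate-looking address placed in the display-name field
    if "@" in display and registrable(display.rsplit("@", 1)[-1]) != from_dom:
        findings.append(f"display name {display!r} is an address, but mail is from {addr}")

    # Replies silently routed to a different domain than the one shown
    reply_hdr = msg.get("Reply-To")
    reply = reply_hdr.addresses[0].addr_spec if reply_hdr and reply_hdr.addresses else ""
    if reply and registrable(reply.rsplit("@", 1)[-1]) != from_dom:
        findings.append(f"Reply-To {reply} goes to a different domain than From")

    # Trick 2: link text says one site, href goes to another
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname or ""
            shown = _host_in_text(text)
            if shown and registrable(shown) != registrable(host):
                findings.append(f"link text shows {shown} but href goes to {host}")
            elif registrable(host) != from_dom:
                findings.append(f"link to {host} is outside the sender's domain {from_dom}")
    return findings


# Constructed samples; every domain below is a placeholder.
LEGIT = """\
From: "Example Corp Billing" <billing@example.com>
To: jane@example.com
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://portal.example.com/statements">portal.example.com</a></p></body></html>
"""

PHISH_LINK = """\
From: "Amazon.com" <alerts@mail-secure-login.example.net>
Reply-To: accounts@mail-secure-login.example.net
To: jane@example.com
Subject: Action required: your order is on hold
Content-Type: text/html; charset="utf-8"

<html><body><p>Your order is on hold.
<a href="http://st-marys-parish.example.org/amz/login">https://www.amazon.com/your-orders</a></p></body></html>
"""

PHISH_NAME = """\
From: "security@amazon.com" <qx9@salao-de-beleza.example.br>
To: jane@example.com
Subject: Unusual sign-in
Content-Type: text/html; charset="utf-8"

<html><body><p>We noticed a new sign-in. <a href="http://qx9.example.br/verify">Review activity</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("link", PHISH_LINK), ("name", PHISH_NAME)):
        print(label, check_message(raw))
```

The legitimate statement passes, the "order on hold" message is caught because its link text claims amazon.com while the href goes to a completely different site, and the "unusual sign-in" message is caught because the display name is an amazon.com address while the real sender is not. Note that the link in the third message is consistent with its (bogus) sender domain and is not flagged on its own, which is why the From check and the link check both belong in the routine.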
Learning new things can be difficult, but this is part of the way we communicate today. Failing to learn these basic steps for identifying phishing messages is a lot like failing to recognize a red light while driving. As time goes on, employers are going to be less tolerant of staff falling for these schemes, because they absolutely can be avoided, and will start acting against those who seem unable to learn. Protect yourself and protect your company. Work with the IT professionals at your disposal to make sure you know the risks your company faces and how they can be mitigated.