Recently, a company contacted Abacus IT Solutions after it was caught in a fairly innovative scam. It cost the business tens of thousands of dollars in a matter of minutes, and we want to explain what happened and how you can avoid falling prey to the same kind of fraud.
At some point, a criminal gained access to the CEO’s email account. Once they were able to log in and send messages, they contacted the CFO requesting that a wire transfer in excess of $50,000 be sent to a supplier. The details for the transfer were included. The email from the CEO seemed authentic.
The CFO, wanting to do his part to keep the business running smoothly, complied with the request (which, for this company, didn’t seem incredibly unusual). It was not until later that they noticed the account did not belong to a supplier the company did business with, that the account was at an overseas bank, and that a theft had taken place.
Looking at what happened from an outside IT perspective, a few things stand out:
Keep Emails Safe
Requests like this could have come not only from the CEO, but also from other members of an executive team. It is important to note that these kinds of digital break-ins can occur as a result of weak passwords or from poor internal password security (e.g., email passwords being shared with staff members who don’t need them, or people posing as IT professionals).
Most companies need tighter email controls, and this is a good example of exactly why.
There Is No Quick IT Fix for This Problem
The interesting thing about the situation is that there is no instant fix to the problem. Aside from tightening controls on email, there is not a good way to stop these kinds of messages from going back and forth because the majority of them could be quite legitimate.
So as technology services consultants, we want to point out that these kinds of scams are taking place, but also encourage companies to look within for solutions. That brings us to our last point…
Now Is the Perfect Time to Change Your Processes
The real problem in this case wasn’t necessarily that the email account could be accessed, but that it took relatively little effort for the thief to have this money wired to their account because of a lack of oversight. With a quick phone call, or just a check that the wire request was legitimate, this theft could have been prevented.
So rather than looking for a complicated and expensive technology-based solution to this kind of vulnerability, we advise you to look carefully at your email passwords, ensure that you have a process-based policy in place that prevents sharing passwords, and enact stricter controls over wires and other financial transfers, such as dual authorization (similar to requiring dual signatures on a bank check).
Taking these steps might not be as simple as installing a firewall or software patch, but they are more effective in the long run. Don’t make it easy for criminals to convince you to send them money when a quick review of your internal processes can easily prevent it.
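As an added illustration (not code from Abacus IT Solutions or the company involved), here is how the controls described above, dual authorization above a threshold, a check against the supplier file, an overseas-bank flag, and an out-of-band phone confirmation, can be encoded as a release check on a wire request. The supplier file, threshold, account numbers and mailboxes are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class WireRequest:
    requested_by: str            # mailbox the request came from (e.g. the CEO's)
    approved_by: Optional[str]   # independent second approver, or None
    beneficiary_account: str
    beneficiary_country: str     # country code of the beneficiary bank
    amount: float
    callback_confirmed: bool     # confirmed by phone on a number already on file

# Constructed supplier master file and policy values (hypothetical, not real data).
KNOWN_SUPPLIERS = {
    "Acme Parts Ltd": {"account": "GB00DEMO00000001", "country": "GB"},
}
HOME_COUNTRY = "GB"
DUAL_AUTH_THRESHOLD = 10_000.0

def release_checks(req: WireRequest) -> List[str]:
    """Return every reason the wire must not be released; an empty list means OK."""
    problems: List[str] = []
    known_accounts = {s["account"] for s in KNOWN_SUPPLIERS.values()}
    # The scam beneficiary was an account the company had never paid before...
    if req.beneficiary_account not in known_accounts:
        problems.append("beneficiary account is not on the supplier file")
    # ...and it sat at an overseas bank.
    if req.beneficiary_country != HOME_COUNTRY:
        problems.append("beneficiary bank is overseas")
    # Dual authorization: a second person, who is not the requester, must approve.
    if req.amount >= DUAL_AUTH_THRESHOLD:
        if req.approved_by is None:
            problems.append("dual authorization required above threshold")
        elif req.approved_by == req.requested_by:
            problems.append("approver must be a different person from the requester")
    # Anything large or unusual is confirmed out of band, never by replying to the email.
    if (problems or req.amount >= DUAL_AUTH_THRESHOLD) and not req.callback_confirmed:
        problems.append("request not confirmed by phone call to a known number")
    return problems

def is_releasable(req: WireRequest) -> bool:
    return not release_checks(req)

# The request from the article, reconstructed with placeholder values.
SCAM_REQUEST = WireRequest("ceo@example.com", None, "XX99DEMO99999999", "XX", 50_000.0, False)

if __name__ == "__main__":
    for reason in release_checks(SCAM_REQUEST):
        print("HOLD:", reason)
```

Run against the reconstructed request, the check holds the wire for four separate reasons; any one of them would have been enough to prompt the phone call the article recommends.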
Looking for a great IT team to help identify threats and keep your company running smoothly? Contact a member of the Abacus IT Solutions team today and see how we can help.