The priest of a Catholic parish in Ohio recently had to explain to his parishioners how his church had lost $1.75 million. In a letter to his flock, Father Bob Stec explained what had occurred: how, overnight, nearly $2 million had disappeared from their coffers.
The church had been undergoing renovations and working with a construction company. The church wired out $1.75 million under the belief it was sending the money to the construction company to pay for the renovations. In reality, the payments had been sent to a fraudulent bank account where the money then vanished.
Hackers had broken into the church’s email accounts and tricked its staff into believing the construction company’s wiring details had changed. The staff, after changing the wiring details, wired the money to the hackers instead of the construction company, and poof, $1,750,000 was gone. This scam is called Business Email Compromise (BEC). It’s common and it’s devastating.
Organizations across the world have fallen for this type of attack. Losing millions of dollars is shattering to any type of organization, especially a mid-sized company. This is why it is so fundamental to think before you send.
When you send out any information in an email, you have to understand that you may not be sending it to the person or entity who you think you are. Often cyber criminals “spoof” individuals or organizations to trick a user into sharing personal or financial information. They also may attempt to trick a user into downloading an attachment or clicking on a link to infect a machine or network with malware that can lock down files, spy on user activities, or steal information.
Ground zero for all of this digital combat is the email inbox. It’s where you, as a user on a digital network, are most vulnerable. Therefore, it is where you must remain most vigilant. This is where the bad guys will try to work you.
Here are some ways to help you ensure that you will not fall victim to these types of social engineering or spoofing attacks:
Think Before You Send: Before you send any sensitive personal or financial information in an email, you need to ask yourself some important questions. Why is the person requesting this information? Is this information they should have access to? Can I speak to them to verify that they indeed need this information? This is especially true with any financial information. If you are going to share a bank account number, wiring number, credit card number, or social security number, you need to make sure you have made the effort to verify that you are indeed sending the information to the correct person, and that they actually need this information for a legitimate purpose. This can be done by picking up the phone, sending a text message, using an alternative communications platform such as Teams or Slack, or walking down the hall and asking. This is a second-factor check. It helps you ensure that neither their email nor yours has been compromised, and that the person on the other end of that send button is not a cybercriminal.
Also, if you work with an organization’s banking or financial information, when you are asked to change that information (such as direct deposit or wiring instructions) you must be absolutely certain the request came from a legitimate party. Even our organization often gets spoofed emails asking those in accounting to change the direct deposit information of our employees. If you were to send an employee’s two weeks’ pay not to the rightful employee but to a cybercriminal, well, that makes for a bad day for everyone, except the cybercriminal.
Hang Up the Email: Let’s say you get a phone call randomly from someone claiming to be your bank. This person tells you there is something fishy going on with your account. The caller says he can fix the problem, but first he needs to verify your identity. Therefore, you must share your account number with the caller. Most people understand that in a situation like this you do not share your information. You hang up the phone and call the bank back after locating its legitimate contact number.
This is very similar to an email. If you receive an email asking you to share information, whether personal, financial, or account details, do not share the information by directly responding to the email. Instead, hang up the email, as you would the phone, and find an alternative way to communicate with the organization requesting the information. This could be by navigating to the organization’s website or calling them on the phone. This is especially true of passwords. If you receive an email requesting you to change your password, don’t change it via a link in the email. Go to the provider’s website and change it there.
Think Before You Click: Links are one of the most dangerous things in an email. They’re the phishing bait. Email providers have gotten better about recognizing bad links, but it’s not a perfect science, and the bad guys are always evolving. That’s why it is important to take extra care when you click on a link in an email. Before clicking on a link, hover over it with your mouse. This reveals the actual destination, which can differ from the text that is displayed, so you can be sure the link goes where it is supposed to. Also, if someone shares a link with you and it seems off, it very well could be. So, err on the side of caution. Find an alternative way to reach out to that person and ensure they did indeed send you the link.
Think Before You Download: Like email links, email attachments can be bad news. Zip files, Word documents, Excel spreadsheets: all of these can be loaded with malware. So, when you are downloading any type of attachment, just take a moment to consider whether this attachment is something you should be receiving and one you should be opening. When we get busy, that’s when we make mistakes. So, slowing down and taking a breath before completing an action in an email (clicking on a link, downloading an attachment, sending sensitive information) can help to ensure we don’t make mistakes.
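The two checks above (does the link really go where its text says, and is this attachment something you should be opening?) can be automated for a first-pass triage. The following Python script is an added example, not code from the original article: it pulls every link out of an HTML email body and flags those whose displayed URL or domain does not match the real destination, and it flags attachment names with risky or double extensions. The sample email body, the attachment names, the `RISKY_EXTENSIONS` list and the crude last-two-labels domain comparison are all assumptions made for the example.

```python
"""Flag two email red flags: links whose visible text points somewhere other
than their real destination, and attachments whose name suggests an executable
or archive payload. Example code, not from the original article; the sample
email body and attachment names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Types the article calls out (zip, Word, Excel) plus common executable and
# script types. This list is an assumption for the example, not a standard.
RISKY_EXTENSIONS = {".zip", ".rar", ".7z", ".exe", ".scr", ".js", ".vbs",
                    ".bat", ".ps1", ".doc", ".docm", ".xls", ".xlsm", ".iso",
                    ".lnk", ".html", ".htm"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude comparison key: last two DNS labels (no public suffix list; assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Return the host if the visible text looks like a URL or bare domain, else None."""
    candidate = text.strip()
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", candidate, re.I):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def mismatched_links(html_body):
    """Links whose displayed URL/domain differs from where the href actually goes."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = urlparse(href).hostname
        shown_host = host_of(text)
        if real_host and shown_host and \
                registered_domain(real_host) != registered_domain(shown_host):
            findings.append({"shown": text, "actual": href})
    return findings


def risky_attachments(filenames):
    """Attachments with a risky extension, or a double extension like x.pdf.exe."""
    flagged = []
    for name in filenames:
        lowered = name.lower()
        ext = "." + lowered.rsplit(".", 1)[-1] if "." in lowered else ""
        if ext in RISKY_EXTENSIONS:
            reason = "double extension" if lowered.count(".") >= 2 else f"{ext} attachment"
            flagged.append({"name": name, "reason": reason})
    return flagged


# Constructed sample: a "changed wiring instructions" lure with one deceptive link.
SAMPLE_BODY = """
<p>Our banking details have changed. Please review the updated wiring
instructions at <a href="http://bank-secure-login.example.net/verify">https://www.example-bank.com/wire</a>
and confirm via <a href="https://portal.example-bank.com/login">portal.example-bank.com</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["Updated_Wiring_Instructions.pdf.exe", "invoice.pdf",
                      "renovation-photos.zip"]

if __name__ == "__main__":
    for hit in mismatched_links(SAMPLE_BODY):
        print(f"LINK MISMATCH: shows {hit['shown']!r} but goes to {hit['actual']!r}")
    for hit in risky_attachments(SAMPLE_ATTACHMENTS):
        print(f"ATTACHMENT: {hit['name']} ({hit['reason']})")
```

The script only applies the mismatch check when the visible text itself looks like a URL or domain; a link whose text is just "click here" is not a mismatch, it is simply a link you should hover over before clicking. The domain comparison deliberately ignores subdomains so that `portal.example-bank.com` displayed against `https://portal.example-bank.com/login` is not flagged, while a display of `www.example-bank.com` over a destination on `example.net` is.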
Finally, we’re human, and we’re fallible. We are going to screw up. It is important to be honest; if something happens, don’t try and hide it. Being open and reporting incidents can help speed up mitigation. It can save the organization from unnecessary damage. Don’t cover it up. Report it.