Cyber Savvy
A successful cyber-attack has taken your company off-line. The FBI and CISA have been contacted. What now? As you know, if this hasn’t already impacted your business (either directly or indirectly), it will.
How can you make yourself a harder target, mitigating against cyber-attacks? What does all the terminology mean and why does it matter? What happens if an attack is successful?
Join DTC, Inc. as we outline, in a straight-forward manner, many of the issues surrounding cyber security which directly impact business owners. Our Cyber Savvy podcast episodes feature Mike Shelah as he brings in a new guest each month.
New episodes will be posted twice a month on the first and last Thursday, make sure to follow and subscribe wherever you listen to your podcasts, so you don't miss new content!
We would love to hear from you! Please send us your comments and questions to: AskUs@DTCtoday.com
Cyber Savvy
Phishing
In recent decades we have seen the number of computers and mobile devices multiply greatly making phishing scams incredibly lucrative. Phishing attempts are often the first step to more invasive and damaging attacks in which individual and corporate data is compromised. Join Andrew, Mike, and special guest Scott Leister, Director of Technology from DTC, as they discuss the many clever ways cybercriminals may disguise correspondence as coming from familiar and reputable entities in the attempt to access private information.
Scott Leister has more than two decades of experience in the MSP space, serving as a senior technician at DTC. Much of Scott’s career has been dedicated to enhancing security measures, driving automation, and safeguarding data for both DTC and valued clients. Scott is fully committed to constantly strengthening DTC’s systems and proactively addressing emerging threats within the dynamic landscape of cybersecurity.
Andrew Rose began a cybersecurity awareness program in 2016 while at a major agricultural bank after recognizing that the ag sector wasn’t getting the attention it needed about the risks posed by cybercriminals and other adversaries. He helped coordinate several symposiums and events focusing on the topic. He is now an independent contractor and volunteers his time to bringing cybersecurity awareness, education, mitigation, and response to the ag and food supply chain (and other special projects). His focus is on mitigating emerging threats. In addition to his experience in cybersecurity, he has a deep understanding of banking/finance, risk management, and other professional service sectors related to food, agriculture, and climate.
Michael Urbanik is an Account Executive with R.K Tongue Co., Inc. and is licensed in both Life & Health and Property & Casualty Insurance. He has experience working with both large and middle market commercial clients. He enjoys helping his clients understand the risks they face and develop cost effective plans to successfully mitigate and transfer these risks.
Did you enjoy today’s episode? Personal experience to share? We here at DTC, Inc. would love to hear from you! Please email us your comments and questions at AskUs@DTCtoday.com.
What will cybercriminals do with the stolen data they obtain from phishing scams? On our next episode Andrew and Mike will be discussing one of the possibilities, Cyber Extortion.
Looking for more cybersecurity related content? Check out DTC’s blogspace to read more!
Want to hear more? Past episodes are all posted, including on YouTube! Follow and subscribe on your favorite podcast app to ensure you don’t miss out on the conversation!
[INTRO MUSIC]
[00:00:06 Andrew Rose] Welcome to Cyber Savvy. This podcast was created by DTC to bring awareness, mitigation and response to cybersecurity threats companies and organizations face daily. Be prepared. Be cyber savvy.
Welcome to our podcast today. This is a very important subject of phishing, and if you don't know what phishing is and you haven't been a victim of phishing, trust me, you will be.
My name is Andrew Rose. I'm here working with DTC, the premiere elite managed service provider for discerning clients. And I've been joined today by Mike Urbanik from R.K Tongue, who is an elite risk management company that helps provide cyber security insurance and a wide variety of other business coverage policies for any type of elite business professional. And today Scott Leister has joined us, and Scott is with DTC.
And Scott, I'm going to let you introduce yourself since you're a new voice to this podcast. Who are you and what is your role with DTC?
[00:01:08 Scott Leister] Okay, well, thanks for having me. I'm excited to be here. My name is Scott Leister. As you mentioned, I am a senior technician. I've been with DTC for a little over 20 years now, so I've definitely seen the computer landscape change, especially in the MSP market over those years.
You know, back to when dial up was a novelty all the way to nowadays where you know you're dealing with gigabit Ethernet and always on connected world. So, my knowledge spans across pretty much the MSP space. Nowadays I'm less out of the helpdesk type of work and more into pushing our security platform forward. Plus, I do a little bit of development on the side just for like on the automation side just that help eliminate some of the day-to-day issues.
[00:01:58 Andrew Rose] Well, I mean, I think you're a little bit humble there, too. I mean, 20 years experience working in MSP, crossed quite a few bridges and probably built more than- more than I can count, that's for sure. And Mike, who are you, what is R.K. Tongue, and I'm sure our listeners are enthralled with you guys anyway, but it's always good to remind them who you are.
[00:02:15 Mike Urbanik] Yeah, absolutely. Great to be here, as always. R.K. Tongue is a generalist insurance broker, we’re 100 years old. Work with all types of industries and clientele with a specialization in those in the medical industry and white-collar professions.
Cybercrime is very important, and we have a passion for it because it is by far the fastest growing risk segment we see for our businesses. And time to time again, we're the ones on the end of the phone getting the call saying, “Hey, I had something happen, do I have insurance for it?” And sometimes we get to say yes and sometimes we have to say no. And that's why we're really trying to champion this education campaign to get people to be aware. What is the risk? How large is it, and what do you need to do to stop it and prevent it? So, that's who I am and who we are and our piece in all this.
[00:03:07 Andrew Rose] Well wonderful, we're so happy to have you as a partner in this as well and I appreciate all the work you've done, the research behind the topic of phishing. And based on the presentation on the history of cybercrime, I am just going to sit back and enjoy this conversation between you and Scott about phishing. From time to time, I might interject a question or comment, but for the most part, I’m going to let the two of you have this conversation. Enjoy.
[00:03:28 Mike Urbanik] Yea perfect. So, Scott we see phishing as easily one of the largest and most prevalent types of cybercrimes hitting our businesses. I would say it is the tip of the spear or maybe the first starting point where eventual crimes can flow and begin.
You know, phishing for those who are not familiar, it is essentially a cybercrime that leverages deceptive means; emails, text, phone calls, anything and everything, a communication channel to attempt to trick someone or impersonate someone and get an individual to share credentials for their computer.
What they're trying to get a hold of is really just the key, the key into the door, because once they get inside, they can figure out is this account, is this business worth my time? And almost always the answer is yes.
A lot of people are going to receive phishing attacks from many different sources. One of the biggest ones are emails. And you know, “what do they look like?” is pretty common question we get asked. The answer is they can be infinite and varying in what they look like depending on your business segment, the type of clientele you work with, but they're often going to have a couple of trademarks that you want to look for.
One is going to be the email they come from. It's not going to be correct. The bad guys probably cannot get a hold of what Bank of America's email looks like directly, so they are going to make something pretty close. It might say Bank of America with a lowercase ‘A’ or a different phonetic ‘A’, or the at return might not be @BoA, it might be @Comcast.
So, there's going to be a couple tricks that you can do to look at who it's coming from. A lot of times these are going to hide who is the sender. It's not going to say from MattSmith@BankofAmerica, it's not going to have a legitimate person connected to it. It is going to say undisclosed recipients, or it's going to hide that at all because you are part of a big blind CC chain mass mailer.
So, it's not going to look like it's come from someone specifically on a low-end attack. Certainly, some who are doing some very identified attacks and they have identified who your banker [is], might make it in true impersonation and do some cyber impersonation of who that person is to get you to lower your guard. But usually these are low barriers, blast off.
And then what are they going to ask for? You know, they're going to ask for pretty questionable things, but they might not seem all that questionable at times. And I'll give a personal example, but in a Bank of America, they might put a link that says, “Hey, sign in here to your Bank of America account. Your payment was overdue,” and that can be pretty believable. But other times they're going to ask for things that are just immediate cash value that they can redeem anywhere in the world. So, it might be Starbucks gift cards, it might be different types of gift cards or debit cards. Common ones are iTunes gift cards.
In today's world, the easiest thing for these guys is any sort of Bitcoin or cryptocurrency, it has just put fuel on the fire because that is the universal currency for any of these bad guys. It doesn't matter where they are, where the end user is, that money flows pretty easily. So, anything asking for crypto or to be paid in crypto is a pretty big red flag. Most people in most businesses don't deal in that interchange or monetary currencies. So, you know, keep those with a big red flag.
So those are some of the big things to look at. You know, who is it coming from? What is it titled? Who is the actual sender and what is the contents of the email? Does it look like the normal Bank of America, or your client email, or your vendor email? Are there red flags or signatures put in the right spot? Take a minute to look at these things. Check any links they might ask for in any type of immediate payment means, whether it's debit cards, or cryptocurrencies, or egift cards. Those are immediate red flags.
[00:07:44 Scott Leister] Yeah, you really covered the gamut there. I don't really have too much to add to that.. Other than to say that, you know, sometimes on like a bank account email, a phishing email - you mentioned about update your financial information or your payments overdue, or they'll send you the message that your account is locked, “log in here” just trying to steal those credentials from you..
Or sometimes on the other end, it's they're offering you free stuff just like, “Hey, you won this lottery!” or, “You won this!” “You're eligible for this refund, just click here!” and then it's the oh, then you get the bait and switch, which, “Oh, just send us $100 and then we can give you your $10,000 that you won!” type of thing. And then, which usually they ask for in the payment of gift cards or..
You don't see it too much anymore, but they used to always ask you to wire cash to them through like Western Union or something. But now with gift cards and stuff, they can do it right over the phone as you're there and they don't have to wait for you to run down to the store or down the, you know, 7-Eleven or something to wire money.
But yeah, some other things that look for are just like generic greetings. It's from your bank. You would think they would be able to address you by name and know who you are as opposed to, “Dear Customer” or something along those lines. That's something to look out for.
And also you mentioned that the email address on the from. Well, sometimes they can do a pretty good job of spoofing the from email address, but if you just hover your mouse over the email address, generally, it'll show you specifically what that email address is. And then usually you see it’s some randomized Gmail or something like that email address that doesn't look at all like it.
A couple other things that you can look at are, does the content of the email, the subject, match? Do they match? Does the subject what's in the email? Is there anything odd about it that just looks all those off?
Those are just some simple things that easily find a phishing email. But like you said, it's either like they're trying to scare you to act urgently, or they're trying to give you something and, or just impersonate somebody that you're using just to relax your guard and get you to send them money because it's all financially driven. It's... they're just looking for the get rich quick scheme and they'll entice with those too.
But yeah, just a couple other things that just with phishing emails is that you can look out for is: is it an expected email? Like were you expecting this email with an attachment? If not, then you know, is it a company that you've dealt with or a person who've emailed you something similar in the past? And if not, then chances are it's probably a phishing scam.
Or if it is a company that you've dealt with in such as like your bank, where you get the text or the email saying that your account is locked or there's been suspicious activity, click here. It's just... don't use the email links. Go to your known links on a separate browser outside a different computer, log in to your bank and just verify or give you your bank call and just say like, “Hey, I got this email. Is this legitimate?”
And a lot of times you'll see... even I've seen them on like my utilities, like the electric bill or the gas bill of certain scams that are floating around. Like they'll have information right on their home page about scams related to their industry that you can look out for, just to help you clue in on whether it actually is a phishing email or not.
[00:11:28 Mike Urbanik] Yeah, you couldn't see my head over what you're saying, but I was doing a lot of nodding Scott. You dated yourself a little bit with the, “click here to redeem your prize” I also remember those websites I would visit with a little pop up box.
You're right. Yeah. You can give away free information to these guys by thinking you're going to get something in exchange and then you talk about common vendors being impersonated, Amazon's a great one. I think all of us have probably seen at some point, “Hey, we tried to deliver a package and you weren't available,” or “missed package, click here to let us know you want to redeem it,” or “click on this link for us to redeliver”.
Well, everyone expects Amazon packages probably every week at this point, so that's a pretty common one that you can fall for. But you know, had you gone on to your Amazon account, or taken a second to call your bank and actually speak with someone, that is a great way to circumvent these little tricks and mechanisms these bad guys are using to get a hold of you.
[00:12:30 Scott Leister] Yeah, it's interesting you mentioned Amazon because a few years ago... Now we've used Dell servers and usually we always buy direct. Well, the one day just popped in my inbox was a receipt for a Dell server through Amazon. And my initial response is why are we ordering servers from Amazon? So, I went and I started looking at the email and I mean, it looked like a legitimate bill, a legitimate email from Amazon.
And I was like, this is just bizarre. And I was about ready to go up. And then I noticed that instead of Amazon.com, it was Amazons.com was the was the sending email. And I was like, okay, that tells me where it's coming from than. It's a phishing email. But I mean, it looked legitimate. There was nothing on there outside of the send email address that you couldn't determine.
Now we actually use link filtering in our email service, so it obfuscates all the links so it changes the name. So, just checking that we can't tell where the links go to just by hovering over them because it goes to our third party service that will analyze those links once you click on it. So, that was an option out for us. But yeah, it's definitely interesting. They will definitely use Amazon as a phish because the majority of people use Amazon to buy stuff.
Spear phishing is actually one of the types of techniques that they use. There's plausible techniques that they use, but the easiest one is just pretty much a spray and pray approach where they just randomly send out mass emails just hoping to catch a fish. Somebody that clicks on a link or downloads a file or enters, you know, their credentials for a service that they think is legitimate coming through.
And, what they try to do is they use social engineering techniques, which are one... usually it's one or two ways. It's try to impersonate a service or a business that you deal with to get you to relax your guard and just click the link. And then the other technique that they use as they try to scare you.
They will tell you like send an email stating that your account is locked for your bank, and if it just happened to nail the right bank, you're terrified that- “What happened to my bank account?” or, you know, there's been a suspicious charge that you want to go and investigate so they'll terrify you.
And then obviously it's obviously successful, which is why they keep doing it. And that's more or less what you see on the spray and pray.
Now, unfortunately, probably everybody's information out there floating around somewhere on the ominous dark web. There's been so many data breaches over the years, and that's just a reality we have to come to expect, and all we can do is just be vigilant and try to, you know, protect ourselves against that. But with that data breach comes the knowledge and databases that these criminals will buy.
Then that way they have specific people within organizations that they can target with specific information, which makes their campaign a little more effective because they can impersonate the CEO, the CFO, somebody who's a high ranking individual, because we have seen instances, you know, even in our company where the CEO impersonation has gone further than I would have liked.
Thankfully, we weren't susceptible to that. But it proceeded past step one, which is terrifying. And you also mentioned about the gift card scheme. We've also seen that in our industry, which is going past step one, which is also very terrifying.
So those are just like some of the techniques that they use. Just, you know, it's like I said, just to try to scare you or to make you feel like it is urgent that you act now.
[00:16:36 Andrew Rose] You raise some of the spray and pray there and it struck a chord with me.
I opened my business banking account at M&T Bank and I was waiting for my credit card to come through and all the rest of stuff. I got a text message from M&T bank saying there was a charge on my credit card or something went awry. And I'm like, how did they get that, THAT quickly before I got my credit card? And, I contacted M&T bank and it was a spray and pray, but was sent through text. It just, for me again, like you said, it was the timing. That was MY bank, I was waiting for something, and now there's a problem there. That's something I need to pay attention to.
So that's a real salient point. So sometimes that spray and pray, yeah, but it hits their targets every once in a while as well.
[00:17:16 Mike Urbanik] Yeah, I completely agree with Andrew. You know, as a person living in the year 2023, you know, I have social media apps and I see messages sent to me, “Sign up here to learn about Bitcoin courses.”
And some are pretty lowbrow, you know, they're very benign and I think we all are relatively aware of what phishing is. And we all, I think, think to ourselves, “Hey, I'm smart enough not to fall for that.” And sometimes we can easily detect those. But Scott, to your point, the sophistication for these attacks, it honestly impresses me.
Sometimes I think I've seen it all and then I see something even more creative. And it can be to Andrew's point, I've seen emails where they have found what a bank's email platform looks like.
They will copy it to the T, they will create a fake LinkedIn account or a fake personnel at that bank, and they will start emailing businesses, soliciting potential bank accounts and redirections of monthly fees owed into the point that you think you are interfacing with the bank, that you think you are interfacing with a real person there.
So, everyone on the end of this podcast listening, if you're thinking, “Hey, I'm smart enough to catch these attempts”, humble yourself a little bit. These bad guys are infinitely crafty, and they will use infinite channels available to them.
And all it takes is one time because it's low energy, low effort to create these emails and then just blast them out to all the email addresses they found online for free or purchased on the dark web or telephone numbers and all they need is a few hits to make it more than cost effective for them.
So, just take a second look at everything and go a little slower because these bad guys are very, very crafty, especially if you're a business owner.
[00:19:09 Scott Leister] Yeah, and that's an excellent point. There's just two things I would add to that:
Number one is obviously this cyber attacking and ransomwareand stuff. They have almost legitimized those that they are business organizations now, so they function like a business. So, that's what it's up against. It's not just some shady guy in his basement anymore. It's actual organizations.
And the other thing that I love your point about being too smart. Even I am susceptible to the phishing emails. There was, we had an example shared with us that we knew it was a phishing email, but we had to figure out why it was a phishing email. And the only thing that determined that, was the characters for the letter ‘A’ were in the Cyrillic alphabet and not the ASCII. And you look at it and you see an ‘A’ but it's not the correct ‘A’ to indicate that yeah, this is malicious. So yeah, they're very wily so to speak to, to get around just standard perusal.
[00:20:16 Mike Urbanik] So, we just established even the professionals in the room can struggle with identifying these. Are there tools available to us to help screen emails and maybe cut down and filter out the amount of phishing attacks that even hit you, right? Is there a wall or a barrier that could be put up?
[00:20:36 Scott Leister] Well, there's basically spam filtering, which will do some phishing filtering for you.
Unfortunately, it's a give and take game. It's like as you get smarter and the spam filters get smarter, the bad guys get smarter, too, as they develop ways around the spam filters. So you do see that.
Now, another add-on to spam filter, which is always nice to see, is if there's like link protection in that spam filter as well. So that way, it goes through like a third-party service that actually analyzes each link that comes through your email, just in case you accidentally click one. And then, so you have another validation there just on that those links are legitimate and not going to some malicious site.
Plus there's other email options that you can do just to prove who you are, like DMARC and DKIM are different mail technologies that you can implement just so that way you can prove, you know, who you are. SPF records also go a long way towards that as well.
And I was just also going to add that any kind of endpoint protection that you can run also just in case it gets by everything else, at least one last line of defense there at your endpoint as well.
[00:21:53 Mike Urbanik] So Scott it sounds like there are technological devices that can be put in place to obviously help and reduce this.
Yeah, it sounds like it's a bit of a nuclear arms race between the quote unquote good guys and bad guys. As the tools develop and they understand what tools they're using, then they update the systems, then they develop something new and creative, gets it out there, they find out about it, update the system.
Totally understandable. Well, let me ask you this, though.
It sounds like there's a huge human element involved here as well. What do you have… what do you recommend clients do to find training or make themselves better or more aware of the avenues that they could be susceptible to these phishing attacks?
[00:22:36 Scott Leister] Well, the easiest thing to sign up for, and usually if you're a service provider, will generally have one. We're actually in the process of rolling one out now. It's pretty much a phishing campaign where it just randomizes emails to everyone in your company that will just send test phish emails and then it'll just collect that data.
And what's nice about it then, is on the receiving end is anybody that falls for these phishing campaigns get a nasty email back, you get a nice surprise of cybersecurity awareness training, or you get like short little videos like, hey, you fell for this trick! Here are some tips and tricks that you can go through, and they do them kind of like fun scenarios too. And they're usually not long, just to help educate the end user a little bit more about things that they can look out for within phishing emails.
[00:23:30 Mike Urbanik] Yeah, that vulnerability test I think is honestly a brilliant idea.
What I found when working with business owners and businesses is of course we deal with the owner and the CEO, the C-Suite to develop the insurance and risk transfer programs, but they are often not aware of how much access their employees have to their own computer systems.
So, while the C-Suite and the owners might really care about protecting their business and their assets, an employee - no fault of their own, just might not be aware of cyber risk or carry this passion as much as them.
So, should they become compromised, would be just as bad as if the owner was compromised. So it's a great tool to check, hey, who in my organization might be leaving that door unlocked or fall for these?
Because it doesn't matter where the bad guys get in, if it's the owner's email or log in or the front desk, it can just be equally damning and damaging to that business. So, I love that idea.
[00:24:28 Scott Leister] Yeah, you're correct. I mean, I've seen entire networks get ransomware based off of just some odd computer that somebody checked their personal email one time. And you're right, all it takes is one entry point and then the whole system is compromised.
[00:24:43 Andrew Rose] Well, that's where the MSP comes in, right?
I mean, it's not the fire alarm you want. You'd rather have the... everything running smoothly and you're taking care of the updates and patches as it is. But once that ransomware attack or the phishing attack occurs and the rest of the attack has been executed, it starts to move laterally.
That's when the firefighter has come out, right?
[00:25:02 Scott Leister] Yep. That's when you hope you at least have some monitoring and technology in place that at least try to head off or at least alert somebody that, hey, something's going on to cut it short if possible.
Or at least investigate why it happened and what happened and where it came in at. So, when you do recover, you can prevent that same incident from happening in the future.
[00:25:23 Mike Urbanik] Yeah, exactly to your point, Scott and Andrew. And we'll talk about those concepts in the future episodes. Data breach, Malware, some of the more pervasive and bigger issues that can stem from phishing attacks.
But phishing is the first point. The bad guys want to get in, they need the chink in the armor, and most oftentimes it's not how sophisticated your antivirus is, it's not how sophisticated your computer systems are. It's how good are the people using your computers and how susceptible are they to being tricked? They're really leveraging that human element. And once they leverage that and use it correctly and get that log in, then the floodgates can open, and the real problems can occur and other issues develop.
And again, we'll talk about those. What is data breach? What is malware? What are the IT solutions that can help with those and remedy those issues which are far larger? But it all has to start somewhere and it's phishing. And this is why we are really passionate about preventing this because should you stop this first step, you prevent everything else down chain and we find, yeah, it's part IT, but mostly it's humans.
[00:26:38 Andrew Rose] Why is it so pervasive?
[00:26:41 Mike Urbanik] Well, I found the reason it's the most pervasive, and why is the first point, is the barrier to entry is very low.
All you need is a computer, a phone number, and you could develop your own phishing email relatively easy. In a few hours, you could put something together, make it interesting, put a link that you want people to click on and just start blasting it out there.
So, it's very easy to enter this, you don't have to develop a virus.
You know, I'm certainly have no idea how to code, but I can develop an email to entice people to click on it pretty easy. And should I get some login credentials or some emails and passwords impersonating a Microsoft employee... You know, Scott mentioned earlier, there's a whole market - there's an economy for these businesses.
So, I could sell that to another hacker who now wants to go on to that and download the malware.
There are links and steps in this process for multiple businesses to exist, and that's why I find it’s most pervasive. It's the easiest to get into. It takes relatively no IT or technical skills, and you can be very effective and make a lot of money as a bad guy just blasting out emails or text messages to businesses.
[00:27:56 Andrew Rose] Scott, quick question for you.
I know that on my Microsoft outlook, when I get a suspicious email or one that I know is a phishing attack, there's a little fish I can press report there and I know it deletes the email my inbox. What happens? Where does that report go to? And is that common that most email services now have that anti or that reporting of the phishing attempt button for folks to push?
[00:28:20 Scott Leister] Yeah, they do because that helps who's ever running your service to improve their techniques and their heuristics to actually look at what got through. So, it's always best to report spam.
There's even like third parties out there. I think it's one called like the Anti-Phishing Working Group. If you get a suspected phishing email, you can find them on Google and just forward your phishing email over to them. And they're in the business of stopping cybercriminals, but always report spam as you see it, because guaranteed if you get one, you're going to get a lot more.
And it's usually like in campaigns where you see a bunch at a time. So, if you start reporting all of those, then your spam filters and your email protection services can learn and they can get better and then they can start, you know, preventing that from getting through and protecting at least against one attack vector.
[00:29:23 Mike Urbanik] Well, hopefully at this point people are aware of what a phishing attack is. Some of the avenues and channels they can come through. And I think we might have been doing a little bit of a disservice with talking about Amazon.
While it's very relevant, it makes it seem small. Your little package, what are these things and people might be thinking at this point might, you know, that wouldn't be that big of a deal if it hit me. I wouldn't get compromised too much.
But all they need is that chink in the armor for some major damages to come downstream. And I'll just give you a couple examples.
So, back in January 2016, there was an Australian aerospace parts manufacturer. There was a phishing email that went out to the employees of the business and the phisher was impersonating the CEO of the company. And he asked for them to do a parts acquisition and someone in the building, an accounting department authorized a $42 million fraudulent transfer based off that email.
So, if you think these are small potatoes; someone got in, found the CEO's email, sent a legit email over to the billing and accounting department, and they thought it was legit. It looked legit and they did the parts acquisition per what they were told and transferred $42 million to the wrong person. And let me tell you, once that money gets sent, it pretty much evaporates into thin air. There's not much recourse for that.
They're...major, MAJOR corporations who you think are incredibly sophisticated and big players in the tech world. Facebook, Google, Sony, all of them have been hit and taken basically to the cleaners.
Now, it didn't bankrupt and luckily they're huge businesses, but Facebook and Google were receiving fraudulent invoices from someone they thought was legitimately doing business for them. And he was sending fraudulent invoices he found through phishing mechanisms. Who the vendor was supposed to be, put together, invoices and sent them over and their billing departments were just paying them.
And that's cybercrime, and it all stemmed from phishing. And I think the total amount these guys paid out to this guy was to the tune of $90 million. So, all of that could have been prevented had they really stopped the phishing at the beginning, not getting their credentials out. They're not letting someone impersonate their email, not clicking the wrong link.
So, yes, these things have small beginnings in the sense that it could be something as benign as, “click here to redeem your prize,” or “click here, you missed your Amazon package”. But once your information's out there, the bad guys can do a lot of damage with it downstream. And yes, there's monetary damages, but there can be colossal reputational damages.
We've had clients who have been victims of phishing scams. The bad guys have gone in, figured out what their bills and invoices looked like, changed the account number on the emails, and then been sending them out to the business's REAL clients. And their clients were paying, but they were paying the wrong person.
All of those damages started from phishing. Someone let them in and let them understand what their accounting system and their invoices looked like. And so, yes, there's financial damages. Hey, the business lost money and they couldn't really go ask their clients to pay twice. That certainly wouldn't be fair to them. But also, the clients lost faith in the business that they were dealing with someone who had their act together.
It really kind of can be a gut punch and hurt you in more ways than one. So yes, these things have small beginnings, but they can be major problems downstream.
[00:33:06 Scott Leister] Yes, certainly. And even for like a lot of those companies report due to regulations and other models that they need to report those big breaches.
But, you know, it's like the common people… How many do not say anything, or report anything, and just accept that personal loss? It might be a few hundred dollars, but on the other end, if you get enough people giving you a few hundred dollars, that adds up pretty quick.
So, it certainly is… I mean, I had [the] company my wife works for they had one of their staff members have their email compromised, and they started sending out phishing emails from that email account.
So, it's a legitimate person. It's come and it I actually received one and I asked my wife was like, “What is this person sending me emails?” It's like I never e-mailed with this person before. I knew, I knew who it was, but I didn't know. Well, thankfully, more people started calling and asking, “Why are you sending me this email?”
It's like, is it okay to click on this link that's in here? And they were able that the IT was able to step in then and cut it off to find out that, yeah, the account was compromised. So, then they could take the necessary actions to correct that.
But yeah, it's just one of the key things you do is just be vigilant. Just… I suspect every email coming in, if it has a link or an attachment that it's probably phishing. Even if it is legitimate, it's like I want to verify that it actually is legitimate, and just like one of the ways you can do that is what the recipients did in the incident at my wife's company is just call the sender.
So like, hey, did you send this to me? Is this legitimate?
It's a simple thing to do, but at least you're protected from wreaking damage or havoc or losing some personal information or financial information.
[00:35:00 Mike Urbanik] Yeah, and we're certainly not trying to be fearmongers, but we are trying to scare people a little bit.
You know, live with a healthy level of skepticism when dealing with these communication channels on the digital platform because they are the primary means through which the bad guys are starting their entire digital crime enterprise. It starts here.
And, you know, should you become a victim of it, yes, there's also financial damages, but it could make it harder downstream to put in proper firewalls from an IT component side.
And it can make it much harder to secure cyber liability coverage should you want to purchase it, because then you're going to have to be reporting on that application.
“Yes, I had an incident. Yes, I've been a victim of this”, and that can impact your insurability.
So, keep a healthy level of skepticism. I know that can be a fatiguing way to live, especially with the number of texts, emails, phone calls we all make. But if it looks too good to be true, chances are most likely is.
[00:36:03 Andrew Rose] And it's a numbers game too. There's a statistic out there that one out of every 30 emails is a phishing attempt. And there's another statistic that about half of all email traffic right now is spam.
[00:36:15 Scott Leister] Yeah. Wow. But that definitely puts it into perspective Andrew.
It's like, you know, I can go into our spam folder and look at the statistics and you can always tell like certain times of the day or trends for usually overnight and usually like around lunchtime or something when people have free time, or when they're most likely to check like their personal mail or something, you know, like when they wake up first thing in the morning, or at their lunch break or something like, that. And you see like the statistics.
But yeah, it is definitely eye opening at the number of emails that are actually phishing.
[00:36:51 Andrew Rose] But it's not just emails, is it Mike?
[00:36:53 Mike Urbanik] No, it's absolutely not. And I mentioned earlier I share a personal story and I have a text message…
Shortly after I joined R.K. Tongue. I'm still within- I'm going to call it the Magic Window, where you don't really know who's who and what's what at the company, you're still getting settled. We were at an event which the CEO of the company was attending, and he was… we had a number of clientele there, and I received a text from him at the event and I didn't have his phone number saved in my phone. So, it came across as a unknown number or just a string of numbers, which even to the credit of the person sending this was from the same general area, the Baltimore metro area.
And it goes, “Hey, Michael, can you get this done ASAP? I need a couple of gift cards. Here are some listed guests I want to present the cards to. How quickly can you arrange them, because I need to give them out in 30 minutes? Would you be able to provide me with the type of gift card and the amount?” And there was a list provided and then it's signed from our agency president at the time.
So very tactful text message to come across. And as a new employee wanting to please and, maybe there was a raffle that we were doing, which is a legit thing we can do at sales events, and we give out Amazon gift cards and things of that nature. It was a very believable attempt. So, I saw this.
Luckily, I've been through a number of phishing training programs. I saw that the request for gift cards seemed bizarre, even though plausible seemed bizarre. Right? So, I had luckily a phone roster that I checked this number against. It did not jive for what my CEO's number was at the time.
I called my direct appointee at the company and said, “Hey, Ed asked this of me; is this legit?” And they said, “Yeah, absolutely not.” And then they also shared that almost new- every new employee at the company received this text message at some point.
So, someone out there is specifically targeting our agency and sending this. And they know when we bring new people in, probably via our website or probably some local publication where we announce that we've brought new employees on.
So, if you thought this was a little above and beyond for the bad guy, it shows that they are putting in some energy and effort to identify people because if it pays off one time, it'll pay off more times. And it's just a numbers game.
So be aware. It's not just email, it's text messages, it's apps through social media channels, it's very prevalent. So again, that healthy level of skepticism, it might be fatiguing, but keep your armor up because it's the human element that lets the bad guys in here.
[00:39:34 Scott Leister] Yeah, that's a great story of a spear. I don't call calling it phishing that ones more smishing. Through SMS, through texting and you get phone calls to which you hear all the, the horror stories on the news these days about with AI voice impersonation now where they're trying to scare you into thinking something's happened to a loved one or something and getting you to send money to them.
They'll stoop to any means to try to get you to give up information or get your financial or get you to send those gift cards to you.
[00:40:09 Andrew Rose] There's a story of a very large company that somebody in the finance department got an email from the controller of C-Suite saying, “This account, we've changed the banking numbers, please record it and make this transfer happen.”
The employee had a failsafe and that was to call the person to voice verify and somehow, they got the phone system. I don't know if they're in the VIP or what, but they impersonate this person's voice as well and said, “Yes, thank you for calling me. Please do execute that transfer.”
And we found out about this later on. So, it's not science fiction anymore. This is this is in the wild and being used today.
So, Mike, I mean, that said, I mean, are there certain things that an individual can do? I mean, general skepticism is important. I know my wife will often come to me and say, “hey, I got this thing that our Netflix credit cards expired, to click on this link. I didn't know my Netflix credit card was attached to this or my credit card...”, and it probably wasn't. But, at least she's demonstrating skepticism, too. So, it's not just the emails, it's these texts and what have you.
But, Mike, what are a few other tips and tricks that folks can do to protect themselves?
[00:41:15 Mike Urbanik] Yeah, I would say first is that, again, that healthy level of skepticism. Think that everything you're receiving is potentially not legit. That is a great way to start the defensive system.
Be generally hesitant to share any log in information. You know, you've probably seen this before. Microsoft is not going to ask you for your username and password.
Be very careful with any information you share. If you do have to share it, you know, ask for an employee ID of the person you're speaking with. Verify that you called and contacted that person through a legitimate channel.
It wasn’t, click this phone number, call here, go to the company's website. Find the legitimate customer service number, call them.
So, conduct all business and transactions in legitimate channels. That healthy level of skepticism, verify who you're speaking with.
Then, you know, from a business owner component, if you have an employee base and they have access to your computers, which almost all do these days, make sure they're getting some level of training, you can't just expect them to do this and know this.
There's plenty of free material out there. There’s paid courses that are even better.
Make this a part of your annual training program. You have to own it if you're going to want to protect yourself and then go beyond that and work with reputable companies like DTC to put the proper tools in place and channeling monitoring systems in place. Rather to alert yourself should someone get into the system and suspicious things start happening, to cut it off at the source.
And we'll talk more about other types of attacks businesses can deal with once the phishing occurs, but you can stop a lot of things at the source by understanding what this problem is, what the bad guys are looking for, and really, quite frankly, some simple things that can be done to prevent it.
[00:43:10 Andrew Rose] And it also- just this is going to lend itself to a lot of really good articles afterwards.
So, we're going to have all kinds of to do's, definitions behind things, ways to prepare yourself, or make yourself a harder target.
So, Scott, I really do appreciate you jumping on board, and I'm looking forward to hearing your voice more on this podcast because I think that you're a natural here.
[00:43:31 Scott Leister] Oh well, thank you. Yeah, it was enjoyable, thanks.
[00:43:34 Andrew Rose] Yeah. They didn’t hire me for my voice. I'm putting that out there right now. The two of you, you guys are amazing. I appreciate that.
So, thank you very much for joining us today for this discussion about phishing with our guests, Mike Urbanik, R.K. Tongue, and Scott Leister from DTC and, I’m Andrew Rose representing DTC as well.
Our next podcast, for those of you who are breathlessly waiting to hear what it is, is on cyber extortion.
We're covering the history and we've covered phishing.
The extortion part is one that you definitely want to tune in for. So, looking forward to speaking into your ears next time at our podcast.
For more information, you can reach us at DTCtoday.com, RKTongue.com or you can email us at AskUs@DTCtoday.com.
We'd love to hear from you if you have some particular phishing stories that you want to share with us, please do. The more details that we can get about these particular attacks, the more to protect ourselves, our clients.
Thank you very much and have a wonderful week.
[OUTRO MUSIC]
[0:44:40 Andrew Rose] We would love to hear from you. Please email us your questions or comments to askus@DTCtoday.com. New episodes of Cyber Savvy are posted at the second Tuesday of every month. For more detailed information, visit our website at DTCtoday.com.
Be prepared. Be cyber savvy.