I imagine this type of message is sadly familiar:
Email from *CEO* using a non-company personal address
Addressee is the accounts payable clerk
Text: “Heading into an important meeting. Could you let me have your personal mobile number so I can WhatsApp details of a payment which needs to be placed this morning?”
You are hopefully aware by now that it would be imprudent to respond to an urgent email purporting to be from the CEO demanding that a payment is expedited. It is more than likely to have been sent by a cybercriminal and is known in the business as CEO Fraud (or Business Email Compromise). You can learn more about this in our Big Bad Wolf blog.
This email could be sent from the CEO’s actual email account (in which case the account itself has been compromised, which is seriously bad news) or from a random non-business email address masquerading as the CEO’s personal one. Either way, it’s essential that all staff with access to banking are schooled in spotting these attacks.
If you are a hacker, though, why bother coercing an employee into doing your dirty work when you can bypass the security controls altogether and give yourself access to the whole sweet shop?
How?
You get the helpful IT support helpdesk to change credentials for you!
The company information on the website is your way in. Here’s the scenario:
– Choose a business which is large enough to have an in-house IT helpdesk. (It is possible to attack an outsourced helpdesk, but it’s a great deal more convoluted, as it involves first identifying their clients, for example via the testimonials on their website.)
– Find the name of the Office Manager (from team members page)
– Find the name of the Accounts Clerk (again from team members page)
– Phone the IT helpdesk pretending to be the Office Manager and ask for the Accounts Clerk’s password and MFA to be reset because they have lost their phone while travelling. The MFA reset is the important part: a new password alone is no use to the attacker while the genuine second factor is still enrolled on the clerk’s phone.
– If possible, add jeopardy: there’s an urgent invoice that has to be paid this morning.
– If the helpdesk reads out the new credentials while you are still on the phone, you’re in. You have just been handed the keys to the kingdom, and you can enrol your own device for MFA before the real clerk notices anything is wrong.
What can your business do to protect itself from such an attack?
– Your IT helpdesk needs to be aware that such an attack is possible – this includes every technician, not just the manager.
– There should be a documented procedure covering who may request a password or MFA reset, how the request is made (ideally in writing, on a form or a ticket) and who must approve it.
– Passwords should never be divulged on the basis of a phone call, and a caller’s identity should never be taken on trust: even if the voice sounds like a known employee, their role may have changed or they may have left the company. Verify by calling back on the number held on record (not a number the caller gives you) and deliver any new credential or MFA enrolment through a separately verified channel, never to the caller on the same call.
– Building a good rapport with the Office Manager (or whoever is responsible for user security) means the helpdesk team know who normally makes these requests and how, and are far less likely to be duped by an imposter calling. As IT technicians notoriously prefer not to pick up the phone, this could be quite a challenge.
– Review the information you expose about your staff on your website and in other social media outlets, including company news. You have been told that marketing is more effective when it features people, but you could also be handing an attacker the names, roles and reporting lines they need to impersonate them.
– Consider what information you are showing on your website in general. Even a generic *enquiries@* address reveals the domain your company uses for email; if you publish staff email addresses as well, you are disclosing the naming convention, and an attacker can work out everyone else’s address from the team page. It is much safer to use an anonymous contact form.
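To show how little an attacker needs, here is an added example (not code from the original post or from Computer Troubleshooters) of the reconnaissance step behind the scenario above: it takes the addresses and team names a fictional company has published and infers the email naming convention, then predicts the Accounts Clerk’s address. The company, domain, names, roles and addresses are all constructed for the example; the list of naming patterns is an assumption about common corporate conventions. It also covers the edge case where only a generic mailbox is published, which leaks the mail domain but not the format.

```python
# Constructed sample data for this example: a fictional company's public web
# pages. The domain, names, roles and addresses are all made up.
PUBLISHED_ADDRESSES = [
    "enquiries@example-co.test",     # generic contact mailbox
    "Jane.Doe@example-co.test",      # Office Manager, shown on the team page
]
TEAM_PAGE = [
    # (first name, last name, role) as listed on the "meet the team" page
    ("Jane", "Doe", "Office Manager"),
    ("Sam", "Patel", "Accounts Clerk"),
    ("Chris", "Lee", "IT Support Technician"),
]

# Assumed list of common corporate local-part conventions. Only the names are
# needed to instantiate each one; one published personal address tells you which.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}

# Role mailboxes that say nothing about how staff addresses are formed.
GENERIC_LOCALPARTS = {"enquiries", "info", "sales", "support", "admin",
                      "hello", "contact", "accounts"}


def split_address(addr):
    local, domain = addr.strip().lower().split("@", 1)
    return local, domain


def mail_domains(addresses):
    """Every published address, generic or not, discloses the mail domain."""
    return sorted({split_address(a)[1] for a in addresses})


def infer_patterns(addresses, team):
    """Return the naming conventions consistent with every personal address
    published. An empty list means only generic mailboxes were found, so the
    convention is still unknown (though the domain is not)."""
    personal = [split_address(a)[0] for a in addresses
                if split_address(a)[0] not in GENERIC_LOCALPARTS]
    if not personal:
        return []
    names = [(f.lower(), l.lower()) for f, l, _ in team]
    consistent = []
    for name, build in PATTERNS.items():
        candidates = {build(f, l) for f, l in names}
        if all(local in candidates for local in personal):
            consistent.append(name)
    return consistent


def predict_addresses(pattern, team, domain):
    """Given one inferred convention, produce the likely address of every
    person on the team page, keyed by role. This is the attacker's lookup."""
    build = PATTERNS[pattern]
    return {role: f"{build(f.lower(), l.lower())}@{domain}" for f, l, role in team}


def recon(addresses, team):
    """Full pass: domain(s), consistent convention(s), and predicted addresses
    using the first consistent convention (empty if nothing can be inferred)."""
    domains = mail_domains(addresses)
    patterns = infer_patterns(addresses, team)
    if not domains or not patterns:
        return {"domains": domains, "patterns": patterns, "predicted": {}}
    return {"domains": domains, "patterns": patterns,
            "predicted": predict_addresses(patterns[0], team, domains[0])}


if __name__ == "__main__":
    result = recon(PUBLISHED_ADDRESSES, TEAM_PAGE)
    print("mail domain(s):", result["domains"])
    print("naming convention(s):", result["patterns"])
    for role, addr in result["predicted"].items():
        print(f"  {role}: {addr}")
    # With only the generic mailbox published, the domain leaks but the format does not.
    print(recon(PUBLISHED_ADDRESSES[:1], TEAM_PAGE))
```

One published personal address is enough to pin the convention down; with only the generic mailbox the attacker still learns the mail domain and has to guess the format, which is why a contact form plus no staff addresses is the safer combination.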
The moral of this story:
Criminals will look for any chink in your cybersecurity armour. Just as computer users should be challenged with the odd unexpected phishing test to check their awareness, the IT helpdesk also needs to be on its guard against dodgy requests. The IT helpdesk manager could even run a table-top exercise with the team, or arrange for a colleague to make a test call, to prove that the procedures are working.
And just as you would verify whether an email is a scam by picking up the phone and calling the sender on a number you already hold (and of course *not* simply replying to the email, which will go straight to the hacker), so you should check any security request by making direct contact with the manager responsible.
Security measures can be cumbersome and time-consuming, but the alternative – a cyber-attack leading to a data breach – is infinitely more painful and costly.
Good procedures and educating the whole team – not just the accounts department – are key. Computer Troubleshooters can help you with this. And if you select us to work as your IT helpdesk, we promise to take good care of your credentials. Please stay safe.