We've suddenly seen a large uptick in firms in Palm Beach County being hacked and taken for large sums of money. Oddly, the amount is often between $200,000 and $400,000 and pretty much all of them trigger lawsuits.
We routinely get contacted to help with cybersecurity after breaches, but this (1) is a new spike in the last 2-3 months and (2) involves an employee tricked into giving access to their email account.
Here is the executive summary:
- Employees Are Overconfident: Every employee is positive they would never fall for a phishing or bad link scam. But we constantly see this happen.
- Bad Guys Get Access to Their Email: The employee gets tricked into entering their user/password through any of several very convincing emails or pop-up boxes.
- Two-Factor Doesn't Always Stop It: Amazingly, even having the password and PIN number requirement for new email logins does NOT stop it! We've repeatedly seen employees give out the PIN number on a form thinking it's legit.
- So What if They Get Into a Low-Level Employee's Email?: They then do a few things: (1) Look through sent and deleted items for any invoices, any emails about money, etc. and reply to the sender AS the employee. They get them to change the payment method/instructions or send them a new request. (2) They send out a blast email with a special offer to every one of the 1,000s of people the employee has ever emailed, e.g. "Our company is giving a huge $1,000 coupon (or similar) if you give us $50 today!" Or any other quick scam to get their credit card info. (3) Or any other way to appear as the employee and get money out of other employees, vendors, or customers. It is SHOCKINGLY EFFECTIVE.
- The Rub!: The email doesn't come from the hacker! It comes from a REAL mailbox from YOUR company complete with your employee's actual email signature. It doesn't just look real, it is real. Why wouldn't the employee, vendor, or customer believe it?
- Who is your customer mad at? The hacker tricked them but only because they got into YOUR company's email system. They are mad at you!
- Results: Every one of these we have seen in the last 2-3 months has been over $200,000 and resulted in lawsuits and hell for the business owners.
So what can you do?
First, be aware! No one seems to take cybersecurity seriously enough UNTIL they have a painful breach! Then they are SUPER invested in improving cybersecurity.
Are you regularly reviewing your cybersecurity? Picking a few things to improve every 3-6 months so you keep getting tighter and more secure? Most cybersecurity improvements are cheap or even free!
The bad guys getting into ANY employee's email in the company is happening constantly and causing huge damage. How positive are you that NONE of your employees could be breached?
You can also set up automatic fake attacks that are sent out monthly to all of your employees and report back to you who fell for it and who did not. You can require those who fell for it to take remedial training and then pay attention if they get tricked yet again.
Please do something, anything, before you get taken for large sums of money, jobs are lost, reputations tarnished, lawsuits fly and your life is derailed for months or even years. Prevention is so much easier.