It seems basic common sense, but even for seasoned pros sometimes it’s not! Email spoofing is a hacker’s easiest way to grab a handful of money and be gone!
They do this by intercepting a legitimate emailed invoice, for example; now they have the information they need to begin. They’ll open a new bank account, claim it’s your new account, and they are in play. Here is how.
Hacking Phase 1: Find a high-value invoice you’ve emailed to a client who has been infiltrated, and intercept it.
Hacking Phase 2: Register a domain similar to your authentic one. Using any of several methods they ‘spoof’ the domain name, adding or changing characters in ways most people won’t notice in the loads of email they get per day.
Hacking Phase 3: Send an email from this new domain advising your client that there have been banking changes or issues, then provide them with the ‘new’ banking information and request that an e-transfer, not a cheque, be sent to the new account. Not that many of us use cheques anymore, but if you do, the e-transfer request is a dead giveaway that you’re being spoofed.
Hacking Phase 4: Collect the money, close the bank account whose ‘new’ details they emailed you, and pocket the cash!
Scary how simple that is, isn’t it? How can you avoid this ‘smash and grab’? Pick up the phone and confirm whether it is real or not! That’s it, that simple and fast. I’ve attached a link that not only defines email spoofing but gives some good information.
Recommendations:
- Email all clients and vendors to specify the process you would use if you were ever to change banking information, and ask them to report any email in which they are asked to change banking payment information for your company.
- Implement a mail rule that marks any email coming from an EXTERNAL source. Notify and train employees that if they receive an EXTERNAL-marked email that appears to come from an internal employee, something is likely wrong and they should report it immediately for investigation.
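The lookalike-domain trick from Phase 2 and the EXTERNAL rule above, as an added example that is not part of the original post: a small Python checker that compares a sender’s domain against the vendor domains you actually deal with (constructed placeholders example-corp.com and acme-supplies.ca) and flags EXTERNAL-marked mail that claims to come from your own domain. The external flag is assumed to be supplied by your mail gateway.

```python
import re
from typing import List, Optional

# Constructed sample data (assumption): domains you do business with, and your own.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.ca"}
INTERNAL_DOMAIN = "example-corp.com"
# Character swaps that make a lookalike domain read like the real one.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lower-case, drop the TLD (so example-corp.co matches .com) and collapse confusables."""
    label = domain.lower().rsplit(".", 1)[0]
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain labels are short, so the O(n*m) cost is irrelevant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if it is clean."""
    if sender_domain.lower() in TRUSTED_DOMAINS:
        return None  # exact match: really sent from a domain we trust
    sender = normalize(sender_domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(sender, normalize(trusted)) <= 2:
            return trusted
    return None

def review_message(from_header: str, tagged_external: bool) -> List[str]:
    """Apply both recommendations: the lookalike-domain check and the EXTERNAL rule."""
    match = re.search(r"<([^>]+)>", from_header)  # "Name <addr>" or a bare address
    addr = match.group(1) if match else from_header.strip()
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    hit = lookalike_of(domain)
    if hit:
        flags.append(f"lookalike domain {domain} resembles trusted {hit}")
    if tagged_external and domain == INTERNAL_DOMAIN:
        flags.append("EXTERNAL-marked mail claims an internal sender; report it")
    return flags
```

Feed it the From header and the gateway’s external flag for each incoming invoice or banking-change email; any non-empty result is the cue to pick up the phone.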
https://en.wikipedia.org/wiki/Email_spoofing
Remember, your Accounts Payable people and everyone in your organization need to be educated in email safety. The most important step to take with any email that seems even the slightest bit off is to call the person. Don’t reply; you’re replying to the hacker. A phone call could save you hundreds of thousands of dollars, if not millions.
If you have been a victim of fraud, contact the police immediately. As well, here is a link to the Canadian Government’s Anti-Fraud website, which contains a lot of great information.
https://www.antifraudcentre-centreantifraude.ca/index-eng.htm