Friday, 26 January 2018

Prevention ideas for hard-to-prevent scams

Now this is an interesting scam: (a) Tauranga school teacher is in online relationship with South African (SA) man and groomed over time; (b) Golden Bay (GB) employee unwittingly loads keylogging malware on their work computer via memory stick, and it infects the work network; (c) GB business email account compromised; (d) GB business email watched until large invoice comes in; (e) hackers intercept the GB business email and change payee details to Tauranga school teacher's account; (f) Tauranga school teacher pays 'transferred' GB business funds to SA man; (g) result: GB business out of pocket $7.5k + embarrassed Tauranga school teacher + happy SA man.

Wow. The hackers picked the PERFECT invoice to hack: a TradeMe sale. This was a one-off payment to a new account (so the Golden Bay business wouldn't have the payment details already on record). The worst of it is that the business was unable to make a claim on their insurance, as, by the time the whole debacle was unwound by the Police, it was more than twelve months down the track.

In my view, the business did not act foolishly. Both the employee and the Tauranga school teacher did.
  • The GB employee should not have loaded an unverified memory stick into the work system. Habitually using a sandboxed machine may have prevented the malware payload... although it is hard to know without knowing the technical details. The employee stopping to think about the potential ramifications would have helped.
  • The Tauranga school teacher could have asked why the SA man could not have used PayPal; or checked the reference or the code on the deposit to her account and then checked with her bank. The 'if it feels too good to be true, it is too good to be true' dictum needs to be followed, particularly for internet romances. More suspicion and critical thinking are required when our only experience of someone is virtual.

So what could the business have done differently to have protected itself? ALWAYS double-check account details with the source over the phone. For a new payment, ask for a phone number to contact their accounts person. This simple addition may not save us, but it will add an extra layer of complication that might make a scam fail.

What else? We need to run malware and other checks regularly. Keep antivirus software up to date. Train our staff, and get them to read articles like the one below so they are regularly reminded how we all contribute to organisational safety.

This has made me cringe, as students often bring their work in on a memory stick, despite me asking them to upload their files into our online dropbox. There is nothing like a reminder to NOT let any unverified memory sticks into our networks. A timely reminder for me to get students - and clients - to follow the rules, with no exceptions on memory sticks, and to tell them why.

At home I use an old laptop for memory sticks. Also, when I lend memory sticks, I reformat them afterwards on that sandboxed machine, and this is a good reminder of why I should continue to do that. 

And I would be interested to hear any other simple ideas that a small business could take to avoid such scams :-)


Sam
