Alaskan businesses are being targeted by cyber criminals who research large companies and use “spoofed emails” that appear to originate inside the company as a way to garner wired funds or vendor payments.
Michelle Tabler with the Better Business Bureau says some of the more advanced attackers are buying domain names similar to well known vendors which they use to trick employees into paying.
Tabler: “What they’re saying is, this invoice came in based on a purchase order that we made and go ahead and pay it. It looks like it’s really from your CEO. One that was recently shown to me was for over $600,000 and they caught it because they had hired a security firm. Some of these are going on through something as normal as VistaPrint, where some of us go to print business cards and that sort of thing. They also register domain names and you can get them within a couple hours.”
According to the FBI, total losses are estimated to be almost $800 million nationwide from October 2013 through August 2015. Last May, Alaska’s Afognak Native Corporation fell victim to a similar cyber scam and lost $3.8 million to a fraudulent bank account in Hong Kong.
Tabler detailed precautions companies can take…
Tabler: “People that have access to payment systems should be on dual controls and company policies and procedures should cover the verifier’s review of valid source information and valid source documents. They need to look closely at emails; what these phishing attempts have done is registered domain names that are really similar to their own companies so a quick glance and it will look like it is from your own email system.”
Here’s a list of ways companies can safeguard against “spear phishing” scams:
- Proper controls. Ensure there are proper controls on financial transactions and accounts payables. Consider two party procedures for larger payments.
- Education. Develop security policies and protocols. Make sure all employees are trained to recognize possible phishing scams and to be vigilant when clicking on links or attachments to emails.
- Brand protection. Purchase domains with similar names to protect company branding.
- Beware of what you share. Scammers research social media sites to find information that they will use to gain access to protected data. They may also attempt to obtain company information by calling to conduct a survey or impersonating a company vendor.