How Spear Phishing Can Impact Your Association

There sure are a lot of ways lately that we can get in trouble with our email: spoofing, whaling, phishing, cloning. And now we have “Business Email Compromise (BEC),” which is simply any email that tries to get someone within your business, or your business partners, to send sensitive information or money to someone who should not be receiving it.

How do they do this?
By using a very targeted email. This is not a bulk spam email that goes out to millions in hopes that someone will click it. It is researched and sent only to a specific person within your organization. This targeted approach is called “spear phishing,” and it is how most BEC attacks are delivered.

Criminals will use social media, such as LinkedIn, or other means, to determine who the higher-ups in a company are (the “whales” in the whaling cases) and where they are currently located. Then they will clone an email that looks like it came from that person, with the correct-looking signature and footer, and spoof the “From” address so it shows the executive’s real address. Nothing in plain email verifies the sender address; the forgery is only caught if the receiving mail server checks SPF, DKIM and DMARC for the spoofed domain. From there, it’s a matter of an email arriving from what looks like the boss, in a tone that seems familiar to your employee. Here’s an example:

FROM: Bob Smith – ABC President
TO: Mary Jones – ABC Accountant

Hey Mary, this is Bob and I am in Florida and I met with a new booth vendor that is going to create us a new booth for about half of what the others cost.  Please transfer $10,000 to their account:

Account #:   xxxxxxxx
Routing Number: xxxx-xxxxxx

He needs the money to get started on the booth tomorrow.

Thanks,

Robert W. Smith
President
ABC Company, Inc.
Columbus, Ohio
tel: 614.555.1212

Is this too far-fetched to happen?
Not at all. I just returned from the Columbus Cyber Security Conference where the head of the FBI’s Columbus office was presenting. He reported that there are presently more than 100 open cases within Central Ohio alone. If a case is reported within 72 hours, the lost money can often be recovered. Any longer than this, there’s very little chance. Over Christmas break, he was able to recover $2 million for a single company that was targeted.

Holidays are prime time because CEOs and key executives post on publicly accessible social media that they are away in remote locales. Knowing that the accounts payable clerk is still working in the office, the attackers send a highly personalized email that seems legitimate, as shown above.


As if that is not enough, the standard phishing scam with malware disguised as an invoice attachment is still around, too!

This can be even more damaging for an association, because it targets your members, not just your staff. It is simply an email that looks like it is coming from someone at your association. They almost always spoof the “From” address to make it look legitimate. The message is simple:

FROM: Tim@AssociationName.org
TO: Jill@AssociationClientEmail.com (or, most of the time, a list)

ATTACHED: Invoice#3476.pdf.gz
Subject: Invoice Attached

Hey Jill,

Please find attached your invoice for 2019 dues from Association Name.

Tim Rorris
Membership Director
Association Name
123 High Street
Dublin, OH 43017
614-555-1212

Pretty straightforward. Note the attachment name: “Invoice#3476.pdf.gz” is a compressed archive dressed up to look like a PDF, and the malware is what is inside it. They are even getting clever now and going to your association website to see what events you have coming up. Then the message would be something like this:

Please find attached your invoice for the 2019 Association Name Conference registration. We look forward to seeing you at the Smith Hotel Downtown Columbus on August 15, 2019.
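The two messages above, the spoofed “president on the road” wire request and the fake invoice with a “.pdf.gz” attachment, each leave tells in the parts of the email the recipient never looks at. The script below is an added example, not TCS Software’s code: it runs a few triage checks over raw messages using only Python’s standard library. It assumes the receiving mail server records its SPF/DKIM/DMARC verdicts in an Authentication-Results header (most do), and every domain, address and attachment payload in the samples is constructed for the example, not a real sender or real malware.

```python
"""Added example (not TCS Software's code): header and attachment triage for the
two phishing messages described above. All samples below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample 1: the "president on the road" wire request, with the
# headers a receiving mail server typically adds before delivery.
BEC_SAMPLE = """\
Return-Path: <bounce@bulk-relay.example.net>
Authentication-Results: mx.abc-company.example; spf=fail smtp.mailfrom=bulk-relay.example.net; dkim=none; dmarc=fail header.from=abc-company.example
From: "Bob Smith - ABC President" <bob.smith@abc-company.example>
Reply-To: <bob.smith.abc@freemail.example>
To: Mary Jones <mary.jones@abc-company.example>
Subject: New booth vendor
Content-Type: text/plain; charset="utf-8"

Hey Mary, this is Bob and I am in Florida. Please transfer $10,000 to their account. He needs the money tomorrow.
"""

# Constructed sample 2: the fake dues invoice with a ".pdf.gz" attachment
# (the base64 body is a placeholder, not a real archive).
INVOICE_SAMPLE = """\
Return-Path: <noreply@bulk-relay.example.net>
Authentication-Results: mx.client.example; spf=softfail smtp.mailfrom=bulk-relay.example.net; dkim=none; dmarc=none
From: Tim@associationname.example
To: Jill@client.example
Subject: Invoice Attached
Content-Type: multipart/mixed; boundary="part-boundary"

--part-boundary
Content-Type: text/plain; charset="utf-8"

Please find attached your invoice for 2019 dues from Association Name.
--part-boundary
Content-Type: application/gzip; name="Invoice#3476.pdf.gz"
Content-Disposition: attachment; filename="Invoice#3476.pdf.gz"
Content-Transfer-Encoding: base64

H4sIAAAAAAAAA+3BAQEAAACCIP+vbkhAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--part-boundary--
"""

# Constructed sample 3: a legitimate internal message, to show the checks stay quiet.
LEGIT_SAMPLE = """\
Return-Path: <bob.smith@abc-company.example>
Authentication-Results: mx.abc-company.example; spf=pass smtp.mailfrom=abc-company.example; dkim=pass header.d=abc-company.example; dmarc=pass header.from=abc-company.example
From: Bob Smith <bob.smith@abc-company.example>
To: Mary Jones <mary.jones@abc-company.example>
Subject: Board meeting agenda
Content-Type: text/plain; charset="utf-8"

Mary, Thursday's agenda is on the shared calendar invite. Thanks, Bob
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
# A document extension followed by an archive/script extension, e.g. ".pdf.gz"
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt)\.(gz|zip|rar|7z|exe|scr|js|vbs|iso|img|lnk)$", re.I)
RISKY_EXT = re.compile(r"\.(exe|scr|js|jse|vbs|lnk|iso|img|gz|zip|rar|7z)$", re.I)
MONEY_RE = re.compile(r"\b(transfer|wire)\b", re.I)
AMOUNT_RE = re.compile(r"\$\s?\d")


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def triage(raw: str) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing odd)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _domain(str(msg.get("From", "")))
    return_path_dom = _domain(str(msg.get("Return-Path", "")))
    reply_to_dom = _domain(str(msg.get("Reply-To", "")))
    # The visible From is what the victim reads; the envelope sender and any
    # Reply-To are what the attacker actually controls.
    if return_path_dom and return_path_dom != from_dom:
        findings.append(f"return-path-mismatch:{return_path_dom}")
    if reply_to_dom and reply_to_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_to_dom}")
    # SPF/DKIM/DMARC verdicts as recorded by the receiving server.
    for mech, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() in ("fail", "softfail"):
            findings.append(f"auth:{mech.lower()}={result.lower()}")
    # Attachment names: archives or scripts dressed up as documents.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name) or RISKY_EXT.search(name):
            findings.append(f"attachment:{name}")
    # Body: a dollar amount together with "transfer" or "wire".
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if MONEY_RE.search(body) and AMOUNT_RE.search(body):
        findings.append("money-request")
    return findings
```

Run `triage()` over a saved .eml file to see the same tells on real mail: the wire request fails SPF and DMARC and replies would go to a free-mail account, the invoice carries a double-extension archive, and the legitimate note produces no findings. None of this replaces the phone call recommended below; it just tells you which messages deserve one.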


What can you do?
Make sure you use a top-ranked anti-virus and phishing scan program (e.g. Webroot, Norton, McAfee, etc.) and keep it up to date. If an email is suspect, wait, and call the person to make sure it is legitimate, using a phone number you already have on file rather than one printed in the email.

For money requests or HR/personal information requests, always have two people agree with the request. On top of that, require a confirmation by phone call, again to a known number, before anything is sent.

Backup, backup, backup. Ransomware will lock your files on your computer and any attached drives or devices, so rotate backup drives. You always want to have a recent copy that is NOT connected to your computer. Virtual drives and offsite backup options are out there: OneDrive by Microsoft, G Suite Drive by Google, Dropbox, Carbonite, etc. Keep in mind that a folder that syncs to the cloud will sync the encrypted files just as faithfully, so make sure the service keeps older versions of your files, or pair it with a backup that is disconnected between runs.

Stay safe out there!  If you have any questions, please feel free to email me.

Tim Rorris
TCS Software, Inc.
tim@tcssoftware.com
