Red flags in this attempted social engineering attack include: (1) addressing the email to a generic title rather than the individual's name; (2) using the incorrect term "hustle" rather than "fraud"; (3) nonsense phrasing; (4) misspellings; and (5) a link to download a file. The scammers also rely on fear and urgency to pressure the recipient into clicking the link, which would almost certainly download malware to the computer. Image courtesy of Sullivan Wright Technologies.
The simplest way to thwart social engineering is to verify the request out of band: contact the supposed sender through a different channel, using contact details you already have rather than any phone number, link, or address supplied in the suspicious message, and confirm that they actually sent it. If an email pressures you to share login information for bank accounts, call the person to verify that they really did ask for it. If a text requesting payment in gift cards seems odd, email that person or call the service provider's published customer service number.
Phishing & How to Respond
Phishing is the most common form of social engineering. Criminals send mass emails designed to trick people into opening malware or disclosing sensitive information or financial account credentials. More than 90% of successful data breaches originate from phishing emails, and the same tactics are increasingly delivered by phone call and text message.
Examples of phishing attacks include:
- A text claiming to offer shipping updates for a package;
- A phone call supposedly from the electric company threatening to cut off service unless a bill gets paid in gift cards;
- An email posing as DocuSign instructing the recipient to click a link to review attachments;
- A letter in the mail that includes a bogus USPS change-of-address form, which would allow an attacker to redirect mail to an address of their choosing.
Red flags in this phishing attempt include: (1) a spoofed sender address that is very long and complicated; (2) addressing the recipient by their email address rather than their name; and (3) misspelling the corporate name and address of the entity the scammers are trying to imitate. The cybercriminals rely on fear and urgency to prompt the recipient to click a link that leads to malware. Image courtesy of Sullivan Wright Technologies.
Phishing often uses fake branded websites and emails that look legitimate enough to trick victims. Red flags include misspellings, odd phrasing, and web or email addresses that closely resemble the real one but differ by a character or two, or by the domain ending (for example ".org" in place of ".com"). The best defense is to never click links or open attachments in suspicious emails. Instead, go to the provider's legitimate website by typing its address or using a saved bookmark, or contact them through their published customer service channels, to confirm whether the message is genuine.
The Danger of Malware
Malware is malicious software designed to compromise a computer. It is most often delivered through emailed links or attachments disguised as invoices or email delivery-failure notices. Once opened, the program installs itself on the computer to access files or the company's network, steal login credentials for financial or social media accounts, or even take over webcams and microphones for spying. Ransomware, a particularly disruptive form of malware that costs businesses more than $75 billion annually, encrypts files and data and demands a ransom for the decryption key. Paying does not guarantee recovery, which is why tested, offline backups matter.
A Real-World Cybercrime Case Study
A high-volume cultivator recently fell victim to a socially engineered scam that cost them more than $20,000. Unbeknownst to the cultivator, scammers had gained access to the company's email account. The criminals monitored all email activity until they intercepted a sizable invoice from a vendor. They deleted the original invoice email and sent the cultivator an altered invoice whose payment instructions directed the funds to the scammers' bank account. The fraudulent email came from an address that looked nearly identical to the vendor's real address, except that the ".com" at the end had been changed to ".org." Suspecting nothing, the cultivator paid the invoice through a third-party payment service (not via Abaca).
After a few weeks, the CEO learned that the vendor was claiming the invoice had not been paid. Several employees worked together to piece together what had happened. Only then did they discover the fake email account and trace the payment details in the doctored invoice to an account in South America that had already been cashed out and closed.
By the time the fraud was detected, more than a month had passed. It was too late to reverse the transaction, and, citing its terms of service, the third-party payment platform would not help the cultivator either. The criminals cheated the business out of more than $20,000, and the cultivator still owed the vendor that same amount.
Preventing This Attack
- Two-factor authentication on the email account would very likely have prevented the account takeover that gave the scammers visibility into the invoice.
- Careful attention to the "from" address would have revealed that the sender's domain ended in ".org" instead of the vendor's ".com."
- Formal organizational processes and accurate vendor records would have flagged that the account number on the invoice differed from the one on file. Any change to a vendor's payment instructions should be confirmed by calling a contact number already on record, never one printed on the new invoice.
- Payables controls with dual-person approval (available on Abaca) could have caught the fraudulent ACH information before the payment went out.
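The ".com"-to-".org" swap in this case, and the one-or-two-character lookalike addresses described in the phishing section, are exactly what a simple sender check can catch before an invoice reaches accounts payable. The following is an added example written for this article, not code from Abaca or from the original piece. The vendor list, vendor names, and sample "From:" headers are all constructed for illustration; the homoglyph table and two-edit threshold are assumptions that an organization would tune to its own vendor list.

```python
"""Flag sender addresses that imitate a known vendor's domain.

Added example: the vendor records and sample headers below are constructed
for illustration and do not refer to real companies.
"""
from email.utils import parseaddr

# Constructed vendor master list (hypothetical names): registered domain -> vendor name.
KNOWN_VENDORS = {
    "greenleafsupply.com": "Green Leaf Supply",
    "hydroworks.net": "HydroWorks",
}

# Substitutions that look alike on screen; an assumed, deliberately small table.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# How many typo edits still count as "too close to a vendor" (assumed threshold).
MAX_EDITS = 2


def normalize(label: str) -> str:
    """Collapse look-alike characters so 'greenleafsupp1y' compares equal to 'greenleafsupply'."""
    label = label.lower()
    for glyph, real in HOMOGLYPHS.items():
        label = label.replace(glyph, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; enough to catch dropped, added, or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (name, tld) for a plain domain such as 'vendor.com'."""
    parts = domain.lower().rsplit(".", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def check_sender(from_header: str) -> dict:
    """Classify a From: header as 'known', 'lookalike', or 'unknown'.

    A 'lookalike' verdict names the vendor it resembles and why it was flagged,
    so the reviewer knows which vendor to phone using the number already on file.
    """
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in KNOWN_VENDORS:
        return {"verdict": "known", "vendor": KNOWN_VENDORS[domain],
                "reason": "exact domain match"}

    label, tld = split_domain(domain)
    compact_display = display.lower().replace(" ", "")
    for vendor_domain, vendor_name in KNOWN_VENDORS.items():
        v_label, v_tld = split_domain(vendor_domain)
        if label == v_label and tld != v_tld:
            reason = f"same name as {vendor_domain} but TLD .{tld} instead of .{v_tld}"
        elif label != v_label and normalize(label) == normalize(v_label):
            reason = f"homoglyph variant of {vendor_domain}"
        elif edit_distance(label, v_label) <= MAX_EDITS:
            reason = f"within {MAX_EDITS} edits of {vendor_domain}"
        elif vendor_name.lower().replace(" ", "") in compact_display:
            reason = f"display name claims {vendor_name} but domain is {domain}"
        else:
            continue
        return {"verdict": "lookalike", "vendor": vendor_name, "reason": reason}
    return {"verdict": "unknown", "vendor": None, "reason": "domain not in vendor list"}


if __name__ == "__main__":
    # Constructed sample headers, including the .com -> .org swap from the case study.
    samples = [
        "Green Leaf Supply <billing@greenleafsupply.com>",
        "Green Leaf Supply <billing@greenleafsupply.org>",
        "billing@greenleafsupp1y.com",
        "Accounts <ap@greenleafsuply.com>",
        "Green Leaf Supply <invoices@mail-relay-9921.com>",
        "Jane <jane@randomco.com>",
    ]
    for header in samples:
        result = check_sender(header)
        print(f"{result['verdict']:9s} {header:50s} {result['reason']}")
```

Run directly, the script prints a verdict for each constructed header; in a mail pipeline the same `check_sender` call would run on the real "From:" header and route anything other than `known` to a human for out-of-band confirmation. The "display name claims a vendor" rule matters because attackers who control a throwaway domain still set the friendly name to the vendor they are imitating, and many mail clients show only that name.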
In Part 1 of this cybersecurity primer, we’ve covered the most common types of cyber attacks and the devastating effects they can have on cannabis operators. To learn how to best protect your business and how to respond in the wake of a breach, read the recommended cybersecurity measures in Part 2.
All cybersecurity statistics referenced in this article can be found at https://purplesec.us/resources/cyber-security-statistics/.