David Van Damme

Situations You’ll Want to Avoid

You have undoubtedly heard it before:  When it comes to opening emails, clicking links, and browsing – – “Be vigilant.”  But why? In short, because not only are cyber security breaches in the news on the rise, but because issues are already happening at our clients.  Check out the following story:

Client Situation #1

Brother # 1 manages Company A – US, a foreign owned subsidiary and our direct client.  Brother #2 manages a smaller subsidiary, Company B – Foreign, from the parent company located in Europe.  Brother #1 and #2 own the parent company.

The vice president and controller of Company A – US, let’s call her “Betty,” will correspond via email and phone calls with Brother #2 about global operations and other matters.   Brother #2 loves dogs and regularly talks with Betty about his beloved pet.

One day Betty gets a phone call from Brother #2, who explains and asks: “We are cash tight right now and behind on paying one of our major vendors.  Is it possible for you to pay a few invoices on our behalf, and we’ll reimburse you as soon as we can access funds from our lender?”  The real kicker that follows is: “By the way, did you get that photo I emailed of my dog?”

Betty’s immediately thinking that everything sounds logical — after all, it was a phone call and reference was made to topics regularly discussed. Furthermore, Betty has been requested to do this very thing for Brother #2 in the past.  Nonetheless, Betty fills in Brother #1, who further confirms and says “sounds reasonable.”

Brother #2 emails Betty the related invoices.  These are smaller amounts, less than $50,000 in total.  The funds are sent.  A couple of days later money is actually received back!

A few days further out, another request is made, this time for invoices in excess of approximately $300,000.  Again, money sent.  But this time, well…nothing.

As a few more days go by, Betty casually mentions to Brother #1 that Brother #2 seems to be much slower at repaying these last larger invoices.  For whatever reason, this causes immediate concern to Brother #1 who asks to see the email string relating to everything.

What’s immediately noticed?  The spelling of Brother #2’s name is off, ever so slightly.

Together, they call Brother #2.  As it turns out, none of it is real — not even the phone call.  The hackers, in this case, were sophisticated enough to not only hack the email server but also tap into the phone system, see and listen to everything and, as a result, were able to execute a call with Betty impersonating the sound of the voice of Brother #2!  That’s just Client Situation #1.

Client Situation #2

Client Situation #2 involved the entire lock down and encryption of servers for almost a month until the equivalent of 30 bitcoin were paid, a point in time in which they were, going for $7,000 a pop.  In addition, significant additional costs were paid to professionals to help get the systems back online and to replace equipment.

Client Situation #3

Client Situation # 3 involved the payment of close to $500,000 to what the client thought was a request from their CFO.

So again, what does this have to do with you, or being “vigilant?”

While you may not be the one who wires money from your organization’s pocketbook under false pretenses, in all client situations, someone in the organization clicked or opened something which allowed hackers access to the overall corporate server, which in turn allowed the hacker to find the “right” person.  Quite often it is the person with access to the bank accounts.

Said differently, the ultimate “click” that led down a long road of Betty wiring $300,000 off to hackers, did not have to start at her computer.  It may have started with Joe on the shop floor.  Or Sam from engineering.  Or anybody.  The key is, that whoever did it, while [hopefully] not on purpose, allowed the hackers a chance to get into the company, and from there, they waited and watched until they found the right opportunity with Betty.

Everyone plays a role in helping prevent this from happening

1. If you’re not expecting it. Don’t open it.
2. Hover over links before clicking them. Does the site look legitimate?
3. Be safe rather than sorry. If somebody sends something that was legitimate, but you weren’t expecting it: call them!  Or, delete the email.  If it was important, they’ll follow-up again.
4. When it doubt, ask for help.