The View from 30 Feet: Cyber Fraud
by Jen Clark
Tips to prevent phishing
If you receive an email from anyone asking you to send funds to a different bank account, use a different means of communication (phone, Skype, fax, etc.) to double-check with the vendor.
If you are uncertain about the validity of an email, check its properties. With the email open, go to File and then Properties to see where it originated. In Viking Plastics' case, emails from the hacker show the following in the Properties:
Received: from [127.0.0.1] (port=42962 helo=webmail.arabdoctors.ae)
The text in red should have been the email address for Viking Plastics' contact. Keep in mind, though, that even if it looks like the contact's URL, that does not always mean it is safe.
Set up a secret phrase with your contacts. If there is ever any doubt, use this means to test that you are communicating with the correct person.
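The header check described in the tips above can be automated. The following is an added example, not part of the original article: it lists the host names in a message's Received headers and flags any that fall outside the domain in the From address. The sample message is constructed; only its first Received line is the one quoted above, and the addresses, the second hop and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Only the first Received line comes from the
# article; the addresses and the second hop are made up for illustration.
SAMPLE = """\
Received: from [127.0.0.1] (port=42962 helo=webmail.arabdoctors.ae)
Received: from mail.vendor.example (helo=mail.vendor.example)
From: "Vendor Contact" <contact@vendor.example>
To: controller@buyer.example
Subject: Updated bank details

Please use the new account for this payment.
"""

HELO_RE = re.compile(r"helo=([^\s)]+)", re.IGNORECASE)
FROM_RE = re.compile(r"^from\s+([^\s(]+)", re.IGNORECASE)


def relay_hosts(raw):
    """Return the host names (from-host and helo) found in Received headers."""
    msg = message_from_string(raw)
    hosts = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        for rx in (FROM_RE, HELO_RE):
            m = rx.search(value)
            if m and not m.group(1).startswith("["):  # skip IP literals
                host = m.group(1).lower().rstrip(".")
                if host not in hosts:
                    hosts.append(host)
    return hosts


def unexpected_relays(raw, trusted_domains=()):
    """Hosts in the Received chain outside the From domain or trusted domains."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # trusted_domains is for your own mail servers, which also add Received lines.
    allowed = {sender_domain, *(d.lower() for d in trusted_domains)} - {""}
    return [h for h in relay_hosts(raw)
            if not any(h == d or h.endswith("." + d) for d in allowed)]


if __name__ == "__main__":
    print(unexpected_relays(SAMPLE))
```

An empty result does not prove a message is genuine: the helo name is supplied by the sending host, and a message sent from a compromised mailbox passes through the contact's real servers, so the call-back check still applies.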
Business gurus often talk about the view from 30,000 feet – the big picture that provides a look at overall operations. Perhaps, however, the focus should be on the view from 30 feet – a close-up of specific processes and procedures that make an impact now.
While the information age has provided tools that make doing business easier and faster, it also has enabled a proliferation of fraudulent activity. Two MAPP-member companies recently experienced similar attacks and decided to share their experiences to help prevent cyber fraud from happening to others.
Cyber fraud is any type of deliberate deception for unfair or unlawful gain that occurs online. The most common form is online credit card theft. The US Department of Justice defines these types of crime as "Mass-Marketing Fraud" because the schemes use one or more mass-communication techniques and technologies to harm victims. Bank and financial account schemes, for example, trick victims into providing bank or financial data, which gives the fraudsters unauthorized access to those accounts. The most common types of deception include "phishing" (attempting to acquire sensitive information such as usernames, passwords or credit card details), "vishing" (the telephone equivalent of phishing) and "spear phishing" (an email that appears to be from a known individual or business).
Viking Plastics, Inc. was a victim of the last of these. Cathy Pitts, controller, said she thought the Corry, PA-based company's internal controls would prevent such a thing from happening; however, "I received an email one morning from a vendor in China saying 'We have not received the funds that you wired us'," she recalled. "I was sick to my stomach and knew immediately there was something wrong. I had an email the day before confirming that they had received the funds."
The vendor was a company Viking Plastics had dealt with in the past and had transferred funds to previously without problems. An investigation determined the vendor's systems were breached. "Hackers got into their email and took over," Pitts explained.
She and Viking Plastics' program manager had received an email asking them to send the funds to a different account than normal. "We discussed (the situation) and thought that it was questionable," Pitts said. "I took my mouse and hovered over the name of the sender to see where it really came from and it (appeared to be) from our contact. We then received another email with the new account information. Once again the email appeared to be legitimate. We even have emails from the hacker discussing logistics and how the shipment was going to be handled. I transferred the funds on Thursday, and on the following Monday I received an email acknowledgment that the funds had been received. Yes, the hacker was nice enough to confirm receipt."
Fortunately for Viking Plastics, its first encounter with spear phishing was a loss under $10,000 and its vendor has taken full responsibility for the breach of security. "We are working with our bank and authorities to try and recover the money for our vendor," Pitts said.
A second MAPP-member company suspects its own email system was hacked, allowing someone to falsely authorize payments through an Automated Clearing House (ACH) account for services never received. "The first draw was very small," an official with the company said. "I understand that this is to test the numbers to verify that they are good and that the monies can be retrieved."
Once a fraudster finds the numbers are legitimate, it doesn't take long for large amounts of money to go missing. "In just a few quick transactions, our account was relieved of $50,000 before our bank questioned the activity and before we noticed the withdrawals," the official said. "We quickly had our account frozen and have since suspended all ACH payments."
In this type of cyber fraud, perpetrators use several different individuals to receive the funds. Once the funds have left the receiving bank, they cannot be recovered. "The authorities are not interested in prosecuting the individual because they were not the one who actually withdrew the money," the official said. "They also were, in a sense, a victim."
The company has worked with its bank to recover the funds and has set up certain security measures to prevent the loss from happening again. "The key is to secure your account and password information and never send it in an email or fax – it might be compromised," the official said. "There are new encrypting methods, and banks also have newer protocols that require additional authorization processes for ACH payments. I suggest anyone using ACH should have a discussion about security with their banking representative."