The new year has just begun and the scam artists, fresh from a holiday break, are poised to use social media and the weaknesses in your data security plan to their advantage. Pause for a moment and reflect on how many workers you employ at your company, and then think about how many of those employees use social media on a daily basis, perhaps even sharing seemingly unimportant information with the world.
Take for example those employees who use LinkedIn, which shows their job title and, more importantly, all of their contacts and those contacts’ job titles. It is human nature to connect with people you know, so it is not unusual for an entire department to be represented on one person’s page. It takes just one employee who wants to raise their profile by connecting with anyone who asks to give a cyber-criminal a map of your company’s internal administrative personnel, simply by following the chain of connections. Add Facebook to the mix and that same employee can be followed more deeply, giving the criminal good guesses at passwords, travel schedules, email addresses, and still more business contacts.
Now the crook has enough information to evolve into an impersonator. Do you know how to spot a fake and protect your company? Are your employees vigilantly working to prevent this risk?
We are seeing this kind of impersonation frequently, most often as a request to pay a vendor (a scheme commonly called business email compromise or invoice fraud).
Perpetrators accomplish this with spoofed emails that use the same names as real individuals at your company but with some variation in the email address. The scam starts small, with something that looks like a routine payment for services. The impersonator creates a fake invoice for one of your vendors and, pretending to be one of your employees, emails a request to a legitimate employee in the accounts payable department. The email carries a sense of urgency, stating that the account is past due and instructing that payment be made to a specific bank account. The accounts payable employee recognizes the name of the other employee and recognizes the vendor’s name. The payment is made to the bank account, which in reality is controlled by the cyber-criminal. Now the crook knows the scam works and will keep using that same employee’s impersonated address with different vendor invoices, or switch to impersonating another employee. The financial losses can grow quickly.
For example, if the company’s sales manager’s actual email address is firstname.lastname@example.org, a cyber-criminal could register a look-alike domain (one that adds or drops a letter, inserts a hyphen or a word such as “inc,” or uses a different top-level domain) and send from the same first-name.last-name address at that domain. Some perpetrators even set up fake websites to match the fake email address extension. The extension refers to the portion of the email address after the @ (the domain), so the fake website for our first example would be www.companyinc.com. Often they copy the content of the real website so it looks familiar to anyone trying to confirm that they are dealing with a genuine company representative.
Under another scenario, the perpetrator impersonates your company to communicate with one of your suppliers. The perpetrator’s goal is to purchase equipment on credit in your company’s name. They use the credit terms (often a net 30 arrangement) to have equipment shipped to them and then disappear, leaving the actual company to foot the bill after they have had time to cover their tracks. Here too, the perpetrator creates a fake email address that resembles the address of one of your actual employees, and may also create a fake website using your company’s trademark and possibly copied content. If you spot a fake website, your company’s trademark and copyright rights (also called intellectual property rights) give you grounds to ask the website provider to take the site down to combat the fraud.
There are tell-tale flags that savvy employees can use to decide whether a communication needs to be investigated before they reply. First, consider the context of the email. Is it unusual for the purported sender to be emailing you? Does the tone of the message match previous communications from that sender? Does the invoice from the vendor look the same as others? Is the payment amount different? Has the payment been cross-referenced to other internal documentation, such as supply agreements, contracts, or other records showing that the work was actually performed? If the vendor is new, do you require a completed W-9 before any payment is made, and have you verified that information? Is the employee who supposedly sent the email on vacation or traveling out of the office? Fraudulent emails often contain misspellings or a short, terse tone that does not capture the personality of the impersonated person, and the sender may use a Reply-To address that differs from the address the message appears to come from. Sometimes the sender asks for information they should already know, or fishes for information outside the normal purchase. Treat any change in a vendor’s bank account details as a red flag in itself. If there is ever any doubt, DO NOT REPLY to the email. Instead, pick up the phone and call the purported sender at the number you already have on file, never a number taken from the suspicious email or its signature, to verify that the request is legitimate.
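The look-alike addresses described above and the red flags listed here are the kind of thing an accounts-payable mail filter can check mechanically before a human ever sees the message. The script below is an added example, not code from the original post or from Stites & Harbison: it flags a sender domain that is a homoglyph, typo, TLD-swap or “extra word” variant of the company’s real domain, an employee display name arriving from an outside address, a Reply-To that differs from the From domain, urgent-payment language, a vendor with no W-9 on file, and a bank account that differs from the one on file. The domain company.com, the employee names, the vendor Acme Supply, its account number, and the two sample messages are all constructed for this example.

```python
"""Triage of incoming vendor-payment e-mails for impersonation red flags.

Added example; reference data below is constructed, not real.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed reference data (constructed): the company's legitimate e-mail domain(s),
# employees who send payment-related mail, and vendor bank accounts already on file.
KNOWN_DOMAINS = {"company.com"}
KNOWN_EMPLOYEE_NAMES = {"jane doe", "sam lee"}
VENDOR_ACCOUNTS = {"acme supply": "123456789"}

URGENT = re.compile(r"\b(past due|urgent|immediately|asap|final notice|today)\b", re.I)
ACCOUNT = re.compile(r"\b(?:account|acct)\.?\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})\b", re.I)


@dataclass
class Message:
    from_name: str
    from_addr: str
    subject: str
    body: str
    vendor: str
    reply_to: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Collapse common visual substitutions (rn->m, 0->o, 1->l, ...) before comparing."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(bad, good)
    return d


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why `domain` resembles a known company domain, or None if it does not."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    folded = fold_homoglyphs(domain)
    name, _, tld = folded.rpartition(".")
    for known in KNOWN_DOMAINS:
        kname, _, ktld = known.rpartition(".")
        if folded == known:
            return f"homoglyph variant of {known}"
        if name == kname and tld != ktld:
            return f"{known} with a different top-level domain"
        if edit_distance(name, kname) <= 2:
            return f"within two edits of {known}"
        if kname in name:
            return f"{known} with extra characters (an added word or hyphen)"
    return None


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(msg: Message) -> List[str]:
    """Return a list of human-readable red flags; an empty list means nothing tripped."""
    flags: List[str] = []
    from_domain = domain_of(msg.from_addr)
    reason = lookalike_reason(from_domain)
    if reason:
        flags.append(f"sender domain {from_domain} is a look-alike: {reason}")
    if msg.from_name.lower() in KNOWN_EMPLOYEE_NAMES and from_domain not in KNOWN_DOMAINS:
        flags.append(f"display name '{msg.from_name}' matches an employee but the address is external")
    if msg.reply_to and domain_of(msg.reply_to) != from_domain:
        flags.append(f"Reply-To domain {domain_of(msg.reply_to)} differs from From domain {from_domain}")
    if URGENT.search(msg.subject + " " + msg.body):
        flags.append("urgent payment language")
    on_file = VENDOR_ACCOUNTS.get(msg.vendor.lower())
    if on_file is None:
        flags.append(f"vendor '{msg.vendor}' is not on file: collect and verify a W-9 before paying")
    m = ACCOUNT.search(msg.body)
    if m and on_file and m.group(1) != on_file:
        flags.append(f"bank account {m.group(1)} differs from the account on file for {msg.vendor}")
    return flags


# Constructed sample messages: one routine invoice, one impersonation attempt.
LEGIT = Message("Jane Doe", "jane.doe@company.com", "Acme Supply invoice 1042",
                "Invoice 1042 attached for April services, account number 123456789 as usual.",
                vendor="Acme Supply")
FRAUD = Message("Jane Doe", "jane.doe@companyinc.com", "Past due: Acme Supply invoice 1043",
                "This is past due. Please wire today to account number 987654321.",
                vendor="Acme Supply", reply_to="jane.doe@company-inc.com")

if __name__ == "__main__":
    for label, msg in (("LEGIT", LEGIT), ("FRAUD", FRAUD)):
        print(label, triage(msg) or "no flags")
```

The look-alike test deliberately fires on any domain that merely contains the company name, so a genuine vendor whose domain happens to include it must be added to an allowlist of known senders rather than the check being loosened; the cost of a false positive here is a phone call, the cost of a miss is a wire transfer. None of these flags is proof of fraud, and an empty list is not proof of legitimacy: the account-number check only compares against what is on file, so the callback to the vendor at a known number remains the control that actually stops the payment.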
If you would like more information, Stites & Harbison’s Data Security and Intellectual Property attorneys can help.