Are you the Phish? Tales from the Fraud Trenches.
- Practical Intelligence
- Oct 2, 2019
- 4 min read

As many of you know, I’m a Certified Fraud Examiner. As such, I see, hear, and investigate a number of different fraudulent activities. I’ve spoken over thirty times, to groups as small as five and as large as 300 participants, across the country. I’m passionate about stopping people and companies from being victims.
I think the passion started when I was in grade school and someone stole my bike. I loved that bike. It had a Sissy Bar, the back tire was a slick, it sported a three-speed shifter that looked like it came out of a race car, and it was fast. I remember being boiling mad when it was stolen. That incident put me on a path to fight fraud and theft.

This was like my bike, but mine was a cool yellow.
Two of the most insidious crimes that have raised their ugly heads are Phishing and SpearPhishing.
Phishing? SpearPhishing? What are they, and how can I stop them?
Phishing
There are two broad ways criminals try to extract money from you, whether by phone, text, the web, or email (the phone and text variants are often called vishing and smishing, but the mechanics are the same). The first is Phishing. We’ve all been Phished. If you’ve ever received an email from a Nigerian Prince offering to give you a million dollars in exchange for a mere $1,500, or the “IRS” has called to tell you they are going to freeze your bank accounts, or someone has called your cell phone to tell you your Windows system needs upgrading, you’ve been Phished.
The criminals cast a wide net to see who bites. If they get someone on the hook, they exploit them, either by talking them into handing over money or by locking up their computer with ransomware and demanding payment. The criminals are counting on the small fraction of recipients who fall for the scheme; when the message goes out to millions of people, even a tiny hit rate pays.
Most Phishing attacks are relatively easy to spot. Microsoft is never going to call you about upgrading your system. The Nigerian Prince is never going to have that million dollars, and the IRS is never going to call you about freezing your accounts (it sends a notification letter). That being said, Phishing attacks do work, or criminals wouldn’t keep trying them. The rule of thumb is: if it sounds too good to be true, or if they are demanding money, like yesterday, it’s most likely a scam.
SpearPhishing
SpearPhishing is the more sinister of the two. This is a targeted attack on you specifically. The attacker pretends to be someone or something they are not and works their way into your business or your personal life through email or social-media contacts. The unnerving part is that they have usually done research on you specifically. Accounts payable and treasury staff are favourite targets, because they can move money, but it can be anyone.
What are they trying to do?

Criminal SpearPhishers are swimming around with their spear-guns locked and loaded waiting for you to poke your head out from the reef. They may have chummed the water to get you to come out.
Let’s take the example of North Korean hackers. Lately, North Korean hackers have been searching LinkedIn for employees in specific positions within a company, Treasury for example. Once they find you, they send you an innocuous email or an invitation asking you to connect with them on LinkedIn. A couple of months may go by, and then you receive a message from them. It goes something like this:
“Thank you for connecting with me. I noticed that you have a vast amount of experience. I too worked in (your industry). It’s funny, but I worked for a company you did business with (they name a real company you did business with). Our company is growing quickly, and we are looking for a (your current position) to be filled immediately. We pay substantially above market rates (more than 25% above market), with a $20,000 signing bonus and a $600 monthly car allowance. If you could fill out the enclosed application, we think we have a position for you.”
This is exciting. Someone finally recognizes your talents. You click on the document and fill out the application. It may go nowhere, but it’s nice to be noticed as a leader in your industry.
What Just Happened Here?
The minute you open the application, the North Korean hackers have planted a keystroke logger on your computer. When you log in the next day, the criminals can see every keystroke and mouse movement you make. They are looking for your network password. Once they have it, they’re in your network, and at that point things get really bad. They can impersonate you to a supplier, they can get your banking information and drain all of your accounts, and there is a host of other very bad things that can happen.
If you don’t believe me, read the article below. The hackers infiltrated Chile's ATM network by getting an employee to apply for a job through LinkedIn. They even held a Skype interview with the individual as part of the ruse.
But what can you do to not be the Phish?
I call it the STOP, LOOK, and LISTEN approach to prevention. When we were young, our mothers taught us to cross the street. They said, “before you cross, Stop, Look both ways, and Listen to hear if any cars are coming.”
It’s the same with emails, invitations, and social-media friend requests, even emails from a superior requesting salary or human-resources information. When you receive something, STOP, LOOK, and LISTEN. Ask yourself: do I know this person, why are they being so friendly, and what are they really asking me for?
I know we are all busy. We never have enough hours in the day. I get it. But if you will STOP, LOOK and LISTEN when you receive a request, it may save you a world of hurt in the future. A healthy dose of skepticism doesn’t hurt.
I know a company where a fraudulent email was sent to all 75 employees by someone impersonating the CFO, asking for W-2 information. Of the 75 requests, 13 employees replied with their W-2 salary information to the criminal posing as the CFO. All 13 then had a fraudulent tax return filed in their name with the IRS, claiming refunds of more than $4,000 apiece. $52,000 stolen from employees is not a bad haul for a few days of research on the internet.
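The three STOP, LOOK, LISTEN questions can also be asked mechanically of an email before a human ever reads it. The script below is an added illustration, not code from the original post: it checks whether a familiar executive name is sitting on an outside mailbox, whether a reply would go somewhere other than the sender, and whether the message asks for sensitive data under time pressure, using a constructed version of the fake “CFO” W-2 request as the test case. The company domain, the executive directory, the word lists and both sample messages are assumptions made for this example; adjust them to your own environment.

```python
"""
Mechanical STOP, LOOK, LISTEN checks for one incoming email.

Added illustration, not code from the original post.  Turns the author's
three questions (do I know this person, why are they being so friendly,
what are they really asking for) into header and body checks.  The company
domain, executive directory, word lists and sample messages are constructed
for this example.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-co.com"                      # assumed: your own mail domain
EXECUTIVES = {"pat morgan": "CFO", "lee chen": "CEO"}  # assumed: names attackers like to borrow
SENSITIVE = ("w-2", "ssn", "social security", "wire transfer", "payroll", "bank account")
URGENT = ("immediately", "asap", "today", "urgent", "right away")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Collect the text/plain content of a parsed message (multipart or not)."""
    if not msg.is_multipart():
        return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    parts = [p.get_payload(decode=True) or b""
             for p in msg.walk() if p.get_content_type() == "text/plain"]
    return b"\n".join(parts).decode("utf-8", "replace")


def stop_look_listen(raw: str) -> list:
    """Return the red flags found in one RFC 822 message; an empty list is clean."""
    msg = message_from_string(raw)
    flags = []

    # LOOK: who is this really?  A familiar display name on an outside
    # mailbox is the classic CFO / CEO impersonation.
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    key = name.strip().lower()
    if key in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append(f"display name '{name}' looks like our {EXECUTIVES[key]} "
                     f"but the sender domain is {from_dom!r}")

    # LOOK: where would my reply actually go?
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_to)!r} differs from the From domain")

    # LISTEN: what are they really asking for, and how hard are they pushing?
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    asks = [w for w in SENSITIVE if w in text]
    if asks:
        flags.append("asks for sensitive data: " + ", ".join(asks))
        if any(u in text for u in URGENT):
            flags.append("pressure: urgency combined with a request for sensitive data")
    return flags


# Constructed sample messages (not real mail).
SPOOFED_CFO = """\
From: Pat Morgan <pat.morgan.cfo@gmail.com>
Reply-To: Pat Morgan <pmorgan.finance@outlook.com>
To: staff@example-co.com
Subject: W-2 copies needed today
Content-Type: text/plain

Hi, I'm finalizing the year-end review and need a copy of every
employee's W-2 sent to me immediately. Thanks, Pat
"""

LEGIT_CFO = """\
From: Pat Morgan <pat.morgan@example-co.com>
To: staff@example-co.com
Subject: Q3 close schedule
Content-Type: text/plain

Team, the Q3 close calendar is on the shared drive. Pat
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_CFO), ("legitimate", LEGIT_CFO)):
        print(label, "->", stop_look_listen(raw) or ["no red flags"])
```

Treat this as a triage aid, not a verdict: it catches the crude display-name spoof and the mismatched Reply-To, but not a message sent from a genuinely compromised internal mailbox, which is exactly why the human STOP, LOOK, LISTEN step still matters.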
Be suspicious and stay safe out there.