Phishing Defense

Phishing is a type of attack carried out to steal usernames, passwords, credit card information, Social Security numbers, and/or other sensitive data. Phishing is most often seen in the form of malicious emails pretending to be from credible sources such as people, departments, or organizations related to your business.

Attackers can use this information to:

  • Steal money from victims (modify direct deposit information, drain bank accounts)

  • Perform identity theft (run up charges on credit cards, open new accounts)

  • Send spam from compromised email accounts

Attackers can also use your public information and relationship with the spoofed "sender" to get you to:

  • Purchase gift cards

  • Connect to an insecure site (http://)

  • Click on a malicious link that installs malware on your device

Here are two examples of extremely sophisticated phishing that resulted in hundreds of thousands of dollars in losses for the businesses involved. Both of these customers were on Office 365.

1)  The first example: the attacker broke into the company's Office 365 account and studied the owner's wording in his emails. They were also familiar with the corporate structure of the accounting department. The "owner" emailed one of the check signers in the office and directed him to send a $200,000 payment to a new vendor, supplying the bank information. The check signer questioned the transaction, but the "owner" approved it to be sent. The "owner's" email address was one letter off, and the check signer didn't catch it. The money was sent.

In these types of cases, I always advocate the old-fashioned phone call or sneaker mail.

2)  Another example was a notice from a significant vendor of the business. There were many invoices outstanding, and the "vendor" said there had been a bank change and emailed the new bank information. The A/P clerk asked that the change be sent on letterhead, which they promptly provided. $300,000 of invoices were paid to the new bank. Again, a phone call would have caught this phishing scheme. Unfortunately, none was made.

  • For vendors that get paid via ACH:

    • There should be a chain-of-command approval process to set up new vendors, including a telephone call to verify banking information;

    • To change the banking information of an existing vendor, the same procedures as above should apply.
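The "one letter off" sender address in the first example is the kind of thing a mailbox rule or mail-gateway check can flag before a person has to notice it. Below is an added example (not code from this page or from any product it names) that folds look-alike characters and flags sender addresses within two edits of a known contact or trusted domain; the contacts, domains and sample addresses are constructed for the example.

```python
# Constructed directory of legitimate senders and their domains (not real data).
TRUSTED_ADDRESSES = {"owner@example-corp.com", "billing@bigvendor.com"}
TRUSTED_DOMAINS = {"example-corp.com", "bigvendor.com"}
MAX_EDITS = 2  # how many character changes still count as "one letter off"

# Single characters attackers swap in because they look alike on screen.
_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize(text: str) -> str:
    """Lower-case and fold look-alike glyphs so 'rn' ~ 'm' and '0' ~ 'o'."""
    return text.lower().translate(_GLYPHS).replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance where insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _near(candidate: str, known: set) -> bool:
    """True if candidate is within MAX_EDITS of any known value after folding."""
    norm = normalize(candidate)
    return any(levenshtein(norm, normalize(k)) <= MAX_EDITS for k in known)

def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one From: address."""
    address = address.strip().lower()
    domain = address.rsplit("@", 1)[-1]
    if address in TRUSTED_ADDRESSES or domain in TRUSTED_DOMAINS:
        return "trusted"
    if _near(address, TRUSTED_ADDRESSES) or _near(domain, TRUSTED_DOMAINS):
        return "lookalike"  # hold for out-of-band verification, e.g. a phone call
    return "unknown"

# Constructed sample From: addresses, one per incoming message.
SAMPLE_FROM = [
    "owner@example-corp.com",   # genuine
    "owner@exarnple-corp.com",  # 'rn' standing in for 'm'
    "billing@bigvend0r.com",    # zero standing in for 'o'
    "owner@example-corp.co",    # one letter dropped
    "news@unrelated-news.org",  # not near any trusted sender
]

if __name__ == "__main__":
    for addr in SAMPLE_FROM:
        print(f"{classify_sender(addr):9} {addr}")
```

A "lookalike" verdict is a signal to route the message for manual verification, not proof of fraud; legitimate senders on a trusted domain still need the payment-change procedures above.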
