Phishing: STOP Posting Your Personnel’s Contact Information!

Please, please stop.

In marketing, it is great to give your business a personal face: a close contact or a person to call when things go wrong. That is great for customers, but it causes a tremendous security headache in I.T., because you have just painted a target on that person.

What are we talking about? A common scam known as phishing.


Phishing Targeting You and Your Staff

The way this scam works is that a hacker scans your website for contact information. They find a CFO, CEO, a bookkeeper or someone in authority in the company and dig up EVERYTHING they can about them. They do what is known as a “full dox” on the person. That includes information about their personal lives, the charities they support, and so forth.


Laying the Trap

Some time later, a person who handles payments and who is profiled on the website receives this kind of email:

“From: [email protected]

To: [email protected]

Hey, Sarah, I am in NYC at the charity event we talked about and I need you to wire $15,000 to this charity’s bank account. Thanks, Steven.”

Pretty straightforward, huh? Steven is away at a charity event, he sent Sarah a request for a donation to the charity he was at, and everyone was expecting it… BUT IT ISN’T REAL.


Let’s Break It Down

1. The email address it was sent from belongs to a common free service, usually Gmail, Hotmail or Yahoo: untraceable, and nothing you can enforce against. The Reply-To address may match the company’s own address, but anyone in email management will tell you that it is easy to spoof someone else’s address.

2. Since Steven made it public that he was going to be at an event, the hackers used that timeline to strike and sent a fake email to the bookkeeper at the company.

3. Bank account transfers are tough to reverse, and even if you found out where the money went, United States jurisdiction may not apply there.

This can easily result in millions of dollars lost over a period of time or a big one all at once.
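The three points above are exactly the signals a mail filter or a bookkeeper can check for before money moves. The script below is an added example, not code from the original post: it takes a raw email, compares the display name against a constructed list of staff who are named on the public website, and flags a free-webmail sender domain, a Reply-To that does not match the From domain, and payment or urgency language in the body. The staff names, the company domain example.com and the two sample messages are all constructed for this example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed directory of people whose names appear on the public website
# (hypothetical names; in practice this would be pulled from the site itself).
PUBLIC_STAFF = {"steven miller": "CFO", "sarah jones": "bookkeeper"}
COMPANY_DOMAIN = "example.com"  # placeholder for the real company domain
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
PAYMENT_WORDS = ("wire", "transfer", "bank account", "payment", "invoice")
URGENCY_WORDS = ("urgent", "asap", "right now", "immediately", "today")
MONEY_RE = re.compile(r"\$\s?\d[\d,]*(?:\.\d+)?")


def analyze(raw_message: str) -> dict:
    """Return a dict with a list of findings and a score (one point per finding)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A display name taken from the website, but sent from outside the company.
    name_key = from_name.strip().lower()
    if name_key in PUBLIC_STAFF and from_domain != COMPANY_DOMAIN:
        findings.append(
            f"display name matches {PUBLIC_STAFF[name_key]} '{from_name}' "
            f"but the sender domain is {from_domain}"
        )
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free webmail domain {from_domain}")

    # 2. Reply-To pointing somewhere other than the From domain (either direction).
    if reply_addr and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}"
        )

    # 3. Payment request, pressure to act now, and a concrete dollar amount.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    pay_hits = [w for w in PAYMENT_WORDS if w in text]
    if pay_hits:
        findings.append(f"payment language: {', '.join(pay_hits)}")
    urgent_hits = [w for w in URGENCY_WORDS if w in text]
    if urgent_hits:
        findings.append(f"urgency language: {', '.join(urgent_hits)}")
    if MONEY_RE.search(text):
        findings.append("message requests a specific dollar amount")

    return {"score": len(findings), "findings": findings}


# Constructed sample messages (not real mail).
SUSPICIOUS = """From: Steven Miller <steven.miller.cfo@gmail.com>
Reply-To: Steven Miller <s.miller@example.com>
To: sarah.jones@example.com
Subject: Quick favor

Hey Sarah, I am in NYC at the charity event we talked about and I need you
to wire $15,000 to this charity's bank account today. Thanks, Steven
"""

BENIGN = """From: Sarah Jones <sarah.jones@example.com>
To: steven.miller@example.com
Subject: Lunch

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = analyze(raw)
        print(f"{label}: score {result['score']}")
        for f in result["findings"]:
            print("  -", f)
```

A score of three or more is a reasonable trigger to hold the message for a phone call to the executive at a number you already have on file, which is the control that actually stops the transfer; the checks are deliberately cheap so they can run on every inbound message to the finance mailbox.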


Phishing Happens More Than You Think

Companies have been fooled by this type of scam A LOT! A prime example is our main wireless supplier, Ubiquiti. In 2014 the company lost NEARLY 50 MILLION dollars when a mid-level bookkeeper received an email asking them to transfer many small sums of money to a bank in China. By the time the error was discovered, it was MONTHS later and the thieves had made off with almost all the money.


All they had to do was read the website, build a dox and send an email.


So, for your company’s safety, DO NOT put your employees’ contact information on your webpage. List general department addresses like accounting@, service@, ceo@ or hr@ instead of individuals’ names. This will greatly reduce the amount of data hackers can harvest from your website and help protect your money from theft. Contact us for more best practices and for how to look out for phishing and other common cyber scams.