Phishing: STOP Posting Your Personnel’s Contact Information!

Please, please stop.

In marketing, it is great to give your business a personal face: a named contact, or a person to call when things go wrong. That is fine for sales, but publishing that name also paints a target, and that causes a tremendous security headache for I.T.

What are we talking about? A common scam known as phishing, and specifically the variant often called CEO fraud or business email compromise (BEC).

Phishing Targeting You and Your Staff

The way this scam works is that a hacker scans your website for contact information. They find a CFO, a CEO, a bookkeeper or someone else in authority in the company and dig up EVERYTHING they can about that person. They do what is known as a “full dox”: personal life, family, charities they support, travel plans, public appearances and so forth.

Laying the Trap

Some time later, a person who handles payments, and who is also profiled on the website, receives an email like this:

“From: [email protected]

To: [email protected]

Hey, Sarah, I am in NYC at the charity event we talked about and I need you to wire $15,000 to this charity’s bank account. Thanks, Steven.”

Pretty straightforward, huh? Steven is away at a charity event, and he sent Sarah a request for a donation to the charity he is visiting, one everyone was expecting…. BUT IT ISN’T REAL.

Let’s Break It Down

  1. The email was sent from an account at a common free service, usually Gmail, Hotmail or Yahoo: effectively untraceable and unenforceable. The From or Reply-To address may even appear to match the company’s domain, but anyone who manages email will tell you that a sender address is easy to spoof.
  2. Because Steven made it public that he would be at the event, the hackers used that timeline to strike, sending the fake email to the bookkeeper while Steven was actually away and hard to reach for confirmation.
  3. Bank wire transfers are tough to reverse, and even if you trace the destination account, United States jurisdiction may not apply where the money landed.

This can easily result in millions of dollars lost, either drained over a period of time or taken in one big hit.
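The three points above translate directly into header and body checks that a mail gateway or a quick script can run before a payment request ever reaches the bookkeeper. The following is an added example, not code from the original post: it screens a raw message for a public staff name on a free-mail sender, a Reply-To that points away from the From domain, a failed SPF/DKIM verdict in the Authentication-Results header stamped by your own mail server, and money-moving language in the body. The corporate domain example.com, the staff list and the three sample messages are all constructed for the demo; the display-name check matters because a real Gmail account passes SPF and DKIM perfectly well.

```python
"""Heuristic screen for executive-impersonation (BEC) emails.

Added example, not the original post's code. The corporate domain, the
staff directory (names lifted from a "meet our team" page) and the sample
messages below are all constructed for the demo.
"""
import email
import re
from email import policy
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed corporate domain
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com", "outlook.com"}
PUBLIC_STAFF = {"steven", "sarah"}                # first names shown on the website
WIRE_WORDS = re.compile(
    r"\b(wire|transfer|bank account|gift cards?|urgent|asap)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen(raw: bytes) -> dict[str, str]:
    """Return {flag: detail} for one RFC 5322 message; empty dict means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    flags: dict[str, str] = {}

    # 1. A name from the public website, but not sent from the company domain.
    first = from_name.split()[0].lower() if from_name else ""
    if first in PUBLIC_STAFF and from_dom != CORP_DOMAIN:
        flags["name-mismatch"] = f"'{from_name}' is on the website, sender is {from_addr}"

    # 2. Free-mail account anywhere in the sender/reply path.
    if from_dom in FREEMAIL or reply_dom in FREEMAIL:
        flags["freemail"] = f"{from_addr} / {reply_addr or '-'}"

    # 3. Replies silently redirected to a different domain.
    if reply_addr and reply_dom != from_dom:
        flags["replyto-mismatch"] = f"replies go to {reply_addr}, not {from_dom}"

    # 4. Our own MX verified SPF/DKIM/DMARC and recorded a failure
    #    (a spoofed From: example.com address fails here; a real Gmail passes).
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth, re.I):
        flags["auth-fail"] = auth.strip()

    # 5. The message asks to move money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    hit = WIRE_WORDS.search(text)
    if hit:
        flags["payment-request"] = hit.group(0)
    return flags


def is_suspicious(flags: dict[str, str]) -> bool:
    """Hold for human review on any hard signal, or two soft ones."""
    return "auth-fail" in flags or "name-mismatch" in flags or len(flags) >= 2


# Constructed sample 1: spoofed corporate From, attacker-controlled Reply-To.
SPOOFED = b"""From: Steven <steven@example.com>
Reply-To: Steven <steven.exec.travel@gmail.com>
To: sarah@example.com
Subject: Charity wire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=gmail.com; dkim=none
Content-Type: text/plain; charset=utf-8

Hey, Sarah, I am in NYC at the charity event we talked about and I need you
to wire $15,000 to this charity's bank account. Thanks, Steven.
"""

# Constructed sample 2: genuine Gmail account, so SPF/DKIM pass; only the
# display name is borrowed from the website.
LOOKALIKE = b"""From: Steven <steven.ceo.travel@gmail.com>
To: sarah@example.com
Subject: Charity wire
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Content-Type: text/plain; charset=utf-8

Hey, Sarah, I need you to wire $15,000 to this charity's bank account today.
"""

# Constructed sample 3: ordinary internal mail.
LEGIT = b"""From: Steven <steven@example.com>
To: sarah@example.com
Subject: Budget review
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain; charset=utf-8

Sarah, can we move the budget review to 2pm? Thanks, Steven.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        f = screen(raw)
        print(f"{label:9s} suspicious={is_suspicious(f)} flags={sorted(f)}")
```

The important design point is that the checks are layered: SPF and DKIM catch the spoofed corporate address in sample 1 but say nothing about sample 2, where the attacker simply registered a Gmail account and typed the CEO's name into the display name. Only the comparison against the names you yourself published on the website flags that one, which is exactly why publishing fewer names helps.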

Phishing Happens More Than You Think

Companies have been fooled by this type of scam A LOT! A prime example is our main wireless supplier, Ubiquiti. In 2015 the company lost NEARLY 47 MILLION dollars when finance staff received emails impersonating executives that instructed them to make a series of transfers to overseas accounts controlled by the thieves. By the time the fraud was discovered, the money was gone, and the company recovered only about $8 million of it.

All the attackers had to do was read the website, build a dox and send an email.

So for your company’s safety, DO NOT put your employees’ individual contact information on your web page. Use general department addresses like [email protected], [email protected], [email protected] or [email protected] instead of individuals’ names. This will greatly reduce the amount of data hackers can harvest from your website and help protect your money from theft. Pair it with one simple rule: any request to move money that arrives by email is confirmed by a phone call to a number you already have on file, never to a number in the email itself. Contact us for more best practices and how to look out for phishing and other common cyber scams.

Security Risk: Why We Don’t Show Client Testimonials

No testimonials please.

If you have been around this website for any period of time, you’ll notice there are no testimonials. Why?

Testimonials are a source of pride for many, but they are also a source of reconnaissance for hackers and make targets of the clients they name. You might be surprised to find out how much information a hacker can learn about a company from its testimonials.

Hackers Can Use Testimonials to Find Weaknesses

Every business does things slightly differently from others in the same field, and IT services are no different. By analyzing what a client says we do for them and how we do it, an attacker can work out how that client’s network is built, identify its weaknesses and use them to get into the infrastructure.

So we don’t post testimonials on our web page or on our Facebook page. We consider it a medium risk when it comes to data security and compliance.

Once a hacker knows how the infrastructure is established and how the systems are set up, that information can be used to penetrate and destroy the network.

Security Over Celebrity

In one of our previous blog posts, we wrote about how a data breach at Continuum, an RMM service, caused havoc throughout the MSP world by giving the attackers unfettered access to the resources of all of the MSPs using it.

That was bad, and it continues to be bad for the affected clients.

You’ll never see a solicited testimonial on our public pages. Think of us as the strong, silent type. Want to learn more? Contact us.