Why Security Should Be Your Top Priority in 2021
Election security and Russians hacking the US government nabbed the headlines in 2020, but 86% of this year’s security breaches were financially motivated. And the scammers are so convincing! The risk to you, your firm and your family is higher than ever. In fact, a whopping 28% of all breaches happened to small businesses. If you haven’t already reviewed your security practices and battened down the hatches, now is the time to do so. Security is a top priority.
There isn’t a week that goes by that we don’t hear about a successful business email compromise attack. In most cases, a firm’s client has been compromised. In some cases, the firm itself has been compromised. And sometimes business email scams attack the home front.
At Liscio, we recently saw a scam happen in December 2020 to one of our own families:
The Refund Scam
Alison’s mom received an invoice by email, saying “Congratulations! Your computer monitoring service has been renewed for 2 years and we have debited your account for $199”. She knew she hadn’t ordered this service, so she called the number on the email to cancel it immediately.
Little did she know this one simple phone call would kick off a sophisticated and convincing scam. She almost lost $30,000.
Here is how the “Refund Scam” plays out, step by step:
- Victim receives a bogus email invoice showing a paid receipt for “Computer Services” and calls the number to protest the charge.
- Scammer responds kindly “No problem – we just have to take the software off your computer”, and sends a link.
- Victim clicks the link, and TeamViewer software is installed on the victim’s computer. Software is “removed” (note: there is no software to remove – they just make it look that way).
Several Days Pass…
- The scammer calls the victim back and says he will issue the refund now. He just needs her to click a link and input her bank details.
- Victim clicks the links and inputs her bank details.
- (Scammer is watching this via TeamViewer – he has also been watching the victim for several days, and now has her log-ins to online banks, credit cards, etc. He now knows a LOT about the victim).
- Then the scammer asks the victim to input the amount of the refund into the form. He tells her the refund will be $300.
- She inputs 300.00 into the form, but it won’t take the decimal. It looks like she has input 30,000. She tries again, but it won’t take the decimal. So she just hits send.
10 – 15 minutes Pass…
- The Scammer calls in a panic and says “You made a mistake! You inputted $30,000 and now we have put that money in your bank account. I need you to send it back immediately or I will lose my job.” He is really convincing – almost crying.
- Victim logs in and sees an extra $30,000 in her checking account.
- Scammer gives the victim several options to return the money (get cash and FedEx it, send Google Play Gift Cards, buy Bitcoin, etc.).
- (Alison’s mom insisted on a wire transfer because that was the only way she would send money)
- Victim arranges the wire transfer to send the money back, because she feels so bad that he is going to lose his job due to her mistake, and she is 100% convinced she has this extra money.
- (In Alison’s mom’s case she did not lose the money in the end, because the wire transfer company would not send money to a Thai bank. But this was far too close for comfort – the scammer literally convinced her all the way through.)
Unlocking the Scam
Here is how it LOOKED (so convincingly) like she had the extra $30,000:
- While he was on the phone with her, he logged in to her actual bank account and transferred $30K from her savings to her checking.
- (remember he had her password because he had been watching her for several days on TeamViewer, and she had GIVEN him her bank details in step 5)
- He then logs out, but not before taking a screen capture of her bank account using several different views.
- Then, with her on the phone, he asks her to log in to her bank account and check that the money is there.
- While she is in her online bank account (i.e., with it on screen) her screen suddenly goes black for a second or two, then comes back up showing the $30K in her checking AND in her savings account.
- This is all smoke and mirrors – he has used TeamViewer and switched what she is seeing – he is showing her a screen capture of her bank account that has been edited to show the $30K in both her savings and checking account.
If she had called the bank at any time, they would have verified that no extra money was in her accounts – but that a transfer had been made from her savings to her checking.
Post-mortem cleanup and protection moving forward
Because the scammer literally now knows everything about Alison’s mom, it was important to clean her computer of any malware and remove TeamViewer, change all her passwords, and notify and place fraud alerts on all her bank, credit card, credit agency, and brokerage accounts. She now knows never to answer calls from unknown callers, and to use voice mail to screen calls instead.
Alison also signed her up for LifeLock, and moving forward, any suspect emails are to be dealt with by a younger family member. We don’t expect it to happen again, but it was altogether too close for comfort. If the scammer had been able to produce a non-Thai bank account, the wire transfer would have gone through and Alison’s mother would have been out $30K.
As professionals, mothers, fathers, sons and daughters, we need to help those around us to follow best practices and stay safe.
The good news is that most scams are preventable, with education and proper caution.
Here is a short list of do’s and don’ts to help protect yourself and your family from email, snail mail, or phone financial scams.
- Use extreme caution when an unexpected notice arrives – especially if it’s about a service you know you didn’t order.
- Call your bank or Visa company to verify or dispute a charge, before you call any phone number in an unexpected email or invoice.
- Ask your family for help if something doesn’t make sense.
- Remember that there is never any urgency when you are dealing with a Tech Company. They will just email you again. (Urgency is a sure sign of a scam).
- Never click on a link, or log in using a link, in ANY EMAIL – go to the vendor website instead and log in there.
- The scammers are VERY good at spoofing reputable vendors like Intuit, PayPal or your bank. For this reason, never click a link in an email.
- Never call the number in an unexpected email or invoice.
- Never allow a stranger to install software on your computer.
- Never send money to a person you don’t know. If someone asks, get a family member involved before you send money. Two heads are better than one!
Preventing Email Hacks
How many times have you seen an email from someone that said their account was hacked? Per Verizon’s 2020 Data Breach Investigations report: “Over 80% of breaches involve brute force password hacking or the use of lost or stolen credentials.” Let that sink in for a moment. Consider how much safer you and your business will be by following these basic Do’s and Don’ts:
- Always use multi-factor authentication
- Always use a password manager
- Always approach requests for private information with skepticism
- Never reuse passwords
- Never click on email links
- Never use your browser to store your login information
- Never authenticate to an unknown application
If you aren’t already using a password manager, go get one. LastPass, Keeper, Dashlane, and 1Password are all good choices. Browser-based password managers are vulnerable to credential dumping and should not be used. It’s also worth noting that a new wave of scams will spoof someone you might know and send a familiar file type (such as Excel or Word) and ask you to authenticate your Microsoft account (or similar) to open it. Never do this.
Always approach email with skepticism. When in doubt, never click a link or download a file. If you know the sender, call them to confirm its authenticity. If you don’t know the sender then don’t download the file unless you can be certain it is safe. If the email tells you that the item is urgent but that you shouldn’t call, then it’s probably worth immediately deleting it.
Everyone wants things to be easy. That goes for hackers too. They’re counting on our being lazy with our accounts so they don’t have to take on the herculean task of breaching modern cloud infrastructure like Amazon, Google, and Microsoft. So pass the word on. Be great online. Be skeptical about unexpected emails. And let’s keep one another safe.