It is national consumer fraud week from 17-23 June so iTWire would like to help business based readers ‘Outsmart the Scammers’.
Scam 1 – getting malware or ransom ware on your system.
With the plethora of invoices being received pre-June 30 it is all too easy for a junior staffer charged with monitoring the companies general email address like info@ or accounts@ or sales@... to open a file called invoice.zip or overdue account.zip with messages like ‘Sorry this is late but can you pay pre-June 30 please’. These invoices usually are professional looking and come from a spoofed email addresses very similar to major airlines, department stores, office stationery stores and more.
In my interview with Robbie Upton, SMB sales manager for McAfee last week he said one particularly disturbing thing (among many) and that was spear phishing (highly targeted fake email) is now being done by people watching their targets and identifying possible drivers that will lead to the opening and execution of malware. These local watchers are paid by organised crime to discover vulnerabilities.
Even if these invoices are not malware they can still be fraudulent claims. If the watchers can identify key names in an organisation they can say ‘Fred approved this for payment’ or ‘Fred ordered these goods and services”. Often a multipronged attack is used where the watcher also phones up to see where payment is and asks the junior to check if they got the email ten berates them for not opneing it up passing it on to accounts. They can also simply ask for credit card confirmation (especially if they have the first and last four numbers found on some dockets) and you are done.
|
|
Prevention 1
Don’t blame the junior when ransom ware locks your system when it was let in via the innocent opening of a file. Fix the problem with better security.
Do educate the junior that under no circumstances may they ever answer yes to a pop up that says things like “You need to install this browser add-on or program to view this file”. Malware invariably needs to be user approved.
Do lock down your workstations to prevent any installations – no one but the system administrator (don’t have one – why not?) should be able to install programs.
Do delete all unnecessary programs from all workstations and the server including bandwidth hogs like internet music players, social media viewers etc.
Run a deep scan using updated AV software using the highest level scan settings.
Make sure that all necessary programs are the latest version i.e. Skype version 6.3.X for Windows is inherently safer, Flash must be updated, install all security patches and Windows or OSX updates etc.
Scam 2 – Directories and advertising (false billing).
These were the prevalent scam – official looking invoices highly targeted and often from organisations that sound like the real deal. For example you may get an invoice or call from the ‘Western District Police Services Group’ (just using that as a fictitious example) which has nothing to do with the Police. These ‘blowers’ are often intimidating and have the persistence to get to someone who can make a decision – once they get a name the invoice is pursued with vigour and some SMB’s pay up.
But the scam has extended to internet directories as well and convincingly realistic web sites with your details appearing on them are often used to ram through payment.
Prevention 2
Implement a fool proof system of ‘no order number, no payment’ because that is the only way to add a layer of governance over purchasing. But hark back to McAfee’s Robbie Upcroft’s assertion that nearly 50% of “attacks” come from within – everyone has their price and you could find this is a cooperative backdoor costing the company funds. A recent case involved an employee authorising fake office supplies purchases in qualities just small enough to go under the radar.
Scam 3 – Premium rate phone and fax calls
Competitions and enticements to fax back to win prizes from again seemingly legitimate suppliers but the fax or phone number is a premium one that can rack up hundreds of dollars in call costs. These so called 190 scams cost around $6 per minute and typically chew up $20-30 a time.
This scam is being extended to premium SMS and mobile numbers as well. ‘’Call now on XXXXX and receive your complimentary subscription to Business Weekly (fictitious name used).
Never SMS back or fax back even just in an attempt to remove your number.
Prevention 3
Don’t berate the junior staffer but educate them that it is not a nice world and keep their eyes open.
Scam and Prevention 4 – ‘I just need a little more information’
Important details like company address, email address, phone, fax, ABN and senior staff are all too easily found on most web sites. My strongest advice is to remove most of that information and set up special contact details to protect the company.
‘Robots’ harvest email addresses. A simple person AT company.com.au instead of person@company.com.au can foil the robot gatherer. Consider using a false and unique name on each web site or email out campaign like ‘AU1web’ or ‘AU1email’ as well so you can identify where the email address came from. I have used this system for years and I know precisely if the email is legitimate or not.
Some CV’s of senior staff are so comprehensive that scammers could almost steal their identity. Cut back to basic, harmless and anonymous details and definitely cut out things like where they went to school, methods of deducing approximate age and remove any personal contact details.
Do brief all staff about giving out too much information to callers or via email requests. If you can’t identify who the person is and their legitimate interest in the company then don’t provide information.
A better response is to ask them to give you their phone number, email and contact details you will get someone to call back. 99 times out of 100 the details will be false. Remember there are ‘watchers’ out there paid to build profiles for identity theft. These people will go through your garbage, find credit card vouchers and build a picture that exposes weaknesses.
At a minimum put a crosscut shredder (not the cheap $20 ones) under everyone’s desk for disposal of all important information. Shred receipts and documents with signatures and anything that could be used to build an identity. In particular bill copies with the companies address on it are gold to scammers. Make it a habit.
Out of Office notices are also an issue. If these are turned on spammers will get response proving that the email is ‘live’. The only cure is to stop email before the ‘Out of Office’ kicks in.
Some of the more common business scams
Given that there are watchers out there now it is not unusual to receive contact about a business opportunity. It could be about introducing a potential client or about buying a competitor or about being a potential target for takeover from a larger competitor.
Believe me that I have experienced all these perpetrated by highly astute scammers. The foreign investment take over scam is now more prevalent than ever “My client is interested in acquiring your business” and that leads to information exchanges that could lead to identity or corporate theft or loss of trade secrets.
Internet/email scams
The internet has made it all too easy for competitors to put out false and somewhat anonymous requests for proposals – information is the new gold. If you can’t ascertain the bona fides and try to meet the ‘client’ face to face never respond to an unsolicited email request. More requests are coming from apparently legitimate RFP engines – just remember that there is little credential checking by these sites prevent up a fake RPF.
‘Fred Smith has sent you an invitation to connect on LinkedIn [or Facebook]’ will invariably launch malware as you are whisked off to a clever look alike LinkedIn page where you have to click an accept button and it installs malware.
Domain name renewals are a top scam. An invoice is sent for the renewal of your domain – only problem is that the company sending it does not exist and does not have your domain under its management or alternatively it enables them to move from your domain registry to theirs or sell the name etc.
Another recent scam is the contact from a web registry company (usually in Asia) claiming someone is trying to register a web name very close to yours and for payment of a fee they will not accept the name. This too is very convincing – I have been at the end of several of these calls.
Another is the request for goods and services to be exported to a nearby country. “We can’t get [insert goods or service here] in [insert country here] and would you please be so kind as to prepare a quote on the following. Payment is invariably made by credit card which is reversed some 60 to 90 days later.
The offer of positions with competitors and like industries touting believable but higher salaries and asking for your CV – usually requesting a processing fee to handle the introduction. You got to love this work from home scam industry and a few of my acquaintances have been stung. Inevitably identity theft follows.
The offer of season specific gifts, accommodation or experiences is increasing. A recent offer for a Valentine’s day package left hundreds of people turning up at hotels expecting a room, dinner and champagne (amongst other things) at a reduced price. The web site was a fake and all monies paid went to scammers (the banks had to cover it). It just shows that the group buying appeal is powerful and I have seen enough ‘last minute’ of ‘’overstocked’ offers to know that all that glitters is not gold.
I could go on and on but the moral of the article is that the web is an enabler for scammers as well as legitimate uses. Right now someone is watching your company looking for opportunities.
Prevention is the best cure. But if you are a victim or see a scan make sure you report it to the Office of Fair Trading in your state as they will help get the word out. A great list of these and relevant government agencies is here.
