This Happened: $50k Stolen After 1 Employee Swallowed a Phishing Scam’s Baited Hook, But It Doesn’t Have to Happen to You

Knowing how to spot a phishing scam a mile away and not be suckered by it is vital not just for you but for everyone with an email account in your firm (pretty much everyone).

Don’t believe me? Then let me tell you a true story about how $50,000 was stolen from a former client of our vCIO due to just one untrained employee being reeled in by a professional phisher’s baited email hook.

This happened before our vCIO joined our team. At the time, he was doing IT work for a Managed Service Provider, one of whose clients—we’ll call it XYZ Corp.—was a road construction heavy equipment dealer. XYZ wasn’t a law firm, but it was exactly like one in that the internet and email communications were at the heart of its operations.

One day, an XYZ sales rep received an email in his company-supplied inbox. The sender purportedly was Microsoft. The subject line indicated the email required immediate attention and action—it was a notification to the recipient that his Microsoft access credentials needed to be reset to continue using Word, Outlook, and other programs.

So the sales rep opened the email. At the bottom, it helpfully supplied a live link to a “Microsoft” page where he could perform the reset.

Mind you, the rep had no reason to suspect anything was amiss here (he would have had reason had he been trained to recognize a phishing email, but I’ll talk about that in a bit). It seemed legitimate, especially since the email bore the Microsoft logo and was awash in Microsoft’s brand colors.

Accordingly, he clicked the link and was whisked to what he thought was an actual Microsoft account page (do I need to add a spoiler alert here, or do you already get that this page he landed at was bogus and a trap?). My point is the page looked very convincingly like it was part of an official Microsoft portal.

The rep proceeded to enter his current username and password to begin the process of resetting his credentials. At that instant, the person or persons who created the fake Microsoft page had captured the rep’s login details.

The “reset” step the rep performed changed nothing, but the page congratulated him for successfully updating his access info. He gave the matter no further thought and carried on with his work.

Over the next six months, the phisher—now able to freely log into the rep’s email account—regularly monitored every correspondence the rep sent out and every correspondence he received.

Phishers are also commonly called hackers; I mention that so you’ll know I’m talking about the same cybercriminal when I use that alternative moniker going forward. At any rate, in addition to monitoring the rep’s email activity, the phisher also created inbox rules that caused the email system to automatically redirect any incoming email containing the words “invoice,” “receipt,” “payment,” or the like into a secret second mailbox that the rep had no clue even existed.
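As an added defender’s example (not part of the original post), here is a small Python audit that flags mailbox rules of the kind just described: rules keyed on invoice/receipt/payment words that move, forward, redirect, or delete mail out of the owner’s view. The sample records are constructed, and the field names are an assumption modeled on Exchange’s Get-InboxRule output exported to JSON.

```python
"""Flag inbox rules that quietly divert payment-related mail (added example).
Sample records are constructed; field names are assumed to follow Exchange's
Get-InboxRule output exported to JSON."""

# Keywords the incident's attacker keyed on, plus common variants.
FINANCE_WORDS = {"invoice", "receipt", "payment", "wire", "remittance"}
# Rule actions that hide or divert mail from the mailbox owner.
DIVERT_ACTIONS = ("MoveToFolder", "ForwardTo", "RedirectTo", "DeleteMessage")

def rule_keywords(rule):
    """Collect every keyword condition a rule tests, lower-cased."""
    words = []
    for key in ("SubjectContainsWords", "BodyContainsWords",
                "SubjectOrBodyContainsWords"):
        words.extend(w.lower() for w in rule.get(key) or [])
    return words

def is_suspicious(rule):
    """True when an enabled rule keys on finance words AND diverts mail."""
    if not rule.get("Enabled", True):
        return False
    keyed = any(f in w for w in rule_keywords(rule) for f in FINANCE_WORDS)
    diverts = any(rule.get(a) for a in DIVERT_ACTIONS)
    return keyed and diverts

def audit(rules):
    """Return (mailbox, rule name, action) for every suspicious rule."""
    findings = []
    for r in rules:
        if is_suspicious(r):
            action = next(a for a in DIVERT_ACTIONS if r.get(a))
            findings.append((r["Mailbox"], r["Name"], f"{action}={r[action]}"))
    return findings

# Constructed sample: a benign rule, one matching the XYZ pattern, one disabled.
SAMPLE_RULES = [
    {"Mailbox": "rep@xyz.example", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["Newsletter"], "MoveToFolder": "Reading"},
    {"Mailbox": "rep@xyz.example", "Name": ".", "Enabled": True,
     "SubjectOrBodyContainsWords": ["invoice", "receipt", "payment"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Mailbox": "cfo@xyz.example", "Name": "Old", "Enabled": False,
     "SubjectContainsWords": ["invoice"], "ForwardTo": "ext@mail.example"},
]

if __name__ == "__main__":
    for mailbox, name, why in audit(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} -> {why}")
```

A one-character rule name (here ".") and a move into a rarely opened folder are the same tells seen in the XYZ case, so a periodic run of this across all mailboxes is a cheap early warning.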

Here’s how this played out. The rep sold $50,000 worth of equipment to one of his clients (we’ll call that customer ABC Inc.). The terms of the transaction were delivery first and payment after. Well, delivery occurred, but no payment was forthcoming—or so the rep thought.

That prompted the rep to reach out to ABC and give them a friendly reminder that their duty to pay had arisen. ABC appeared to ignore the email from the XYZ rep. In reality, ABC did respond promptly with an email saying they had sent payment in full to XYZ as soon as the equipment arrived.

However, XYZ never received the money. Why? Because the hacker had earlier sent ABC an email purportedly from XYZ directing ABC to wire the money to a particular bank account (the account in question did not belong to XYZ but to the hacker).

ABC complied with what it innocently believed was an instruction from XYZ, and just like that, XYZ was out $50,000. All because a phishing scam suckered one lone employee.

As a lawyer, you, of course, instantly recognize the interesting legal questions to which this situation gives rise. However, litigation and counter-litigation never ensued, thanks to XYZ’s insurance company covering the loss.

Imagine the mess that XYZ would have faced had its insurer balked. XYZ would have suffered financial pain and reputational damage—who would want to do business with a business so easily taken in by hackers and fraudsters?

That’s a question your clients are likely to ask if you should ever be so unfortunate as to fall prey to a phishing scam.

Don’t imagine it can’t happen to you. In fact, it happens to lawyers with alarming regularity. If statistics mean anything, it’s only a matter of time before your number comes up unless you train yourself and your employees on an ongoing basis to recognize phishing attempts and augment that training with an automated phishing defense system to stop phishing emails from ever reaching your inboxes.

BobaGuard is a proven, comprehensive eight-layer security solution that includes an automated phishing defense system as well as phishing-detection training (and those are only two of the included cybersecurity layers). BobaGuard could be just the thing that saves you from what happened to my vCIO’s former client.

It’s worth remembering, too, that 90 percent of data breaches—events in which the client-sensitive information you’re obligated to safeguard is unlawfully accessed and stolen—start with a phishing email swallowed hook, line, and sinker.

For more information about BobaGuard, please go here.
