Watch Out for Vendor Social Engineering Scams Near the Holidays
Is Your Business Prepared for a Cyber Attack this Holiday Season?
The stats on cybersecurity are grim – we continue to see an increase in attacks each year, and many businesses are underprepared without a cybersecurity plan or insurance to cover the financial impact of a breach.
Nearly 850,000 cyber crimes were reported to the FBI last year, surpassing $6.9 billion in losses. Business email compromise schemes had the largest dollar losses for the fourth year in a row, with more than $2.4 billion.
ThoughtLab reported that cyber attacks and data breaches increased by 15.1% from the previous year.
An UpCity study showed that only 50% of small businesses have a cybersecurity plan, and only 32% of those companies have updated their plans since the pandemic.
One common attack method cybercriminals use is social engineering – deceiving or manipulating someone into divulging confidential or personal information that may be used for fraudulent purposes. Social engineering fraudsters use a variety of means to carry out their attacks, including phishing attacks and business email compromise schemes.
Educating and training employees to spot and report phishing emails is a necessary step in protecting your business. Fraudsters are casting a wide net. Small companies and nonprofits are often targeted because they may not have the best security or most up-to-date systems, and their controls may not be as tight. But every type of company that uses computers is vulnerable to these attacks.
Vendor Social Engineering Scams During the Holidays
Social engineering tactics are getting more sophisticated. A big trend we are seeing is cybercriminals posing as vendors and striking just before holiday weekends when employees may be less on guard.
Here’s how it works: Cybercriminals will use a phishing email with a malicious link that allows them to hack into your computer system. They will send out a wide range of these emails and see who they can get to click the link. Once they have access to your computer, they will read your emails and learn your habits.
It’s very predatory. They have access to your calendar and emails. They know nicknames, pet names, and kids’ names. They know schedules and who is going on vacation. These cybercriminals have studied your previous emails and mirror speech patterns.
Then, they will reach out, posing as a vendor you work with. Because they’ve been reading your emails, they know personal details and will include them in the email. They can even duplicate previous emails, so it looks similar to the communications you’ve been having with the real vendor.
It will have the hallmarks of a classic phishing email – coming from an email address you don’t recognize that may closely resemble the vendor's email address but with a small misspelling. They’ll reach out right at the end of the week when not everyone is as vigilant.
Using personal details, they’ll pose as the vendor, saying their account information has changed and ask if you can send payment to the new account. Just before holidays is a heightened vulnerability for companies because employees may be rushing to finish up assignments and not reading emails as carefully.
It’s a very basic attack, but it can have a devastating financial impact. Billions of dollars are lost this way each year, and the numbers continue to increase.
Sometimes these fake vendors ask for a small amount, around $1,000, and gradually increase the payment request. Employees may finally get suspicious at a large amount requested. By the time the employee realizes the mistake, it’s too late.
What can businesses and individuals do? First and foremost, businesses want to stop cybercriminals from getting into their systems in the first place. Second, the focus should be on preventing any fraudulent transfers.
These tips can help accomplish both:
Be hyper-vigilant around the holidays and the end of the week, and be wary of requests to act quickly
Don’t click on links in unsolicited emails or text messages
Be careful what you download
Use two-factor or multi-factor authentication
Verify payment details in person or over the phone
Verify any account changes in person or over the phone
Pay attention to any misspellings in email addresses or URLs
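The two red flags described above (a sender address that nearly matches a real vendor's domain, and a request to send payment to a new account) can be checked automatically before anyone changes a vendor's bank details. The script below is an added example, not code from the original article; the vendor domains, the sample emails and the similarity threshold are constructed assumptions, and a flagged message should still be verified with the vendor by phone.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: domains of vendors you actually pay (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-logistics.com"}

# Phrases typical of a payment-redirect request ("our bank account has changed").
REDIRECT_PATTERNS = [
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire|routing)\b",
    r"\b(bank|account|wire|routing)\b.{0,40}\b(new|updated|changed)\b",
]


def sender_domain(from_header):
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def closest_known_domain(domain):
    """Return (known_domain, similarity 0..1) for the most similar allowlisted domain."""
    best = max(KNOWN_VENDOR_DOMAINS,
               key=lambda d: SequenceMatcher(None, domain, d).ratio())
    return best, SequenceMatcher(None, domain, best).ratio()


def assess_email(from_header, body, lookalike_threshold=0.85):
    """Return a list of reasons the email looks like a vendor-impersonation scam.

    An empty list means neither red flag was found. The threshold (assumption)
    catches one-character swaps like 'supp1ies' for 'supplies' while leaving
    unrelated domains alone.
    """
    reasons = []
    domain = sender_domain(from_header)
    known, score = closest_known_domain(domain)
    if domain not in KNOWN_VENDOR_DOMAINS and score >= lookalike_threshold:
        reasons.append(f"sender domain {domain!r} resembles known vendor {known!r}")
    if any(re.search(p, body.lower()) for p in REDIRECT_PATTERNS):
        reasons.append("body requests a change of payment/bank details")
    return reasons


if __name__ == "__main__":
    # Constructed sample: lookalike domain plus a new-account request.
    print(assess_email("Accounts <accounts@acme-supp1ies.com>",
                       "Our bank account has changed, please send payment to the new account."))
```

A message with no reasons still deserves the phone call recommended above if it changes where money goes; the script only helps catch the obvious cases before an employee in a hurry misses them.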
It’s also a good idea to have cyber insurance in place. Businesses should assume that being a victim of a cyber attack is a matter of when, not if. Cyber insurance can help businesses protect themselves from the financial impact of a cyber event. Some insurance companies also offer free employee training and consultations to identify vulnerabilities.
Dan Zeiler
dan@zeiler.com
877-597-5900x134