Scary Stories in IT Security

This week I had a speaking event where I talked about the basics of IT security in front of about 70 business owners and executives. I shared a bunch of real-life stories I've heard over my 10 years working in the managed services industry. I realized as I started to go through my presentation just how scary a lot of the stories I've accumulated must have been to my audience. Fear is a great motivator, however, so I'm hopeful that it made a lot of folks in my audience think hard about their current security.

One story in particular stuck out to me as worth sharing. A year or two back I was called by a new prospect who was unhappy with their current IT provider. I went to their office to sit down and discuss their situation, and that's when he told me this scary story.

He said that they had been hacked. More specifically, one of their employees had fallen victim to a phishing scam that allowed the bad guys to gain access to her email account. They sat there quietly monitoring her for some time, reading her emails and learning what she did. She had no idea she had been compromised.

This particular employee worked in accounts payable, sending invoices to their clients. The nature of her work was such that it wasn't uncommon for her to send invoices for large dollar amounts. The bad guys caught on to this fact. They created an invoice template that looked exactly like hers, then used it to send large invoices to a number of the company's clients, along with emailed instructions on how to access a new "payment portal": essentially, instructions for wiring large sums to the bad guys instead of to the business.

Six clients fell for the scam; it looked really credible. Fortunately, all six transactions were flagged by the clients' banks as suspicious. Five of the six called to verify the change in account details and stopped the wire. The sixth told the bank to push the $100,000 wire transfer through to the bad guys. The money was gone.

Lawyers got involved, and things got nasty. The employee had apparently let their IT guy know that she thought something might be up somewhere in this process. He told her that she might think about changing her password, and no further action was taken.

There are a lot of lessons to be learned here. Phishing scams are all the rage right now. Taking some time to educate your employees on what to look for so they don't take the bait is well worth doing. There are several different solutions that let you do this with regular training. Humans are often the weak link in network security.

Additionally, there is a lot more the IT provider could have done to protect their client in this case. A password reset would be a start, but a breach of this nature calls for more: revoking the account's active sessions so the attackers are actually locked out, checking the mailbox for forwarding and inbox rules they may have added to keep reading her email, reviewing sign-in logs to see where else they went, turning on multi-factor authentication, and warning the clients who had received invoices from her account. Hope is not a strategy, especially for IT security.

We’re here to help.  i.t.NOW has IT security solutions and experts to secure your network and ensure the integrity of your data.  Call us today for expert advice.  When you’re prepared and educated, things aren’t so scary anymore.