If a phone call meant the difference between losing hundreds of thousands of dollars in a cyber attack, or avoiding one altogether, would you make that call? Of course, you would. Yet cyber criminals continue to divert payments from their rightful destinations because businesses don’t have a policy in place to validate requests for changes in financial procedures.
It happens like this.
It Starts with a Phishing Email
Someone in your company inadvertently clicks on a phishing email that gives a bad guy access to your network. The bad guy sneaks around unnoticed, gathering information about who you pay and who pays you. They find out who’s in charge of accounts payable.
When the opportune time arrives, the accounts payable employee receives an email from a company executive asking them to change the routing information on a payment. While it may be a little unusual for this employee to get email from an exec, they comply because of the executive's position.
The payment information is changed, and payments are made. No one realizes that anything is amiss until they’re contacted by the real payee who wants to know why they’re not getting paid.
The response from accounting is, "But we have been paying you." That's when they discover that the money was going straight into cyber criminal hands.
This scenario is real and it plays out in different variations.
Variations on the Same Scenario
The email from the executive could be impersonated with a look-alike domain. Alternatively, the executive themselves could have fallen for a phishing scheme and given the bad guy direct access to their email.
Payments to your vendors could be diverted, or payments to you from your customers could be the target.
There’s one thing that has the power to stop the success of this kind of attack and that’s a phone call.
Pick Up the Phone and Verify That the Request is Legitimate
Thinking back to our story, what would have happened if the accounts payable employee called the executive to verify the change in banking information? The attempted cyber attack would be stopped in its tracks.
There are all kinds of reasons why an accounting employee might not want to call the executive. They may not have routine communications with the executive and feel awkward calling them. They might worry that the executive won’t take their call.
The executive might be unavailable or on vacation, and the urgency of the message from the bad guy might be too overwhelming for the employee to ignore.
Draft a Policy So Employees Know What to Do
While there are many variations to this cyber attack scenario, a policy that spells out exactly how employees should verify changes in financial or banking arrangements, person to person, would prevent this from happening.
How do you create this policy? Start by thinking of the different scenarios that could occur and the different people who would be involved. Then draft some if/then statements that you can use to build your policy.
For example, if accounts payable receives a request to change banking information then they should call the CFO.
If the CFO isn’t available then they should contact the CEO… and so on.
Teach All Employees About Secure Behavior
When you have your policy built out, train employees – including executives – on how to follow it. Alongside your internal training, make sure that all employees – including executives – are participating in ongoing cybersecurity awareness training so that they become better at recognizing phishing attacks when they see one.
And when they don't see the phish, teach them to pick up the phone.
Up Your Security Game
Here at XPERTECHS, we help clients create a security strategy that includes both technical and non-technical components. If you never talk about the non-technical side of cybersecurity with your managed IT services company, then there may be other gaps that you don’t know about too.
Get in touch to schedule a security consultation.