Recently, a business owner contacted us because they were the victim of a social engineering fraud. To protect this client, we will call them “Client A”. Simply put, social engineering is the act of gathering publicly available information and crafting an email that targets specific individuals within an organization in order to steal information or money, or to gain access to privately held assets.
Understandably, the victim is usually incredibly angry. Oddly enough, the anger is usually directed at the IT person: the assumption is that the system was not secure and that the “bad actor” gained access to it.
Most of the time it is not that complicated. In today’s business environment you are pressured to update your digital presence in real time while trying to make a personal connection with your audience.
Organizations hire a team of experts to build a professional digital marketing presence, but forget to involve a security professional to make sure that what gets published does not expose the organization.
Going back to “Client A”, we were able to conclude rather quickly how they had been scammed. In our initial discussion they revealed that they had recently launched a new website and social media campaign. We asked to see the website and social media pages, and it was immediately clear what had happened.
The new website contained too much specific information about the company. Under the “About Us” tab, each staff member had a full biography that listed the named clients they were responsible for. The CEO, for instance, was listed with his core clients, his email address and his phone extension.
The CFO was listed with just as much information, including the clients he is responsible for. This made it far too easy for someone to devise an email that “sounded” legitimate.
So the “bad actor” sent a personalized email to both the CFO and the CEO at the addresses listed on the website. Once the “bad actor” received an “Out of Office” auto-reply from the CEO it was “game on”: they now knew the CEO was on vacation.
The email below is from the “CEO” (not really) to the CFO (really), sent as an urgent email. All names have been changed to protect those involved.
Hi Kevin (this is the real CFO)
I am on vacation, and I received an email from “XYZ Client” (listed on the website), we need to send them $45,302.16 for the credit I issued them back in January. (A post on LinkedIn revealed a large project that was performed for the client in December.) Please send the funds via ACH# XXXXXXX, (the ACH account went to a bank in Cincinnati, which was then sent to an overseas account; Client XYZ is based in Cincinnati) and please do it ASAP.
I am on vacation! I won’t be back until next week. Please do this ASAP, if you can’t do it, please have Andrea do it (Director of Finance, listed on the website).
This does not look good on our part. They are not happy. I don’t need to tell you how important this account is.
John (fake CEO)
This email is a clear example of social engineering. All the information needed was on the website: the executive staff, their roles, client names and email addresses, enough to send a reconnaissance email as a test.
The “bad actors” waited for the CEO’s out-of-office reply and then sent an urgent email to the right staff member. The email conveyed a sense of urgency and placed the CFO in the uncomfortable position of appearing to be the cause of losing a client.
When we asked the CFO whether a credit had been issued in January, he said, “No there was not… I wasn’t sure… I didn’t want to admit I may have forgotten to issue a credit.”
The email combined readily available public information, a sense of urgency, shame, fear, an ACH account located in the same city as the client, and just enough doubt to sound legitimate.
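The indicators listed above (urgency, a payment request with account details supplied inline, an executive who claims to be unreachable, pressure language, delegation to a named colleague, and a sender address that does not belong to the named executive) can be scored automatically before a finance employee acts on a message. The following is an added example written for this post, not the client’s or any vendor’s code; the regex patterns, the weights, the threshold, the `DIRECTORY` of real executive addresses, and both sample emails are constructed assumptions. A hit above the threshold is meant to hold the payment until it is verified by phone using a number already on file, never a number in the email itself.

```python
import re
from dataclasses import dataclass, field

# Indicator categories taken from the case above. Patterns and weights are
# assumptions made for this example, not a published scoring scheme.
INDICATORS = [
    ("urgency",          r"\b(asap|urgent|immediately|right away|today)\b", 2),
    ("payment_request",  r"\b(ach|wire|transfer|send (?:them |the )?funds|pay)\b", 2),
    # payment details supplied inline (ACH/account/routing number) rather than on file
    ("new_account",      r"\b(ach|account|routing)\s*#?\s*[\dx]{5,}", 3),
    ("exec_unavailable", r"\b(on vacation|out of (?:the )?office|travell?ing|can'?t (?:talk|call))\b", 2),
    ("pressure",         r"\b(not happy|does not look good|don'?t need to tell you|how important)\b", 1),
    ("delegation",       r"\bif you can'?t do it,? (?:please )?have \w+ do it\b", 1),
]
THRESHOLD = 6  # assumption: several independent signals before a payment is held


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

    @property
    def hold_for_verification(self) -> bool:
        return self.score >= THRESHOLD


def score_email(body: str, from_addr: str, display_name: str, directory: dict) -> Verdict:
    """Score one finance-facing email for BEC indicators.

    `directory` maps an executive's display name to the real company address,
    so a message using that name from any other address adds a spoof signal.
    """
    text = body.lower()
    verdict = Verdict()
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text):
            verdict.hits.append(name)
            verdict.score += weight
    expected = directory.get(display_name)
    if expected is not None and from_addr.lower() != expected.lower():
        verdict.hits.append("sender_mismatch")
        verdict.score += 3
    return verdict


# Constructed sample data: a paraphrase of the fraudulent email above and a benign
# note from the same executive. Addresses and the ACH placeholder are made up.
DIRECTORY = {"John": "john@example-company.com"}

FRAUD_EMAIL = """Hi Kevin,
I am on vacation, and I received an email from XYZ Client; we need to send them
$45,302.16 for the credit I issued them back in January. Please send the funds
via ACH# XXXXXXX and please do it ASAP. I am on vacation! I won't be back until
next week. Please do this ASAP, if you can't do it, please have Andrea do it.
This does not look good on our part. They are not happy. I don't need to tell
you how important this account is.
John"""

BENIGN_EMAIL = """Hi Kevin,
Attached is the January close summary for review. Can we discuss the forecast
at Thursday's meeting?
Thanks, John"""


if __name__ == "__main__":
    for label, body, sender in [
        ("fraud", FRAUD_EMAIL, "john.ceo@freemail.example"),
        ("benign", BENIGN_EMAIL, "john@example-company.com"),
    ]:
        v = score_email(body, sender, "John", DIRECTORY)
        print(f"{label}: score={v.score} hold={v.hold_for_verification} hits={v.hits}")
```

Run as-is, the fraudulent message trips every category plus the sender mismatch and is held, while the benign note scores zero. The point of the weighting is that no single signal (an executive on vacation, an urgent tone) should hold a payment by itself; it is the combination the case above describes that should.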
Some simple steps to secure your digital presence:
- Only name the generic industries you work in
- Only describe the types of clients you serve
- Never publish specific staff responsibilities
- Use a generic email address (“info@”) or a contact form
- Use CAPTCHA technology on contact forms
- Keep company information private when presenting to the public
Digital marketing must keep a delicate balance between speaking to your audience and protecting your organization. Always use generic terms when talking about a client.
It is perfectly acceptable to say, “We have experience in the legal profession with many clients in the Metro Area.” You should never publish a client list or client names on your website.
Also, make sure the short biography on your website is not a comprehensive résumé. That will inevitably give “bad actors” exactly the information they need to do harm.
In the end, we worked with this client and found that the bank did not have certain security verifications in place for large ACH transfers. Although the scammers made off with over forty-five thousand dollars, the bank refunded the money to the client because of the missing verification procedures.