Phishing schemes are nothing new, but here’s something that plagued our firm on the first Monday (January 7th), and it’s worth letting you know about it. It was a busy morning when all of our staff received the following e-mail:
“Hi First Name, Are you at the office? I am on a conference call & its not likely to end soon,Wondering if you could help me dash to the store quickly?”
Fortunately, just about every staff person ignored the email because they recognized it was “not my voice.” However, the next email went on to ask the individual(s):
“Okay First name,I am still on conference but will be rounding up soon & I need gift cards for a group of clients i will be meeting with this morning, Kindly confirm if you can help get 5 x ($100) =$500 of iTunes gift cards at any of these stores nearby (CVS,Walmart,Walgreen & Target) ? I need them emailed to me preferrably ahead of the meeting,So you can send them to me via email as soon as you get them. Have the PIN number at the back of each card revealed by carefully scratching off the film that needs to be scratched & clearly capture Pin Code on each card with your phone.You will keep the hard copies & invoice for accounts/reimbursement,I prefer the physical gift cards for reference & record purposes. Let me know if you understand this instructions clearly? Thank You”
Now there were clues which registered with our staff – first, if I needed someone to do something for me that involved spending firm dollars for the benefit of a third party, I would call that person.
Next, asking a staff person to take pictures of the gift cards and send the PIN codes is not something I would ever do, nor would any legitimate requestor be likely to do so.
If the clues were not enough, there are a number of actions the staff could and did take before following the fraudster’s request.
- Hover over the email sender purporting to be me. That will tell the staff person that the email really was not from me.
- The staff person could call me or text me to see if this was really a request. They would of course find out that it was not a legitimate request.
- The staff, if they thought about both emails, would likely question the syntax, tone and request itself. Some people might ask one to “dash” off to a store, or “kindly confirm,” or “clearly capture Pin Code,” but that doesn’t sound anything like the way I communicate.
- The staff person could look at the calendar and in this case there was no evidence that I was in a conference, conference call or meeting scheduled that would possibly prevent communicating with staff.
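The hover check and the wording check from the list above can also be run automatically over a saved message. The following is an added example, not part of the original post; the sender name, addresses and sample messages are constructed for illustration, and the lure phrases are taken from the two emails quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: display names the firm wants protected, with their real addresses.
KNOWN_SENDERS = {"pat owner": "pat.owner@examplefirm.test"}

# Phrases drawn from the two fraudulent emails quoted in this post.
LURE_PATTERNS = [r"gift cards?", r"are you at the office", r"pin (code|number)",
                 r"scratch", r"dash to the store"]

def check_message(raw):
    """Return the reasons this message should be confirmed by phone or text first."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []

    # The "hover" check: a familiar display name in front of an unfamiliar address.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{display}' but address is {addr}")

    # Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To differs from From: {reply_to.lower()}")

    # The "not my voice" check: wording typical of the gift card request.
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    body = " ".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                    for p in parts)
    hits = [p for p in LURE_PATTERNS if re.search(p, body, re.I)]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ("From: Pat Owner <pat.owner.ceo@mailbox.example>\n"
           "To: staff@examplefirm.test\nSubject: Quick favor\n\n"
           "Hi Sam, Are you at the office? I need gift cards for a group of "
           "clients. Send the PIN code by email.\n")
LEGIT = ("From: Pat Owner <pat.owner@examplefirm.test>\n"
         "To: staff@examplefirm.test\nSubject: Lunch\n\n"
         "Team lunch is at noon on Friday.\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_message(raw))
```

A message with any finding is a candidate for the call-or-text confirmation described above, not proof of fraud on its own.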
As business owners –
- We sent out an email encouraging staff to report all phishing schemes to the entire firm to avoid any one person being duped.
- We initiated a requirement that any email requesting funds must not be fulfilled prior to calling/texting the requesting party to confirm the request.
- We trained the firm on identifying phishing schemes and especially reminded staff that hovering over the email sender’s address is critical if anything seems
Why am I telling you about this? Because the scheme could have resulted in tens of thousands of dollars in losses to our company. We hope that you, your company and your assistant will avoid becoming victims. Encourage communication, share schemes, put procedures in place to prevent these schemes, and make your technology and IT consultants aware of any emails that make it through your spam filter.
Surprises may be great around birthdays but they are no way to start the New Year when they involve Phishing!