Nex-Tech Blog | Technology Tips and Tricks | Industry News

DON'T Do What You're Told (Until you know the request is real)

Posted by Shannon Rothchild on Sep 30, 2020 3:50:57 PM

If you are like me, one of the first things you do each day is check your e-mail. Picture this: it is Tuesday morning and you have just poured your favorite drink and sat down at your desk. You open Outlook to see what fun things email has in store for you today.

As usual, there are a few unnecessary, obvious spam messages that need to be deleted, there are the usual daily work emails that need to be filed in the “read later” folder, and there is one from the annoying colleague you would rather ignore than reply to. Then you see one from Korah, the company CEO, instructing you, the accounts payable clerk, to direct payment to Earth Movers and Shakers for moving soil to fill a huge crack in the ground at the Cabbage Hill location.

Funny thing is, you do not recall an invoice from Earth Movers and Shakers so you shoot a quick email back to Korah asking if he has a copy of the invoice. Within 10 minutes you get a reply from Korah with a copy of the invoice for $250,000, along with instructions on making the payment to Earth Movers and Shakers. At that moment you think to yourself, “I do not recall ever doing business with Earth Movers and Shakers, but Korah did ask that I send them payment, so, I’ll go ahead and process this real quick so that I can get on with my day.”

Task complete.

Moving ahead to Thursday morning shortly after 8:00 a.m. that same week, Korah appears out of nowhere demanding to know who Earth Movers and Shakers was, and “Why did you send them $250,000?”

I reply, “Because you told me to.”

At that point Korah, holding back all the anger within him, sternly replies, “I did not tell you to do any such thing!”

So, I pull up the email from Tuesday and show him where he requested that I send the payment. Then I open the second email he sent with the invoice and payment instructions. Korah immediately leaves my cube and disappears.

What did I do wrong? Why is he angry at me? I just did what he asked me to do.

Korah returns 25 minutes later with Dathan, the company IT Security Officer, demanding that I show Dathan the two emails that I received from him. I’m thinking, what is going on here? Why is Korah back? Why is Dathan here?

The second Dathan sees the first email from Korah he says with absolute certainty, “Yep, you are the victim of a classic phishing email.”

“What? How so?” I am confused, and continue to explain, “This message came to me from Korah. Are you saying I sent payment for $250,000 that I should not have sent?”

“That is correct. You sent money to someone that is not Earth Movers and Shakers. We have not had a strip mine covered in soil within the last month,” Dathan explains.

My heart sank and I wanted to crawl under the desk!

“Here,” Dathan said, “Let me show you how I know this to be the case. First, hover over Korah’s name in the From line. See, it is not really Korah’s email address, is it? Now, read it out loud. Does that sound like how Korah would talk if you were in the same room?”

“No, it does not, now that you mention it,” I said.

Dathan goes on to show me that if I hover over the link in Korah’s signature line, which is supposed to be our company website, it is not.

At this point I felt like I had been swallowed by the earth.

This type of activity goes on every single day. Small businesses are the focus of email phishing attacks at an alarming rate. Small businesses just like yours. It does not matter what your line of business is, if you are open, you will be under attack. There are email security tools to cut down the amount of such messages coming to your inbox. But the bad guys are like a proverbial Hydra; when you cut off one head, two more spring in its place. So, the real answer is to educate and train your employees to recognize phishing emails and be the strongest line of defense for your business.

Nex-Tech has the capability to come alongside your business to train your employees to avoid falling victim to such attacks.

Reach out to Nex-Tech today for more information. www.nex-tech.com or 800.588.6649.
