How a small business lost over £10,000 in just a couple of minutes

By Bryan Parsons

Tech General
9 December 2016

Have you ever googled yourself? Have you ever googled your company? If not, give it a go now and see how much information is readily available. It won’t take much effort to find out what the business does, the address and even some of the employees. You shouldn’t have any trouble getting a list of directors and, if you’re lucky, someone who works in the Accounts department. But if not, that’s no problem, as most companies have a generic accounts@ email address.

So now what?

Email address spoofing is sending an email that appears to come from an email address that isn’t your own. It takes only a minute and is very easy to do. So imagine that you want to get the Accounts department to transfer some money. How would you go about it?

We need to send them an email from someone they trust, perhaps one of the directors. We have a list of directors and we know what the business does, so it won’t take much to put together a genuine-looking email which appears to come from a director and asks for money to be transferred to an account. We can say it’s urgent, too, to get the Accounts department moving.
The Accounts department receive the email. It looks like it has come from the director, there is no obvious way to tell that it hasn’t, and the director urgently needs money transferred. What are they going to do?

We’ll never fall for that!

This type of attack is taking place daily and people are being caught out and transferring large sums of money.
You might be an expert in spotting fake emails and would never fall for this, but what about Judy who works one day a week in Accounts? Or Harry the new apprentice who is working in the Purchasing department?

We’re telling you about this not to scare you, we’re telling you so you know about it and can take steps to prevent it.

How do you stop it?

There are a few steps you can take to prevent this type of attack. We suggest implementing all of them to ensure you’re protected.

1. Have an internal Purchase Order process: make sure no money leaves your business unless a PO has been generated and approved. It may be a pain, but most accounts systems have this built in, and it ensures money doesn’t leave the business unless a PO has been submitted. Obviously, the system needs to be secure and should not be based on email approvals.

2. Speak to your IT department about adding an ‘SPF’ record to your domain. An SPF record lists all the servers that are genuine sources of email for your business. Emails sent from servers not on that list (i.e. spoofed) can then be identified.

3. Have a decent email spam and virus filtering system in place which checks the SPF record. Having an SPF record but no filtering system to check it is close to pointless.

4. Staff training: make staff aware of the types of attacks that take place, how to identify them and what to do if they spot one. This should be an ongoing process.
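To show what steps 2 and 3 mean in practice, here is an added example (not code from SpiderGroup or from the original post) of how a receiving mail filter evaluates a published SPF record against the IP address that actually delivered a message. The record, the domain and the IP addresses are constructed for illustration; a real filter also resolves `a`, `mx` and `include` mechanisms, which are omitted here.

```python
import ipaddress

# Constructed SPF record for a hypothetical company domain (assumption, not a real record).
# It authorises one /24 block and one single host, and tells receivers to fail everything else.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.25 -all"

# Map SPF qualifier prefixes to the result a receiver records for a matching mechanism.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Simplified SPF check: ip4/ip6 mechanisms and the 'all' mechanism only.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no usable record).
    Note that SPF is checked against the IP that connected to the mail server,
    so a spoofed message sent from an attacker's own server will not match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF record: the receiver cannot judge
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
        if mechanism.startswith(("ip4:", "ip6:")):
            # Mismatched IP versions never match (ipaddress returns False for them).
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term was present


def filter_decision(record: str, sender_ip: str) -> str:
    """What a filtering system (step 3) does with the SPF result (step 2)."""
    result = evaluate_spf(record, sender_ip)
    if result == "pass":
        return "deliver"
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "quarantine"
    return "deliver-flagged"  # neutral/none: deliver but mark for staff attention
```

Without step 3 the `-all` in the record changes nothing, which is why the post calls an unchecked SPF record close to pointless.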

Following our steps will ensure your business is safe from email scams. If you’d like more information on keeping your company emails secure, get in touch with SpiderGroup. We offer IT support in Bristol and throughout the South West to keep your IT systems up to date, backed up and safe from scams.

Fill in our contact form for a swift response, or call us on 0117 933 0570.
