Tech Support Horror Stories: An $80K Phish Attack


By Karl Bickmore, CEO

In the hopes of educating business owners and IT managers about the real dangers of cyberspace, we’ve created a new blog series we’re calling “Tech Support Horror Stories.” Each post recounts a horrible event that actually occurred, and then explains the best practices you can adopt to make sure events like this don’t happen to you. The names have been changed to protect the innocent. In this first post, we describe a phishing attack that happened to one of our clients.

Gone Phishing

Walter was closing his books for the previous month. His company had done reasonably well, and he was excited to see how the final numbers tallied. During this review, he noticed something strange. The numbers were off, by a lot. He glanced at the income accounts on the P&L. Everything appeared to be normal. Then he took a close look at the cost of goods. The gross margin was right on target. Why was the net profit so much lower than he expected? He looked closer into the expenses and found an anomaly: a very unusual entry for a money transfer from the operating account for a little over $80K. He didn’t recall a transfer of that size going anywhere.

He immediately called his accountant to find out what it was for. She said she wasn’t sure, but that he was the one who requested it. This came as a shock. “What do you mean, I requested it?” he asked her. She grew concerned, and promptly forwarded the email from him specifying the amount to transfer, the bank account and routing number to use, and the passphrase he would use to authorize this transfer. Poof, that money was gone.

Many of you reading this may know of someone who experienced a similar ordeal. In the case of our client, the email was, in fact, sent from his email account, and the person who sent it clearly had monitored his email enough to know who to send it to and what to say to get the transfer done.

After we investigated the incident, we discovered he and his accountant had fallen prey to a phishing attack. His email account password had been compromised. We found ID theft forums on the dark web auctioning it to the highest bidder. The attacker had accessed his email remotely and set up a forwarder. Every email sent and received was now copied to the attacker. The hacker was able to monitor his communication, learn who the right people were, and craft a believable message that would not be stopped by a spam filter.

How to Prevent a Phishing Attack

  1. Implement dual-factor authentication. This technology prevents others from logging into your email by requiring an additional factor such as a code texted to you during login, or the use of an authentication application.
  2. Make sure your IT service provider monitors email forwarding on your email accounts. Any forwarder setup should trigger an alert that causes your provider to investigate.
  3. Leverage a dark web monitoring service that will tell you when a password is being passed around the dark web with your user account or email address as the source.
  4. Establish a verbal-only approval process within your company and with your vendors for wire transfers. It is highly risky to request them over email or text.
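Step 2 asks for an alert on every forwarder. The following added example (not code from the original post) shows the shape of such a check over a few constructed mailbox-audit events: the event schema and the `INTERNAL_DOMAINS` set are assumptions, and the operation and parameter names are modelled on the Exchange inbox-rule and mailbox cmdlets that set up forwarding.

```python
"""Flag mailbox forwarding changes in an audit-event stream (added example).

The JSON-lines event format below is a constructed, simplified stand-in for a
real mailbox audit log; operation/parameter names mirror Exchange cmdlets.
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

FORWARD_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that route a copy of (or the whole) message somewhere else.
FORWARD_PARAMETERS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                      "ForwardingSmtpAddress")

# Constructed sample: a benign folder rule, a hidden external forwarder that
# also deletes the original, and an internal forward set by an admin.
SAMPLE_LOG = """
{"ts":"2024-03-02T09:14:00Z","user":"walter@example.com","operation":"New-InboxRule","parameters":{"Name":"Archive","MoveToFolder":"Archive"}}
{"ts":"2024-03-02T23:41:07Z","user":"walter@example.com","operation":"New-InboxRule","parameters":{"Name":".","ForwardTo":"w.backup@mail-relay.invalid","DeleteMessage":true}}
{"ts":"2024-03-03T08:05:00Z","user":"accountant@example.com","operation":"Set-Mailbox","parameters":{"ForwardingSmtpAddress":"smtp:ap-team@example.com","DeliverToMailboxAndForward":true}}
"""

def _addresses(value):
    """Normalise a parameter value (string or list) to lowercase addresses."""
    values = [value] if isinstance(value, str) else list(value)
    cleaned = [v.strip().lower() for v in values]
    return [v[5:] if v.startswith("smtp:") else v for v in cleaned]

def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def forwarding_alerts(events):
    """Return one alert per event that creates or changes a forwarder."""
    alerts = []
    for ev in events:
        if ev.get("operation") not in FORWARD_OPERATIONS:
            continue
        params = ev.get("parameters", {})
        targets = [a for p in FORWARD_PARAMETERS if p in params for a in _addresses(params[p])]
        if not targets:
            continue  # e.g. a rule that only moves mail into a folder
        external = [t for t in targets if is_external(t)]
        deletes = bool(params.get("DeleteMessage"))
        # Every forwarder is worth a look; external targets or deleting the
        # original (so the victim never sees the mail) are the worst cases.
        severity = "high" if external or deletes else "medium"
        alerts.append({"ts": ev["ts"], "user": ev["user"], "operation": ev["operation"],
                       "targets": targets, "external": external,
                       "deletes_original": deletes, "severity": severity})
    return alerts

def scan(text):
    """Parse JSON-lines audit text and return the forwarding alerts."""
    return forwarding_alerts(json.loads(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['user']} {a['operation']} -> {', '.join(a['targets'])}")
```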