Major NZ health and beauty company gets scammed.
Fake scams, false information and dodgy emails seem to be all too familiar these days to any of us who operate businesses online.
We hear these horror stories, and hope we’re smart enough to identify a scam when presented with one. But scammers and hackers are becoming increasingly more sophisticated in their approach.
Gone are the days when a supposedly long lost Nigerian relative, perhaps of royal descent, has passed away, and their lawyer suddenly gets in touch asking us to provide our bank details so they can transfer our new inherited fortune to us. Instead, online thieves, scammers and hackers use very slick and deceptive methods for gaining entry into our online systems.
New Zealand businesses and their employees are some of the top targets for online scammers and opportunists.
Below we outline how a large New Zealand business became a target of an online scam, and how to stop it from happening to your business.
The scam.
Recently, the Managing Director of one of New Zealand’s largest pharmacy distribution companies was targeted by scammers.
The scammers researched the company and the Managing Director before contacting them. Once they found the MD’s email address, they sent a fake email. Posing as her IT department, the email asked her to click on a link in the email to avoid having her email account deleted.
Judging by the look of the email, the MD naturally assumed it was a legitimate request. Not wanting to lose her email account she complied and clicked the link. Upon clicking the link, she was required to enter her email address and her password.
Once she had completed this updating of her credentials, the scammers could (unbeknownst to her) go to work.
The damage.
The scammers used the MD’s email login details to access her email account (without her knowledge) to set up auto-forward rules. This meant a copy of every email in her email account was forwarded to the scammer’s email account, as well as a copy of any new emails coming into the inbox.
After the scammer had copies of all of her emails, they were able to read through her entire email history. They discovered she was planning an overseas work trip very soon. They patiently monitored her emails over the next few weeks while the company and the MD remained completely unaware of the intrusion.
Once the MD had departed to go overseas, the scammers decided this was the opportune time to strike and exploit the company’s vulnerability.
They used the MD’s credentials, password and the relevant information they’d picked up from her email account to place an order for ten brand new iPhones. To do this they placed the order on the company’s business account with one of NZ’s major Telco companies, instructing the order to be shipped to the USA.
Getting caught.
This kind of scam happens all too often in New Zealand, and much of it goes undetected (which was nearly the case here).
Luckily in this instance, the Account Manager for the Telco company noticed the shipping address was for America and thought it was unusual for a New Zealand based company to be ordering phones to be sent to USA.
A little reluctant to second-guess the order, he made the decision to call the Managing Director to confirm she wanted them shipped to USA.
Upon hearing the details of the order and realising she’d never authorised such an order, the Managing Director became horrified and slightly embarrassed while cancelling the order immediately.
After thanking the diligent Account Manager, she called us at Swerve to investigate how the incident had occurred in the first place.
The solution.
After investigating her account, we spotted the auto-forwarding rules immediately and turned them off.
The solution was incredibly simple and something you can easily check for yourself and for employees of your business. Or you can install software to monitor for when auto-forwarding rules are instigated.
The next step we got her to complete was to reset her password, something you should complete at least once every 6 weeks.
If remembering your password, or changing it every 6 weeks sounds like a challenging task you’re not alone. Over 50% of the population rely on memory to recall their online passwords. To help you manage this you can use an online password generator and vault like LastPass.
LastPass is a secure extension for your computer that replicates across mobile phones and tablets. It securely stores all your passwords, so you never have to remember them. It can also generate incredibly complex passwords that would take forever to crack.
Lastly, we set up Multi-Factor Authentication (MFA) on the MD’s account. What this means is whenever she wants to log into her email account, a six-digit code is sent to her mobile phone which she enters into her email account in order to access it.
There are other methods of verification rather than sending a text message, but we went with this method as it’s simple and pops up on your mobile phone instantly. We also set up MFA across their entire business for all employees.
By setting up MFA, if a scammer were to gain access to the MD’s login credentials again, they would also have to physically have her mobile phone in their hands to access her account.
Using MFA is an incredibly simple, yet highly effective solution to help prevent you and your organisation from phishing scams like this one. It could save you hundreds of thousands of dollars, as well as your reputation.
To set up Multi-Factor Authentication for Office 365 users, click here for instructions.
To set up Multi-Factor Authentication for Google users, click here for instructions.
To find out if your organisation has been compromised, or to ensure your business is safe from these types of threats, book a free 20 minute Cyber Security Audit with us today.
We’ll assess how vulnerable you are to attacks, or if they’re happening we can set about ensuring you are safe.
Protecting yourself and your business.
You can easily find out if your business is vulnerable to these types of scams or attacks. Take this short, simple test to check whether you and your business are protected - just click the button to get started.
Many Kiwi businesses are unprepared when it comes to securing themselves from online theft. Most companies believe that having a dedicated IT consultant, or having their online systems set up professionally, means they're automatically safe. Unfortunately, this isn’t the case.
At Swerve, we hate seeing New Zealand businesses getting scammed and that's why we've set up user-friendly, easy to implement processes, which help to secure and protect your livelihood and business.
Our systems help to reduce the chance of human error when operating online. Whether it’s safeguarding your accounts team, setting up simple security systems, or familiarising your team with correct online policies and training.
Do you want to safeguard your business and reduce the risk caused by online thieves, scammers and hackers?
Book your free business security audit with us today by clicking the button below.
