Common Sense: The Best Defense from Cyber Fraud at Work

By Susan Hoffman
Contributor, InCyberDefense

Note: This article is part of a university series for National Cybersecurity Awareness Month in October. This week’s theme is It’s Everyone’s Job to Ensure Online Safety at Work.

Recently, a case of spearphishing occurred at MacEwan University in Edmonton, Canada. In the summer of 2017, MacEwan was constructing a new fine arts building. Emails involving million-dollar transactions were traveling back and forth between school employees and vendors.

One day, a university employee received a vendor email asking for payments to be rerouted to a new bank account. The email appeared legitimate because it had a person’s name and a company logo. It also came with an attachment, which was a letter signed by the vendor’s chief financial officer.

A university employee made the change. However, when a second payment was sent to the same account, it bounced. The university employee became concerned and asked the vendor to send new banking account information. A second email was sent from the vendor and contained an updated version of the CFO’s letter.

The sender of the original vendor email replied and asked for payments to go to yet another bank. The employee then sent some more money to the new bank.

Unfortunately, MacEwan University was the unwitting victim of a fraud, which was discovered when the real vendor contacted the school asking to be paid for work the company had done. However, the school was able to recover most of the stolen funds — $10.9 million out of $11.8 million — and has implemented mandatory security training for employees.

What Could MacEwan University Have Done Differently to Prevent the Fraud? 

Spearphishing emails can be very convincing and the story of MacEwan University is a classic case of spearphishing. It is easy to see how university employees were fooled by the physical appearance of the hacker’s email containing a person’s name, the vendor’s name in the email address and the presence of the company logo.

Also, the hacker’s choice to include a letter supposedly written by a high-profile senior executive at the vendor company (a “whale” in cybersecurity terminology) made the email seem even more legitimate. The hacker probably found the CFO’s name at the vendor’s website, LinkedIn or some other online source.

In retrospect, MacEwan University employees could have taken several actions to avoid the being defrauded, such as:

• Contacting the CFO’s office to check on whether or not the CFO’s letter was legitimate
• Looking for the person who sent the vendor emails on LinkedIn to see if that person was a legitimate employee
• Calling the vendor directly to see if the banking information really needed to be changed, especially since a large sum of money was involved

Preventing Fraud Starts with Feeling that Something Isn’t Right

Ultimately, the prevention of fraud starts when you feel that something isn’t right. For emails, the giveaway may be an email address that doesn’t match a company name, a request to “confirm” or “update” information that a company should already have or a notification that a financial account was “suspended” without warning. The email may also have misspellings or grammatical errors.

In many cases, a hacker may create a fake deadline within the email or use wording that creates a sense of panic, such as “your account has been suspended.” The hacker’s purpose is to get you to act before you discover the fraud.

If you have even a single doubt that an email hasn’t come from a legitimate person, it’s worth investigating further. Do some online research to check out any email sender claiming to be a company employee or have your IT department review the email as potential spam. A little extra time spent checking can save a lot of money later on.