How Two Recruitment Business Owners Lost Over £150k Of Their Own Personal Wealth Due To A Classic Phishing Attack
In insight / By Mark Flynn / 05 July 2018
The fact is that 90% of all successful cyber-attacks start with a phishing email, and in this article I'll share with you how two recruitment agency business owners were defrauded of an eye-watering £150k.
There are several different types of phishing attack, but the one recruitment business owners especially need to worry about is the whaling attack, which is netting fraudsters millions.
A whaling attack typically starts when your account details are compromised: not your company username and password, but through your use of the same username and password somewhere else. For example, if your LinkedIn username and password are stolen (and those are typically the email address and password you use everywhere), you become very exposed.
Once fraudsters have this information they will not necessarily do anything with it other than find out who you are and whether you are useful to them. We had a Managing Director of a recruitment firm who was taken for £127k during a property transaction. His details were stolen via a fake LinkedIn request sent by email; it wasn't from LinkedIn. He clicked on it thinking he was logging into LinkedIn, but in fact he had simply handed his username and password to fraudsters.
As an MD he instantly became a target, and for six months before the eventual fraud they simply tracked him, logging into his email account every now and then to see what he was up to. Six months later he was selling a £3 million property and communicating with his lawyers by email. He was about to go on holiday and the transaction was nearing the point where a financial transfer would be made.
Essentially the bad guys logged into his email, created a rule in Gmail to prevent his lawyers' emails reaching him, and copied and pasted the entire thread into an email originating from the cybercriminals' own system, saying in effect: if you use these bank account numbers to make the payment now, while you are on holiday, we will get the house sale completed and provide a discount. At this point he transferred £127k.
It was five days before he noticed there was a problem. The money was lost; because it was classed as a legitimate transfer, his bank did not refund it.
Another example is the CFO of another recruitment client, who was also selling his house. He emailed his wife on her personal Hotmail account with the bank account details for the transfer, and she transferred the money. When she checked and found the transfer had not arrived, she transferred it again, doubling the fraud!
Nasstar first got involved because the CFO was worried that the incident had happened in the systems Nasstar hosts. That was at 10pm, and within four hours we had identified all of his login activity over the previous two weeks, including locations and browsing activity, and run it past him to check for any unusual behaviour.
We were able to trace his email all the way through our systems and identify the point at which it left them, confirming that the email was still intact at that point. We therefore knew the breach had not happened in the client systems we host. We then worked with his wife to establish where the interception had happened. Essentially the hackers had obtained her Hotmail username and password from her PC at her place of work. It transpired they had held her username and password for several months and had been monitoring her account all that time. The hackers noticed her husband had started talking about moving house, so every day they kept an eye out for a transaction email. When the email came, the fraudsters deleted it and created a new one with different bank account details. A £25k fraud!
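The two cases above point at two simple checks a mail administrator can run: the rule the criminals created in the first case (to stop the lawyers' emails arriving) and the login-location review we carried out in the second. The script below is an added example written for this article, not Nasstar's tooling or anything from the original cases. It reads a constructed audit log in an assumed JSON-lines schema (the field names `ts`, `user`, `event`, `country`, `rule`, `action`, `folder` and `forward_to` are assumptions, and the `.invalid` domains are reserved placeholders), flags logins from countries not seen during a baseline period, and flags newly created inbox rules that delete mail, move it into a folder nobody reads, or forward it outside the organisation.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (JSON lines). Field names are an assumed schema,
# not that of any particular mail provider.
SAMPLE_LOG = """\
{"ts": "2018-06-01T08:02:00Z", "user": "md@example.invalid", "event": "login", "ip": "198.51.100.10", "country": "GB"}
{"ts": "2018-06-02T09:10:00Z", "user": "cfo@example.invalid", "event": "login", "ip": "198.51.100.22", "country": "GB"}
{"ts": "2018-06-03T19:40:00Z", "user": "md@example.invalid", "event": "login", "ip": "198.51.100.10", "country": "GB"}
{"ts": "2018-06-05T02:15:00Z", "user": "md@example.invalid", "event": "login", "ip": "203.0.113.77", "country": "NG"}
{"ts": "2018-06-10T02:20:00Z", "user": "md@example.invalid", "event": "rule_created", "rule": {"name": "x", "from_contains": "lawfirm.invalid", "action": "delete"}}
{"ts": "2018-06-11T09:00:00Z", "user": "md@example.invalid", "event": "rule_created", "rule": {"name": "newsletters", "from_contains": "news.invalid", "action": "move", "folder": "Newsletters"}}
{"ts": "2018-06-12T08:30:00Z", "user": "cfo@example.invalid", "event": "login", "ip": "198.51.100.22", "country": "GB"}
{"ts": "2018-06-13T23:55:00Z", "user": "cfo@example.invalid", "event": "rule_created", "rule": {"name": "fwd", "from_contains": "", "action": "forward", "forward_to": "external@webmail.invalid"}}
"""

# Logins before this instant define each user's "known" countries; later logins
# from any other country are flagged for review. Constructed for the sample above.
BASELINE_END = datetime(2018, 6, 4, tzinfo=timezone.utc)

# Folders a victim is unlikely to look in; a rule that files mail here hides it
# almost as effectively as deleting it.
HIDING_FOLDERS = {"junk", "deleted items", "rss feeds", "rss subscriptions", "archive"}


def parse_events(text):
    """Parse JSON-lines audit records, converting timestamps to aware datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_new_locations(events, baseline_end):
    """Return login events after baseline_end from a country the user had not used before it."""
    known = defaultdict(set)
    for ev in events:
        if ev["event"] == "login" and ev["ts"] < baseline_end:
            known[ev["user"]].add(ev["country"])
    return [
        ev for ev in events
        if ev["event"] == "login"
        and ev["ts"] >= baseline_end
        and ev["country"] not in known[ev["user"]]
    ]


def find_suspicious_rules(events, org_domain):
    """Return rule-creation events whose action would hide or exfiltrate incoming mail."""
    flagged = []
    for ev in events:
        if ev["event"] != "rule_created":
            continue
        rule = ev["rule"]
        action = rule.get("action")
        reason = None
        if action == "delete":
            reason = "rule silently deletes matching mail"
        elif action == "forward":
            target = rule.get("forward_to", "")
            if not target.lower().endswith("@" + org_domain.lower()):
                reason = f"rule forwards mail to external address {target}"
        elif action == "move" and rule.get("folder", "").lower() in HIDING_FOLDERS:
            reason = f"rule moves mail into '{rule['folder']}', where it is unlikely to be read"
        if reason:
            flagged.append({"ts": ev["ts"], "user": ev["user"], "rule": rule.get("name"),
                            "from_contains": rule.get("from_contains"), "reason": reason})
    return flagged


def review(text, baseline_end, org_domain):
    """Run both checks over one audit log and return the findings together."""
    events = parse_events(text)
    return {
        "new_locations": find_new_locations(events, baseline_end),
        "suspicious_rules": find_suspicious_rules(events, org_domain),
    }


def run_sample():
    """Apply the review to the constructed sample log."""
    return review(SAMPLE_LOG, BASELINE_END, "example.invalid")


if __name__ == "__main__":
    findings = run_sample()
    for ev in findings["new_locations"]:
        print(f"{ev['ts']:%Y-%m-%d %H:%M} {ev['user']} logged in from {ev['country']} ({ev['ip']}), not seen in baseline")
    for r in findings["suspicious_rules"]:
        print(f"{r['ts']:%Y-%m-%d %H:%M} {r['user']} created rule '{r['rule']}' matching '{r['from_contains']}': {r['reason']}")
```

On the sample, the review surfaces the out-of-hours login from a new country and the two rules that would have mattered in the cases above: one deleting anything from the law firm's domain, one forwarding all mail to an outside webmail address. The "newsletters" rule is left alone, which is the point of reasoning about what a rule does to the mail rather than alerting on every rule change. Neither check replaces the control that would have saved both victims, which is confirming new bank details by telephone with the other party before transferring money.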
This is how high-net-worth fraud occurs in the recruitment sector, and it is very simple: it isn't brain surgery, it is old-fashioned fraud executed online. Don't assume that because you believe your company data is of no value to cybercriminals, you are not on their radar.
For more information on anything in this article, please contact me.