Most hacking relies on social engineering, which manipulates us into doing something that let’s a criminal gain access to our data or money. They prey on our human vulnerabilities – eager to please and rushing a response to the sense of urgency created by the false request.
A very common method that makes vendor hacking successful is gaining access to EMAIL. So much of our work is done by email.
A cyber-criminal accesses a vendor’s email account. The hacker reads communications to and from vendors to clients and learns processes and people. They learn who is responsible for invoices and payments and use names, terminology and styles that are familiar. The hacker creates a fake account that very closely resembles a legitimate one used. Example: firstname.lastname@example.org might be spoofed as bilIing@integrityky.com (replaced one of the L’s in billing with an I). Next, an email is created that appears exactly as the vendor might send.
A scammer might also use the phone, pretending to be a vendor and changing the process of making payments.
Ways to Protect Yourself – Make Policies and Procedures to Confirm and Verify
- Call your vendor representative to confirm any changes made by phone, fax, mail or email.
- Require high-dollar payments received and managed electronically be confirmed by a phone call to the vendor prior to payment. Call their main phone number and speak to contacts which you are familiar.
- Learn how to spot phishing emails and be suspicious of things that are different from the normal process – a new email, phone or person.
- Work with your bank to establish a “double check” processes when it comes to transferring large amounts of money – banks are well educated in fraud and criminal behavior – they are a great resource to keep your money secure.
Even if you are not responsible for financial loss, you are still losing money that you need to run your business. If you accidentally pay a criminal, you don’t get the money back.
Here are some other resources about vendor and supply chain attacks.