Cyber Security: The First Line of Defence

In Cyber Security, your first line of defence is always your employees.
Can they spot phishing attempts?
Can they identify fraudulent activity?
Do they know the common signs of a sketchy situation?
Do they know where to report scams and risky scenarios?
What is the risk you run if they are under-educated or complacent?

According to the Canadian Anti-Fraud Centre, just this year there have been over 61,305 reports of fraud & scams, and over $332.7M lost by businesses. Of this total, the hardest hit segment is small business. People often think it’s a single person on the other side trying to launch these attacks but are often surprised to hear that scams are usually executed by a team of dedicated professional cyber criminals. As cyber crime continues to increase in both volume and size, and awareness increases, these cybercriminals are also getting more intricate with their methods and strategies, and that is where employee training and awareness is of utmost importance.

TP Communications recently had an incident with fraud that we were able to circumvent after taking a step back and analyzing the situation. Pictures and greater detail is included below.

The First Touch

The TP Sales team received a lead from its website with an individual looking for some specific equipment.

Acting quickly, the sales team looked up the company, found a legitimate website, and began sourcing lead times and created a quote for the individual. A quote was given, and the individual asked for another one that included “system expansion” which was a large amount of processors and hard drives. The sales team updated the quote, but was leery as there was no project description, they were just passing through equipment. The equipment’s total price ended up at approximately $70,000, and as such qualified under TP’s standard practices to be confirmed with a 50% deposit. The individual on the other end claimed they would need to be approved for credit (net-30 or net-15) and would not provide a deposit. 

This is when the sales team escalated the issue and began to dig into the company a little bit further. One of the more intricate scams to date that TP Communications has seen, it was challenging to decipher if the claim was legitimate or not. 

Steps Taken Included:

1. Searching for the individual on LinkedIn
2. A deep dive into the company’s website
3. Reviewing the domain of the individual’s email address as the website
4. Calling the number listed in the individual’s signature

The Results of This Initial Inquiry Were:

1. Niall Anderton is a real person on LinkedIn, in a position with the company that the individual was posing under. We messaged this account, and it was the real Niall. He confirmed that it was fraudulent activity. (Thanks Niall)
2. The website was developed and is almost identical to the corporate website it was trying to mirror, the photo is below, see if you can identify the differences in the browser windows. 
3. The domain website looked the same, but did not forward to the main site, and instead directed to its own URL (large red flag).
4. The phone number on the signature was different from the company in question’s corporate office number, but it was close. When the number was called, it was set up to try and mimic the company’s real auto attendant (poorly at that). 

At the end of the day, the TP team did its due-diligence and reported the scam to the Canadian Anti-Fraud Centre, likely saving a large financial loss. Our team hopes that our story provokes thought, and hopefully encourages you to implement employee training and cyber security policies to protect from scams such as this one.

Lessons We Learned Included:

1. Always question the legitimacy of a new source, and do your due diligence
2. Know the signs of a “spoofed” website 
3. Don’t be afraid to loop others in for their opinions
4. Ask the right questions of the individual to assess the situation fully
5. Set up processes where multiple people have to touch the situation before anything is agreed to (ie. deposits, approvals, etc.).
6. Have a policy in place that is always evolving so that as scams become more intricate and expand, your policies capture them as well.
7. Audit your security processes and test your employees to know what to look for.

Conclusion

Need a hand setting up a policy? Our team of experts can help! Cyber Security is a mix of hardware, software and policies put in place to ultimately protect your business, if you have part of it, you are on the right track, but all of it is required to be fully protected! Talk to a TP team member today!