Please, all businesses on the Sunshine Coast (and abroad), take a moment and learn about a very real threat to your business.
We’ve all heard the phrase phishing, which is a term used to describe a broad, automated attack that tries to get email recipients to reveal confidential information. The attackers are on a phishing expedition. However, a much more insidious version called Spear-Phishing exists, whereby an attacker will spend time to learn about your business and your organizational layout and launch a sophisticated, targeted attack on a specific employee.
The objective: steal your money.
In the last 30 days, just over $100k has been stolen from local Coast businesses by attackers using this technique. That’s $100k that we at Mainstay are aware of… I’m sure there are more businesses affected.
How does it work?
An attacker (or group) will learn about your business (scraping the information from your website) and then compose a well-written letter from the CEO to the Finance department instructing them to transfer a large sum of money to a destination bank account. There is usually some measure of urgency to the transaction, and usually some explanation of why the Finance person should not try to contact the CEO, as they are deep in negotiations. All the right words are used. All the right names are used. They will engage in a back-and-forth clarifying their instructions. No bots are involved. These are real people that have a vested interest in making sure the bank transfer happens. The money is transferred, and the attacker immediately withdraws the funds. The RCMP and the banks may be able to put a stop to it if notified immediately, but in all our recent cases it was too late. The money is gone.
How do you stop this from happening?
Educate your staff on identifying fraudulent email addresses. In every case we have reviewed, the attackers used the real name of the company CEO but an incorrect email address. These email addresses come from other domains that were compromised as part of the attack. Unexpected emails that are urgent in nature and involve transferring large sums should immediately raise suspicion and require verbal confirmation from the CEO. Talk to your staff; review this threat and give clear instructions on how fund transfers are to be authorized for your organization. Also, remove staff directories with direct email addresses from your website. The attached image from Sophos does a nice job of saying this in a fancy and pretty way… and I could have just posted that… but I REALLY want you to read this and know that this is not just some vague internet security thing happening “out there”… this is here, happening to your local businesses on the Sunshine Coast, who are already struggling to make it through Covid.
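The check described above (the CEO's real name paired with an address on the wrong domain) can also be automated at the mail gateway or in a mailbox rule. The following is an added example, not Mainstay's own code; the company domain, the executive directory and the sample From: headers are constructed placeholders.

```python
"""Flag messages whose display name matches a known executive while the
sender address is not that executive's real address.

Added example. COMPANY_DOMAIN, EXECUTIVES and the sample headers are
constructed placeholders, not real organisations or people."""
from email.utils import parseaddr

COMPANY_DOMAIN = "example-business.ca"          # assumed company domain
EXECUTIVES = {                                   # assumed directory: name -> real address
    "jane doe": "jane.doe@example-business.ca",
}


def _norm_name(display):
    # Fold case and collapse punctuation/whitespace so "Jane  Doe." still matches
    return " ".join(display.lower().replace(".", " ").replace(",", " ").split())


def check_from_header(from_header):
    """Return (verdict, reason) for one raw From: header value.

    verdict is "ok", "review" (exec name, unexpected internal address) or
    "flag" (exec name, external sender domain: the pattern seen in these cases)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = _norm_name(display)
    if name not in EXECUTIVES:
        return "ok", "display name is not a known executive"
    if addr == EXECUTIVES[name]:
        return "ok", "address matches the executive directory"
    if domain == COMPANY_DOMAIN:
        return "review", f"executive name with unexpected internal address {addr}"
    return "flag", f"executive name '{display}' but external sender domain '{domain or '?'}'"


def triage(headers):
    """Run the check over a batch of From: headers; returns [(header, verdict)]."""
    return [(h, check_from_header(h)[0]) for h in headers]


# Constructed sample headers: genuine, impersonation from a compromised
# third-party domain, free-mail impersonation, and an unrelated sender.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example-business.ca>',
    '"Jane Doe" <accounts@compromised-shop.example>',
    'Jane Doe <jane.doe.ceo@freemail.example>',
    'Bob Smith <bob@another.example>',
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:6}  {header}")
```

A "flag" result should route the message for a verbal confirmation with the CEO rather than being silently dropped, since a compromised partner domain can also carry legitimate mail.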
If you have any questions about email security or setting up a business-class email system for your organization, we are here to help. If you believe you have been a victim of a cybercrime, contact the RCMP immediately.
Stay safe out there.
–Matthew and the Mainstay Team.