24 May 2018

Phishing and email security: An email data breach cost this company dearly

At SYNAQ, we have encountered many customers who realise too late the importance of email security and of protection against phishing (where criminals send emails that appear to be from legitimate companies so they can obtain personal information, including passwords and card numbers).

The threat of an email breach, and of having your email account hacked, is all too real. If someone hacks your personal email account, which hosts your personal information, the effects are serious but the extent of the breach might be limited to just you. But if your business email is hacked, it opens the door to scam artists in ways you cannot imagine until you become a victim. When Kate Goliath of Goliath & Goliath shared her story on The Money Show on 702 this week, we felt it was a great opportunity to share a few of our team’s insights on a real-world breach.

Fraudulent invoices and emails

Kate Goliath, who runs Goliath Comedy Clubs, spoke to Bruce Whitfield on the Money Show on 22 May 2018. She was defrauded when her email accounts were hacked. At about the end of April, Kate was alerted by a client who had received emails which appeared to be from Goliath & Goliath. The emails said the account number on the invoice was incorrect and that the client should use an alternate account number. The client then received numerous emails asking for payment. The bank flagged and highlighted that the account could be fraudulent. Kate then found two more invoices with fraudulent account numbers that had been sent from her email account and sent to her (on separate occasions).

The cost of insufficient phishing and email security

The money taken by the fraudsters totalled a substantial sum that could have crippled the cash flow of this small business. Kate said they were not making any headway in working out how this crime could have happened or how it could be stopped. This is what prompted her to appear on the show, so she could warn other small businesses to be aware of this kind of crime. Most businesses only realise how important email security is once a breach has occurred. This is because cybersecurity measures are not on a business owner’s mind, and businesses often believe they are covered through their internet service provider or standard software security features. But these are not enough. All owners should ensure that they have email, internet and data security in place to protect the different touchpoints in their business.

Scams become more sophisticated

Bruce said this was not internet banking fraud where a criminal has gained access to your account by stealing your card or account details and taken your money. This kind of crime is more frightening because it means that a criminal has hacked your email account via your internet service provider. Bruce said these criminals get in through the back door, gain access to your information and manipulate it to get your clients to pay them, not you.

Kate agreed. She said the fraudsters had logged in and changed PDFs of invoices that were prepared on invoicing systems. They cloned her email address and forwarded all her emails to their email address. They flagged all messages containing the word “invoice”, as well as messages from specific clients. Kate found deleted emails from clients in a separate ‘deleted emails’ box that had been created (and was different from her trash box). This sneaky manipulation went undetected until clients pointed out the scam. As a result, business owners should think seriously about the data that’s housed in their employees’ emails and the damage it could do if it was used against the company.
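Forwarding to an outside address, filters on words like “invoice” and on specific senders, and a purpose-made folder are typically set up as mailbox rules, so a regular review of those rules is one way to catch this kind of tampering before clients do. The Python below is an added example, not code from SYNAQ or Goliath & Goliath; the rule format, field names and example.com domains are assumptions made for illustration.

```python
# Added example: audit exported mailbox rules for the tampering described above.
# The rule format (dicts with these keys) is an assumption for illustration,
# not the export format of any particular mail platform.

STANDARD_FOLDERS = {"inbox", "sent", "drafts", "trash", "junk", "archive"}
WATCH_WORDS = {"invoice", "payment", "statement", "bank"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rule(rule, own_domain, known_folders=STANDARD_FOLDERS):
    """Return a list of reasons this rule deserves manual review."""
    reasons = []
    for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if domain_of(target) != own_domain.lower():
            reasons.append(f"forwards mail outside {own_domain}: {target}")
    keywords = {k.lower() for k in rule.get("subject_or_body_contains", [])}
    hits = sorted(keywords & WATCH_WORDS)
    if hits:
        reasons.append("matches payment-related words: " + ", ".join(hits))
    folder = rule.get("move_to_folder")
    if folder and folder.lower() not in known_folders:
        reasons.append(f"moves mail to non-standard folder: {folder}")
    # Hiding mail only matters when the rule targets payment words or senders.
    if (rule.get("delete") or rule.get("mark_read")) and (
            hits or rule.get("from_addresses")):
        reasons.append("hides matching mail (delete/mark as read)")
    return reasons


def audit_mailbox(rules, own_domain):
    """Map rule name -> reasons, for rules with at least one finding."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, own_domain)
        if reasons:
            findings[rule.get("name", "<unnamed>")] = reasons
    return findings


# Constructed sample rules (example.* are placeholder domains).
SAMPLE_RULES = [
    {"name": "Newsletters", "from_addresses": ["news@example.org"],
     "move_to_folder": "Archive"},
    {"name": "x", "subject_or_body_contains": ["Invoice"],
     "forward_to": ["billing@example.net"], "move_to_folder": "Deleted Emails",
     "mark_read": True},
]
```

Calling `audit_mailbox(SAMPLE_RULES, "example.com")` returns only the second rule, with one reason per suspicious trait, which gives whoever reviews the mailbox a short list to check by hand.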

Costly and time-consuming

Once criminals have gained access to your email account, it is difficult, costly and time-consuming to undo the damage. Kate was alerted when she received a proof of payment from a client which had Goliath & Goliath as recipients. The criminals had added the name as part of their payment process. But she was suspicious when she noticed that the account details were different to hers. Kate asked her bank to track the account number but they said before this could be done, she had to lay a fraud charge with the police. The bank would then stop the account, but it was already emptied. Kate was told she could only get information about the bank account if she obtained a subpoena from the police officer investigating the case.

How SYNAQ helps to mitigate these risks

At SYNAQ, we have spent years developing our email phishing protection and security measures to help businesses like Goliath & Goliath protect themselves from this kind of crime. SYNAQ Securemail offers 99.5% spam protection, 100% virus protection, and comprehensive phishing protection. Our email security services are smart and provide true insight into email usage, top threats and bandwidth savings, with the benefit of integrated advanced reporting.