How scammers use phishing and social engineering to steal your money and data.

Hello there—you’ve found your way to another episode of Design Under Influence!  

This is Boris and Alex, here to give you as much information as we can to make technology your competitive advantage at your architecture, design, and engineering firm.  

Improper use of technology is about as good as designed under the influence of drugs or alcohol, a method that might not always be optimal for productivity.  

Today we’re talking about something that everyone has been dealing with for the last six months with the pandemic—phishing.  

Yesterday, Alex got an email from ‘Netflix’ claiming that they had canceled his subscription.  

If this was an error, please click here to resubscribe 

Right as Alex was about to click the button, he realized that he doesn’t actually have a Netflix account (he’s using his brother’s account—don’t tell anybody).  

Nevertheless, the email looked legit.  

It can be very hard to distinguish spam and phishing attacks from the real deal.  

We have some crazy phishing stories to tell you today and hope to give you some essential steps to avoid these attacks at your firm.  

With so much communication taking place online due to the pandemic, these scummy attackers are more prevalent than ever before.  

Phishing is the modern-day diamond heist—the cast of Ocean’s 11 has migrated to a dark basement with a 6 pack of Red Bulls.  

All jokes aside, these groups are highly organized and capable of siphoning huge amounts of money from businesses.  

We’re going to give you a story of how a phishing scheme stole $1.8 million.  

It all began with Boris getting a phone call from a friend who ran IT for a commercial real estate investment firm. He asked Boris to investigate suspicious activity that looked like phishing, as invoices that the firm had already paid reappeared in their systems.  

There are various types of phishing. This particular case is one of spear-phishing or a tailored attack directed at an individual or business. These attacks are more robust and take longer to plan, but can reap greater rewards for the hackers.  

In this particular case, the commercial real estate company was working with a contract to do a project for their tenants.  

The project cost millions of dollars and was to be performed in one of the buildings that they owned.  

One day, an administrative assistant at the firm got an email message from a project manager at the construction firm.  

Basically, that message said: Hey there, with the onset of COVID-19, we’d like to get our people paid as soon as possible. You guys have a couple of outstanding invoices with us, and with all the uncertainty, it would be really great if you could pay us.  

The email was written following the format and tone of the actual project manager(s) from the construction company. The spear phishers even copied the signatures but changed the phone numbers to their own.  

When the administrative assistant responded saying that the invoices would be paid, the phishers responded with new routing numbers with a claim that were applying for a PBB loan.  

The assistant then sent the new account information up the ladder to her boss, who is responsible for approving the finances in the company.  

He tried calling the actual project manager but was sent to voicemail. He then responded to the phisher´s email thread asking if they could jump on a call to discuss and confirm the account information.  

The bad guys then obliged, providing an incorrect cell phone number of which was the final straw to make the heist successful.  

Two days later, $1.8 million was transferred into the wrong account.  

A week after the transfer, the real project manager from the construction company called and said that the invoices hadn’t been paid.  

Obviously, this is devastating for any company. And if you are a business owner right now, you should be alert to the potential dangers of phishing.  

The problem is, as Alex notes in the management of his own digital marketing agency, your employees hold a lot of keys to the secret boxes of your business.  

So how can you protect yourself?  

These three essential steps can help to keep your business safe.  

  1. Educate your employees: Quarterly, hands-on training workshops, or coursework to demonstrate examples of commonly used phishing techniques. Sending fake phishing attacks can also help to identify who is most susceptible to additional instruction.  
  1. Get additional protection: Most security events initiate from email. Make sure that you have proper protection for your email—you need more than the basic spam filter on your email platform. For Boris’ clients at ArchIT, these filters are mandatory and a part of the service. This can help to alleviate some of the stress put on your trained employees, and let technology do some of the filterings.  
  1. Implement URL filtering: Should a phishing attack breach the first two layers of security resulting in a clicked link, the bad URL needs to be blocked from executing on your computer.  

Keep your organization safe from phishing attacks.  

If you have questions or need help please reach out to us.  ArchIT specializes in providing IT services for architecture, design, and engineering firms

Thanks for checking out the pod, and have a good one. We’ll see you next time!