Shark Gets Phished

“Shark Tank” panelist and real estate investor Barbara Corcoran got spear-phished for nearly $400K. While you may dismiss this as “rich people problems,” the fact is you don’t have to be a big business or a highly visible investor to fall victim to this scam. Here’s how to avoid getting taken.

The big news in cybersecurity this week included “Shark Tank” panelist and real estate investor Barbara Corcoran getting spear-phished for nearly $400,000.  While you may dismiss this as “rich people problems,” the fact is you don’t have to be a big business or a highly visible investor to get scammed.

According to the FBI, companies of all sizes have lost $26 billion through email wire fraud–meaning, they have been duped to believe they are being contacted by a trusted business partner–since 2016. Small businesses and individuals have always been targets, and phishing of smaller organizations is getting more specific and personalized every day. Here’s how you can spot and prevent becoming a victim of a similar scam.

What It Looks Like

You can’t avoid what you don’t see, and phishing can come in many forms, making it difficult to spot sometimes. In phishing scams of this type–the trusted business partner scam–the purported sender is someone (individual or business) known to the target. The request can be for money (in this case a wire transfer), but phishing can also involve malware. That is, the attached “invoice” contains malicious code that can impact the target’s systems, including unleashing ransomware, when opened.

The name on the sender’s email address is often correct, but the email address is something completely random, like PrettyKitty@randomemailprovider.com. When viewing your inbox on a mobile device, often only the name  of the sender (not the email address) is visible, so this can go unnoticed by some recipients. Or the address can be similar to the trusted business partner’s address, but different in some small way the recipient is not likely to notice.

In the case of Corcoran, it was the latter. Various sources report that her bookkeeper paid an invoice she received from an account she thought belonged to Corcoran’s assistant. In fact, the email was not from Corcoran’s assistant, but a bad actor who had crafted an email address similar to the assistant’s (it lacked a single “0”). The bookkeeper replied to the email for confirmation the invoice was to be paid.

The bookkeeper didn’t notice the discrepancy in the email address. She was, in fact, seeking and receiving approval for the payment from the scammer.

How Can I Avoid Phishing and Spear-Phishing?

Corcoran told ABC News, “Someone sends you a bill. It’s paid. In this one instance, it was not a good strategy.”

What?

Paying your bills is not a bad strategy. The bad strategy is not having appropriate safeguards in place to prevent loss. Losing $400,000 is more than just an oops, it is an opportunity to review and improve protocols–because there’s obviously a gap large enough there to drive $400,000 through.

Here are some best practices for avoiding falling prey to scammers, regardless of how vast your empire or small your solo practice (profit or non-profit) may be.

1.  Follow best practice with opening email attachments, regardless of origin. You know to spot the cheesy bad phishing from random sources, full of typos, etc. But what about phishers running the trusted business partner scam, as in this case?

My clients are great and smart and savvy, but you can bet the ranch that I verify addresses on emails (not just the name on the email), and I scan every attachment they send before opening it. If I’m not expecting a document from a client (or a vendor), I contact them to confirm they sent it (that is, that their account hasn’t been spoofed). You would not believe the number of times that has prevented phishing.

Cast a jaundiced eye on everything.

2. Exercise a preference for online portals. I find attached invoices creepy, so I go straight to my online account and print the invoices from the portal when the option is available. Even the largest, most professional vendors can have imperfect systems with unaddressed vulnerabilities. Breaches are evidence of that.

3. Review your organizational structure. Have a series of checks and balances to control the release of money or data, disallowing unilateral approvals of payments or transfers of data. Whether it’s double signatures on checks or a series of reviews, do what’s appropriate to the scale of the venture.

4. Limit the amount of funding or data available for disbursement. Whether it’s a limit on company purchasing cards or data management systems that strictly limit who can see specific data (e.g., employee SSNs), implementing these restrictions can avoid not only the actions of external bad actors, but also save your employees from committing inadvertent breaches. Not everyone in HR, for example, needs to have access to employees’ SSNs and birth dates. Requests for that sensitive information should be brokered by a few individuals specifically trained in privacy laws and cybersecurity best practices.

5. Keep contact information for key personnel off the web site. It is amazing how much removing contact email addresses from your organization’s web site and implementing a contact form can cut down on phishing attempts.

6. Most Effective Safeguard: **Make Direct Communication the Default Protocol.** If you can’t walk down the hall to verify a request for payment or sensitive data, pick up your phone. Don’t rely on email. In the Corcoran case, the bad actors crafted an email address one letter off from the colleague’s real email account, a difference many will miss. But a quick chat between the bookkeeper and the assistant she believed had forwarded the invoice for payment likely would have uncovered the scam and prevented the financial loss.

Direct communication may seem old school, but it works (and it can help build a collegial work environment–employees are not automatons). At one of the data vaults I’m familiar with, employees may not use email to communicate internally–all requests and verifications must be handled face-to-face, precisely because of the vulnerabilities inherent in email.

It’s ironic but true in many cases: The key to security in this high-tech cyber world is the most old-fashioned communication method, conversation. The upside? Sitting is the new smoking, so you can kill two birds with one stone by getting up from your desk and taking a walk down the hall.