My name is Nathan, and for those of you who don’t know me, I oversee all technology services for Morsecom. Sadly, I’m here to tell an all-too-common story in today’s technology landscape.
Recently, one of our Managed Service customers reached out to us with something they uncovered with one of their clients. Their client alerted them that they had made a big mistake and wanted them to be aware. Extremely alarmed, our customer engaged with them. It turns out that while our customer was assisting them with insurance needs over the last several weeks, someone was quietly watching all of their email correspondence. This someone was a malicious attacker looking for the right email to take advantage of. Once this attacker found an email discussing insurance policies, they quickly acted. The attacker registered and set up a “spoofed” domain by simply changing one character in the domain name our customer owns. At a glance, this new domain could have fooled most of us. Since the attacker had access to their client’s mailbox, they had everything they needed to mimic a new email. The email sent from the newly created domain looked just like emails from our customer in formatting, spacing, everything … right down to the signature line. Since these email exchanges were now between the attacker and our customer’s client, the attacker had time to negotiate and work towards getting exactly what they set out to get. At the end of the exchange, the attacker successfully obtained over $130,000.00 via wire transfer.
Now, I could sit here and tout Morsecom making our customer safe, but there is so much more to it than that. We are all in this together, and these types of Cyber Security threats are very real. My personal perspective on mitigation is a simple one. You can have all the best security measures on the planet, but employee behavior and education are often the ultimate fault. See, this attacker leveraged large-scale phishing attacks in an attempt to get an employee to think they were logging into or resetting their business email password. Often even a simple click can expose sensitive personal or business data to external threats. If you don’t have education standards in place for employees to learn about protecting themselves and your business, you are figuratively opening the door for this to happen. If you don’t think this can happen to you, ask it again from the perspective of everyone who has an email account for your business. Still feel the same way?
Ultimately, education always wins. Picking the right products and Managed Service provider comes in a solid second place. In this story, our customer’s client had some of the best technology in place and a respected Managed Service Provider managing day-to-day. As an employee or business owner, if this doesn’t make you think through your employee education, policies/procedures and security technology, then something is very wrong.
My ask is very simple … reach out to us, or whoever manages your Cyber Security efforts. Figure out what you have in place and what can be further secured. Look past the flashy hardware and software solutions and focus on use-cases, like the one I just gave you. What will ultimately protect you from a simple employee mistake, and what can you employ to ensure you don’t end up losing intellectual property, assets, time or revenue? If whoever is in charge of security leaves out the need for education, get another opinion. Don’t allow yourself to be the victim…
To all our customers, you are in our thoughts daily during these trying times. Please stay safe and healthy out there.