During the run-up to the US election there’s been a lot of talk about who’s for real and who’s faking it. Who you would like to have a beer with, and who you’d trust with the economy. When I saw a headline about a ‘Fake President Scam’ the other day, I thought it was about yet another alleged scandal within the political class. Turns out it’s something that might just have got the CEO of an Austrian company fired.
I shivered when I read about the ’14-hour board meeting’ where this guy was confronted with poor sales figures and not-great performance stats - but it seems the last straw was the fact that cyber-security hadn’t been a high priority for him.
The company had been hacked. Not by some clever malware but by a ‘Fake President’ scam. It’s a simple email that turns up in an employee’s in-box looking like it’s come from someone important within their company, hence the ‘President’ in the title. The email asks for funds to be urgently transferred to pay a debt or to make a deposit to seal a contract - anything, so long as it sounds plausible.
The email is often so convincing that it’s hard to blame some finance guy, late on a Friday, getting this urgent request and just, well, doing his job. That’s how the scammers get what they’re after. They’re clever at social engineering and impersonation. It’s how I got into trouble within my own business. I got an email with an attachment that purported to be a great picture of me acing it on the 18th hole at a corporate golf event. It seemed to come from someone I’d met there. So, I downloaded the attachment. Big mistake.
It felt horrible to have been socially engineered (to put it politely - some would say I was just a ‘chump!’), and the consequences have been dire ever since. You can follow the story in Whaling for Beginners Books I and II.
Cyber security and resilience can be a bewilderingly technical area. But by following a few simple measures you can mitigate many of the most common threats. Train your people to be wary and alert. Put in checks - if in doubt, if a request is unusual, then seek verification: a phone call should quickly establish whether an email is actually what it purports to be. Stay safe and secure. Are you doing that right now?
Read the full story of the 14-hour board meeting.
Read other posts in this series
Reputation, reputation, reputation: what matters most to us all
Board meeting from hell
The perils of personal passwords for LinkedIn accounts
Get the full story: Whaling for Beginners Books I and 2 available now.
See our RESILIA™ section for more information about cyber resilience.