It will never happen to me – again
The first business day after our robbery, which I reported on last week, we dodged a very near bullet with an email scam attack.
The circumstances were that I was out of the office travelling to film an episode for our YouTube channel when our financial controller received an email from an email account set with the name ‘Allan Manning’, reportedly me, asking if they had time to process an urgent electronic transfer.
The staff member was stressed because her office had been ransacked from the robbery just days prior, another staff member had emailed to resign and another in the department was on leave. All of this on top of business as usual with urgent requests for invoices to be raised etc. The controller did not carefully read the email but thought that the recipient of the funds was to be a lawyer and that the email was from me.
In hindsight there were three things that were wrong. First, the Australian resident had LLC after their name which stands for Limited Liability Corporation, a UK term meaning the same as Pty Ltd in Australia. The email, while saying it was from Allan Manning, was actually from a Gmail account and it did not have my usual footer. Having said this, the wording could easily have been from me as it was a polite business style.
The staff member wrote back and said ‘yes’ they could do that and then an email came back giving details of where the money was to be sent and I would bring in the invoice when I returned. Believing it to be genuine, the controller processed the payment. Fortunately, I returned from the trip just a short while later and in passing the member mentioned that she had processed the payment that I had requested. I then said ‘what payment?’ followed by her ‘Well you have written me two emails about it’. I then explained that I had been out and what I had been doing; I had not sent any emails at any time during the day. We then went to her computer to immediately discover it was fraudulent and were able, with the help of both our bank and the receiving bank, to stop the payment.
I can say without reservation that the staff member would not have been caught but for the stressful conditions we were all working under at the time. The person is well educated and dedicated, with a very high IQ. What this shows is that anyone can be caught and no matter how busy you are, you need to be on your ‘A game’ when it comes to cyber security.
Still feeling ill over the near miss and the effect it would have had on the business, the staff member was in the bank and in the time that they were there 5 people came in distressed that they had been scammed by either email or through LinkedIn, Facebook or text messages. Five people in under forty minutes at just one branch of one bank is a terrifying statistic.
The human mind sees what it expects to see.
For example, if you read the next sentence:
Most people will read this as ‘spring time in the park’; they completely miss the second ‘the’. The mind does not pick up every single word, but only picks up what it expects to see. So when the email came in from Allan Manning, they did not pick up the wrong suffix or usual footer.
Further, this is not a usual request; it is only because we are doing some renovations in the building that they thought it was legitimate. Normally they would ring me to check it was legitimate and get the second check before authorising payment.
During this whole process, I found that our own bank, the Commonwealth Bank, were a bit ordinary whereas the Cranbourne Branch of Westpac were fantastic, as were Victoria Police.
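Because a busy reader sees what they expect to see, the same checks can be run mechanically before a payment request reaches the person who pays it. The sketch below is an added example, not something used in the incident described here: it flags a trusted display name on an outside address, a missing usual footer, and payment wording, then holds the request for the phone check. The mail domain, footer text, keyword list and sample messages are constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed values, not from the post: mail domain, footer text, keyword list.
CORPORATE_DOMAIN = "corp.example"
PROTECTED_NAMES = {"allan manning"}        # display names scammers would borrow
FOOTER_MARKER = "corp example pty ltd"     # constructed line from the real footer
PAYMENT_WORDS = ("transfer", "payment", "invoice", "bank details")

def impersonation_flags(raw: str) -> list[str]:
    """List the red flags from the post that are present in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    text = f"{msg.get('Subject', '')} {body}".lower()

    flags = []
    if " ".join(display.lower().split()) in PROTECTED_NAMES:
        if domain != CORPORATE_DOMAIN:
            flags.append("protected display name on external address")
        if FOOTER_MARKER not in body:
            flags.append("usual footer missing")
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("payment request")
    return flags

def hold_for_callback(raw: str) -> bool:
    """Hold the payment for a phone check when it arrives with any other flag."""
    flags = impersonation_flags(raw)
    return "payment request" in flags and len(flags) > 1

# Constructed sample messages (addresses and wording are invented).
SPOOFED = """\
From: Allan Manning <constructed-sample@gmail.com>
To: controller@corp.example
Subject: Quick request

Do you have time to process an urgent electronic transfer today?
"""
GENUINE = """\
From: Allan Manning <allan@corp.example>
To: controller@corp.example
Subject: Renovation invoice

Please raise the invoice for the renovation work.

Allan Manning
Corp Example Pty Ltd
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, impersonation_flags(raw), hold_for_callback(raw))
```

A check like this only prompts the call; it does not replace ringing the requester on a known number and getting the second check before authorising payment.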
My final comment is that we can all have the very best procedures in place but the biggest risk is people risk when it comes to cyber security. I’m just so thankful that we dodged a second bullet only two days apart.