Job Seekers Beware a “Work at Home” Scam


A complex social engineering attack targets job seekers.  Folks make bad decisions when they are desperate and scared, and criminals know this.  Of the many intricate social engineering cons out there, look out for one called a “Mule Scam.”  These attacks target the unemployed, mostly through job boards, LinkedIn groups, and resume posting sites.

An acquaintance of mine shared his story with me to help others protect themselves.  He is an intelligent, conscientious man who was scared and desperate and who saw what he wanted to see, and, in the end, it cost him thousands of dollars.  Before you judge, understand the fear and anxiety that go through the mind of a successful individual who can’t provide for his family.

The con started with a foreign business asking him to translate communications between their European business and the “new” American market they were trying to penetrate.  He simply took email messages and rewrote them into proper English.  He performed this task about a half dozen times and earned a couple hundred dollars.  The deal seemed harmless; it turns out this was the hook.

The email messages were basic, telling the story of a European online auction site that provided high-priced items to collectors.  Some notes thanked customers for their purchases.  Other communications discussed activity with “representatives” who were “financial intermediaries” that took money from buyers and, after taking a small cut, sent the remainder, via wire transfer, to the business based in Europe.

My source was happy with this small amount of money and hoped the business would ask him to become a “representative,” as he would make ~$2,000 per month in addition to the commission on all transactions, simply by taking money into his PayPal account and transferring it via wire to their business in Europe.  He believed the activity was a goodwill gesture because, he was told, PayPal has low dollar limits in Eastern Europe.  His work was “kindness,” as this business wanted to supply their goods to Americans and “nice” people allowed them to do this by acting as a “financial intermediary” to get around PayPal’s limitations.

After a couple of weeks rewriting bad English, the offer came forward.  My acquaintance provided screenshots showing his PayPal account had no limits and that he was a “preferred” member.  He also sent a photo of a redacted driver’s license to show his new employer that he was a human being and did exist.  He even had a phone interview and discussed the opportunity.  He did Google searches on the company and the position and even found that Scam Advisor rated the business as 100% safe.

The first deal came forward.  A simple eBay transaction for goods that cost around $2,250.  His contact with his new “employer” provided shipping information and when the buyer received the merchandise, he sent the money, minus fees, from PayPal to his bank account.  After the money arrived, he then wired the money to a bank in Eastern Europe.  He was allowed to keep hundreds of dollars for the typing and his commission.  It all looked great.

The following week another transaction came into his PayPal account, this time for a larger sum.  He was pleased.  This meant another couple hundred dollars in “salary” after PayPal took their cut, money for his family, or so he thought.  The “employer” contacted him with shipping information and his American contact called to follow up as well.  The phone call made sure he would promptly move the money to his bank account and wire funds as soon as possible.  No problem, all was on the up and up, as far as my associate was concerned.

While the money was in transit from PayPal to his bank account, he received a call from eBay.  The customer service department noticed strange activity on his account and wanted to know what was happening.  After about 30 minutes on the phone, and after validating through questions that eBay was really eBay, it turned out my acquaintance was the victim of a “Mule Scam.”  He was the middleman for criminals, taking money for false transactions and then wiring the money to con artists in Europe.

Thanks to eBay, my contact was able to move the money for the second transaction back to his PayPal account.  Unfortunately, since my acquaintance was neither a buyer nor seller, PayPal does not insure the money and he now owes PayPal for the first transaction.  Since he already wired money to Europe, he has to come up with this money lest PayPal “take him to court.”

My contact is intelligent, diligent, and thoughtful.  He failed to follow the basic tenet that if something seems too good to be true, it probably is.  He also didn’t pay enough attention to realize the con artists used email from a third party, not the domain of the business they were supposedly working for.  Lastly, he should’ve wondered why eBay was involved when the auction house was supposed to be in Europe.

There are many morals to this sad tale, not the least of which is to beware of social engineering.  Con artists are smart and detailed, and they prey on scared and desperate people.  Pay attention, be alert, and listen to your inner self; if something seems amiss, it probably is.  Don’t fall prey to scams, and be especially aware during desperate times.
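
The email-domain red flag from this story (an "employer" writing from a third party's mail service instead of its own domain) can be checked mechanically.  The sketch below is an added example, not part of the original article; the domain euroauction.example, the sample messages, and the provider list are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short illustrative list of third-party mail providers.
THIRD_PARTY_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "mail.ru"}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def belongs_to(domain, company_domain):
    """True only for the company domain itself or one of its subdomains."""
    return domain == company_domain or domain.endswith("." + company_domain)

def sender_red_flags(raw_message, claimed_domain):
    """List mismatches between a message's sender and the claimed employer."""
    msg = message_from_string(raw_message)
    claimed = claimed_domain.lower()
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if not from_dom:
        flags.append("no parsable From address")
    elif not belongs_to(from_dom, claimed):
        kind = ("third-party mail provider" if from_dom in THIRD_PARTY_MAIL
                else "unrelated domain")
        flags.append(f"From is {from_dom} ({kind}), not {claimed}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")
    return flags

# Constructed sample: a job offer claiming to come from euroauction.example.
OFFER = (
    'From: "EuroAuction HR" <hr.euroauction@gmail.com>\n'
    "Reply-To: payments@euroauction-jobs.example\n"
    "Subject: Financial intermediary position\n\n"
    "We would like to offer you the representative role.\n"
)
# Constructed sample: mail actually sent from a subdomain of the company.
GENUINE = (
    "From: Careers <careers@mail.euroauction.example>\n"
    "Subject: Interview schedule\n\n"
    "Please confirm your availability.\n"
)

if __name__ == "__main__":
    for name, raw in (("offer", OFFER), ("genuine", GENUINE)):
        print(name, sender_red_flags(raw, "euroauction.example"))
```

A clean result is not proof of legitimacy, since the From header can be forged; a mismatch, however, is a strong reason to stop and verify the employer through an independent channel.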

5 Cyber Security Mistakes Most Companies Make

Cyber security falls under the responsibility of everyone, not just information technology professionals.  As with personal security, individuals must pay attention to their surroundings and their actions.

There are a number of areas that businesses and employees fail to pay attention to regarding cyber security.  These are in no order of importance as all are critical.

Lack of training for staff

When we raise our children we make sure they know to look both ways before crossing the street, not to take candy from strangers, and never to get in a car with someone they don’t know.  To all of us, this is common sense as we received this same education ourselves.

With cyber security, the same principles apply.  Don’t open attachments from unknown sources.  Don’t go to websites that appear suspicious.  Don’t tell anyone your password(s).

Businesses must make sure they have education for all employees regarding these, and other, basic cyber security concepts.  The training should occur at new hire orientation and it makes sense to have annual or semi-annual reviews.

Failure to limit/log access

Who has access to what data?  Which IT administrator modified the directory structure?  Who changed permissions?  Do all employees have access to HR files?  Does any unnecessary person have access to financial records?  Are there logs showing who accessed what data?

Most of the answers to these questions will be “we don’t know,” and that’s a problem to acknowledge and address.  Companies need to utilize built-in tools to log access and, when necessary, purchase third-party software for greater control and granularity.  Not only can tracking access prevent a data breach, it enables organizations to find out what happened when data loss does occur.

Caring about corporate data

Most employees simply focus on their day-to-day job; they are not necessarily concerned with intellectual property at their company.  Vast numbers of employees don’t even know what data is critical to the success of their business.

With a myopic focus on what’s in front of us, it’s extremely difficult to protect that which truly matters to an organization.  Employees understand that financial and human resource records deserve protection, but that’s not enough.

Staff must also know about core data critical to the company so they can make sure to take proper action when dealing with that information and when dealing with others who have responsibility for protecting that data.

Understanding cyber threats

Phishing.  Spoof.  Worm.  Trojan horse.  Pharming.  Hijack attack.  All are key terms in the cyber security world and, with few exceptions, most people do not know what these expressions mean.

Along with basic education, it makes sense for organizations to make sure staff know what these attacks are and how to protect against them.  There are a number of terms and threats that individuals are familiar with; it’s the responsibility of businesses to help employees understand additional dangers.  Common sense goes a long way, and by adding simple communication, businesses can ensure employees know what to look for and how to act when issues arise.

Spending money in the wrong areas, or not at all

Too often businesses focus on revenue generation opportunities and ROI when spending money.  Companies must take a defensive posture as well.  This doesn’t mean only spending money on networking equipment and edge devices to protect their information assets; they must understand the extent of the threats and spend in numerous areas.

Firewalls, extranets, and intrusion detection systems are all well and good; however, they only protect companies from specific types of attacks.  Businesses must take a holistic view of cyber security and invest as necessary.  Cyber security is an investment and should be viewed as such through the budgeting process.

Everyone must take ownership for cyber security.  In today’s world with major data breaches occurring seemingly weekly, impacting millions of people, it’s imperative to pay attention and share in the responsibility for data protection.

Through education, logging, understanding corporate data, knowledge of threats, and proper cyber security investments, companies will find greater security.  When companies have data protection, investors, employees, and consumers receive peace of mind and clarity that they are as secure as possible.

Eric Jeffery has 20+ years’ experience with Information Technology including stints in the Retail, Aerospace, Defense, Hardware, Entertainment and Healthcare industries.  Eric has a Bachelor of Arts degree in Economics from the University of Colorado at Boulder.  Mr. Jeffery recently founded Gungon Consulting to help businesses solve the exact problems mentioned in this article.  You may contact Eric at eric@gungonconsulting.com.