This is how easy it is for a business to be scammed. "Julie from accounts" posts on her Facebook page that she had a great time at the beach over the weekend with her dog "Milo", along with friends "Maria and Steve".
Back at work, she receives an email from her CEO: "Hi Julie, I hope you enjoyed your weekend at the beach, and that Milo has recovered from his sore stomach. I am travelling today, but need you to urgently transfer $50,000 to this account number - the payments team have already authorised it, so please have it processed by 10.30am.
"I am out of cell phone coverage - and this needs to be paid urgently to ensure we replace our depleted stock."
Only thing was…it wasn't the CEO. It was scammers, mining gold from Julie's social media and accessing her email to earn themselves a cool $50k. It's called spear-phishing, according to Bronwyn Groot, lead investigator of fraud and scams at QRisk, a New Zealand-based company specialising in this type of investigation.
"Julie" is fictional – but the scenario is all too real. Spear-phishing is a step up from phishing, where emails target people's credit card or internet banking details, personal information (like driver's licence and passport) and passwords for online accounts – all with the aim of relieving the target of easy money.
It is a growing "industry". CERT NZ says that in 2020, nearly $17m was lost across about 8000 reported cybersecurity incidents – up a staggering 65 per cent on 2019. Even that doesn't give the full picture, says Groot, citing Netsafe, another internet scam authority, which has estimated in recent years that the real figure is closer to $400m because so many breaches go unreported.
"It's the embarrassment factor," says Groot, relating the tale of a general manager of a large New Zealand private business who found out the company had been scammed only when their large monthly salary run did not get paid. The scammers managed to have it routed elsewhere.
"Staff were told, 'This doesn't go anywhere, just correct it and forget it'," says Groot. These crimes carry a stigma which keeps victims from reporting them to authorities. Embarrassment, a feeling of stupidity and fear of brand damage all prevent the true cost from coming to the surface.
QRisk offers a full end-to-end client care and response service for scams, fraud, extortion and other criminal activity against businesses – focusing on what Groot says is easily the prime factor in such incidents: people.
CERT NZ says phishing and credential harvesting (where an attacker tricks people into handing over usernames, passwords and other personal data) were the most reported forms of attack, up a whopping 76 per cent on 2019 – and that 65-70 per cent of all cyberattacks could be prevented if people took simple behavioural steps.
That's where QRisk comes in, says Groot: "People talk about cybersecurity and the technology and that is all very well. You can have the smartest and best cybersecurity systems in the world – but they are no good if a person on your staff makes a simple mistake. Human error is so often the root cause."
Those errors are easy to make. Scammers are clever, educated in their craft and play on human psychology. They fool even the best of us.
"So often I hear, 'How could I have been so stupid, there is no way this should have happened to me'," says Groot. "They are not stupid, they are victims of an organised criminal enterprise who are good at what they do."
Emirates Team New Zealand lost a seven-figure sum last year when scammers altered a single character in an email address. The giant US health insurance company Anthem fell victim to a staff member caught out by a phishing email in 2015 – and 78m customer records were exposed, leading to scam emails being sent to many of those customers. In another US company, a payslip left on the photocopier led to a US$22m staff embezzlement.
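The single-character trick described above is one of the few scam techniques in this story that a simple mechanical check can catch. The following is an added example, not code from the article, from QRisk or from any of the companies named: it flags a sender whose domain is one edit, or one look-alike character, away from a domain the business actually deals with. The allowlist, the homoglyph table and the sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr
import unicodedata

# Constructed allowlist: domains this business actually pays or takes instructions from.
TRUSTED_DOMAINS = {"ourcompany.co.nz", "example-shipping.com"}

# Assumed (not exhaustive) table of characters that pass for one another in most fonts:
# digits standing in for letters, and Cyrillic letters for their Latin twins.
_HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",
})


def normalise(domain: str) -> str:
    """Fold a domain so that look-alike spellings collide with the genuine one."""
    folded = unicodedata.normalize("NFKC", domain).lower().translate(_HOMOGLYPHS)
    # Two-letter pairs that read as one letter: "rn" for "m", "vv" for "w".
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes or swaps to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From: header as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not on the allowlist but is either one
    edit away from an allowlisted domain or identical to one once look-alike
    characters are folded; that is the case that deserves a phone call before
    any payment is made.
    """
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return "unknown"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return "trusted"
    folded = normalise(domain)
    for good in trusted:
        if folded == normalise(good) or edit_distance(domain, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the one-character alterations a
    # busy accounts clerk would not notice.
    samples = [
        "CEO <ceo@ourcompany.co.nz>",           # genuine
        "CEO <ceo@ourcornpany.co.nz>",          # "rn" in place of "m"
        "finance@example-shlpping.com",         # "l" in place of "i"
        "finance@examp1e-shipping.com",         # digit 1 in place of "l"
        "CEO <ceo@\u043eurcompany.co.nz>",      # Cyrillic o in place of Latin o
        "someone@gmail.com",                    # unrelated sender
    ]
    for s in samples:
        print(f"{classify_sender(s):9s}  {s}")
```

A check like this belongs in the mail gateway or as a banner on inbound mail, but it is only a prompt: the page's own point stands that the control that actually stops the transfer is a person who picks up the phone and confirms an urgent payment request through a channel the email did not supply.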
QRisk educates staff on how to recognise scams and what to do to avoid falling victim, education being "way better" than the need for investigation, says Groot. The company also investigates scams, and has HR and culture specialists who come into an organisation after a scam to help mend morale, which is inevitably punctured by such an intrusion.
"These things can put a big hole in a brand," Groot says. "I think Team NZ suffered for a bit and big companies like Anthem get a huge dent in their brand. But it's about people too. Typically what happens after a scam or a data leak is that the executives go into full 'how did that happen' mode, and impose excessive controls that don't address the core issues.
"That causes a bad operating environment, with people looking sideways at each other, and there is often an accusatory environment and a flow-on effect with morale. We come in, understand what has occurred, lift the financial scam awareness through training and address the culture of the company, with a view to move from a blame culture to one of empowerment, awareness and team work."
"Prevention is what you want – staff doing the simple things well, on a consistent daily basis, supported by good internet security systems. That helps build layers of resilience in your security.
"People are an organisation's strongest asset but, if the culture, awareness and training isn't right, those people can be the link that breaks, creating that gap for the scammers to come in and cause massive financial and disruptive costs."
For more information: www.qrisktraining.co/business-frauds-and-scams-situational-awareness