This story is going to sound all too familiar... A small town has been victimized by scammers via a phishing attack, and $2.3 million of taxpayer money has been stolen. This time the town in question is rather local: Peterborough, NH, about an hour and a half northwest of Boston.
Hackers were able to forge a series of emails from two entities the Town of Peterborough does business with regularly. The first, ConVal, is the local school district. The second, Beck and Bellucci, is the contractor hired by Peterborough for the construction work being done on the Main Street Bridge.
The hackers first stole the $1.2 million that is sent monthly to the school district (around July 26th, according to the Monadnock Ledger-Transcript). The remainder was taken around August 18th.
The Department of the Treasury and the Secret Service are involved in the investigation, which is ongoing. Five finance department employees are also on paid leave until the investigation is complete.
Details are scarce regarding exactly what happened, but the Ledger-Transcript does confirm it was via a phishing attack. Some poor employee was convinced, via email, to change some routing numbers and make an ACH payment to the scammers instead of to the intended bank account.
Woof. It's a tale as old as time. Or at least it feels that way, since we've been covering this exact same type of thing for YEARS. Ultimately, though, saying stuff like that doesn't help anything. Honestly, it doesn't. What does help is offering a means, or a set of instructions, designed to help people AVOID these sorts of attacks. So without further ado...
What is Phishing?
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.
Typically carried out by email spoofing, instant messaging, and text messaging, phishing often directs users to enter personal information at a fake website that matches the look and feel of the legitimate site.
Phishing is an example of social engineering techniques used to deceive users. Users are lured by communications purporting to be from trusted parties such as social websites, auction sites, banks, colleagues/executives, online payment processors, or IT administrators.
Attempts to deal with phishing incidents include legislation, user training, public awareness, and technical security measures (the latter being necessary because phishing attacks frequently exploit weaknesses in current web security).
How to Stop a Phishing Attack:
Slow Down and Control Your Emotions
Remember, the attacker is trying to manipulate your emotions into making a quick reaction. The more time you take to think about the situation, the more likely you’ll start to realize something’s up.
We might be animals when it comes to our emotions, but we’re also brilliant. By slowing down, our rational brain allows us to overcome our feelings.
Think About What You're Reading, Seeing or Hearing
The more time you give yourself for rational thought, the better off you are when it comes to seeing through the attacker’s ruse.
Look for things like strange word choices or misspellings. Look for visual clues like off-brand graphics (if it comes from someplace like your bank or a store you frequent).
You’re more astute than you might give yourself credit for. If something seems off, it probably is.
Check to See Who Sent the Message
Email masking is incredibly common today. Most email clients display a friendly sender name in place of the raw address so it’s easier to see who a message is from. The problem is that attackers leverage this: the display name is whatever the sender chooses to put there.
If you’ve got the feeling the message you’re reading isn’t on the level, check who actually sent it. If the name is familiar but the email address isn’t, there’s a good chance you’re experiencing a social engineering attack.
Don't Follow Blind Links
Links are easy to hide, just like email addresses. If you can’t discern where a web link is going to send you, don’t click on it.
Always hover over or right-click an email link (whichever your email client supports) to see where it will actually send you.
Be Wary of Attachments
If you’ve gone through the steps mentioned above, you probably know what I’m going to say here: don’t download attachments from people you don’t know.
Sometimes it’s a bad idea to download attachments from people that you do know, too. Be on the lookout for email attachments that appear to be Microsoft Word or Excel files. They might contain pretty nasty surprises.
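The three checks in the last sections (a familiar sender name on an unfamiliar address, a link whose visible text points somewhere other than its real destination, and Word/Excel attachments) can be automated for triage. The script below is an added example, not code from the original post; it uses only the Python standard library, and the KNOWN_SENDERS address book, the RISKY_EXTENSIONS list and the SAMPLE message are constructed assumptions standing in for an organization's own contacts and policy.

```python
"""Triage a raw e-mail for the warning signs discussed above (added example)."""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed address book: display names the reader recognises, mapped to the
# domain those contacts legitimately send from (constructed for this example).
KNOWN_SENDERS = {
    "conval payroll": "conval.edu",
    "beck and bellucci": "beckandbellucci.com",
}

# Attachment types the post singles out as carrying "nasty surprises".
RISKY_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")


def check_sender(msg):
    """Return a warning if a known display name arrives from an unexpected domain."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and domain != expected:
        return f"sender '{name}' expected from {expected}, got {domain or addr!r}"
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL or bare domain; '' if the text is not URL-like."""
    value = value.strip()
    if not value or any(ch.isspace() for ch in value):
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def check_links(html_body):
    """Warn about links whose visible text names a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        shown = _host(text)
        # Only link text that itself looks like a domain can mislead the reader.
        if "." in shown and shown != _host(href):
            warnings.append(f"link text shows {shown} but points to {_host(href)}")
    return warnings


def check_attachments(msg):
    """Warn about attachments carrying Word/Excel extensions."""
    warnings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            warnings.append(f"office attachment {name!r}")
    return warnings


def triage(raw_message):
    """Run all three checks over a raw RFC 822 message and return the warnings."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    warnings = []
    sender = check_sender(msg)
    if sender:
        warnings.append(sender)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        warnings.extend(check_links(body.get_content()))
    warnings.extend(check_attachments(msg))
    return warnings


# Constructed sample: a familiar name on a look-alike domain, a disguised link
# and an Excel attachment, mirroring the warning signs the post describes.
SAMPLE = """\
From: "Beck and Bellucci" <accounts@beckandbelluci-invoices.com>
To: finance@example.org
Subject: Updated remittance details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please update our bank details via
<a href="http://203.0.113.10/update">https://portal.beckandbellucci.com</a></p>
--b1
Content-Type: application/vnd.ms-excel
Content-Disposition: attachment; filename="ACH_change_form.xlsm"

ZmFrZQ==
--b1--
"""

if __name__ == "__main__":
    for warning in triage(SAMPLE):
        print("WARNING:", warning)
```

Running it on the sample prints three warnings: the look-alike sender domain, the link whose text names the contractor's portal but whose href is a bare IP address, and the .xlsm attachment. The link check deliberately ignores ordinary link text such as "Click here", since only text that itself looks like an address can mislead a reader about where a link goes.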