Dawn A. Lissy, Founder & President, Empirical | 04.01.22
At first, I thought it was sweet that I was randomly hearing from people I’d lost touch with but still kept in my contact list. The initial two or three made me smile.
“So great to hear from you after so long! What? No, I didn’t email you.”
As it turns out, someone else did. My delight at reconnecting with old friends quickly morphed from confusion to concern. A hacker managed to invade my Outlook account. They spammed my entire list of 4,678 contacts as a first step in attempting to scam my friends and colleagues.
I was a victim of what the FBI calls Business Email Compromise (BEC), one of the most financially damaging and common cybercrimes. In 2020, the FBI estimated it cost American businesses over $2 billion.
I was lucky. Thanks to quick work from my IT managed service provider, this attack only cost me tremendous hassle and frustration. Tim Gregg of TruTech IT Solutions Inc. was able to lock down my account and counter the crooks so they never obtained sensitive information.
But the thieves did manage to set up a fake Empirical website with a URL close enough to the real thing to host an impressive clone of our actual site.
“It was a fairly elaborate hack once they got in,” Gregg said. “It looks like most of what they were trying to do was find out if there was any [email] correspondence for finances. They like to intercept those.”
When a breach like this occurs, cybercriminals usually set up a “back door” so they can maintain access. From there, they can reroute emails and dig through folders to find communication about payments, Gregg said.
“They’ll intercept it and make it look like their response is part of the email chain when it’s not,” he said. “A vendor will send a [purchase order] or invoice. They’ll intercept and say, ‘Here’s my information, send payments here.’”
And because they have full access to the email, they can cover their tracks by deleting those emails so the legitimate contact never knows.
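A defender-side check for the pattern Gregg describes, as an added example that is not from the article or from TruTech: it audits a mailbox's rules for forwarding to outside addresses and for rules that delete or hide finance-related mail. The rule records, the internal domain and the addresses are constructed for illustration; a real audit would export the rules from the mail platform's admin tooling.

```python
# Audit mailbox rules for the two BEC behaviours described above:
# rerouting finance-related mail to the attacker, and hiding it afterwards.
from dataclasses import dataclass

INTERNAL_DOMAIN = "empirical.example"   # hypothetical; use your own mail domain
FINANCE_TERMS = ("invoice", "payment", "purchase order", "wire", "remit")
HIDING_FOLDERS = ("deleted items", "rss feeds", "archive", "junk")

@dataclass
class MailRule:
    name: str
    keywords: tuple = ()      # subject/body terms the rule matches on
    forward_to: tuple = ()    # addresses the rule forwards or redirects to
    delete: bool = False      # rule deletes the matched message
    move_to: str = ""         # folder the rule moves the message to, if any

def audit_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return a list of findings for one rule; an empty list means nothing suspicious."""
    findings = []
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    finance_hit = any(t in k.lower() for k in rule.keywords for t in FINANCE_TERMS)
    hidden = rule.delete or rule.move_to.lower() in HIDING_FOLDERS
    if finance_hit and hidden:
        findings.append("deletes or hides finance-related mail (invoice/payment terms)")
    return findings

def audit_rules(rules):
    """Map rule name -> findings for every rule that produced at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.name] = findings
    return report

# Constructed sample rules: one benign, one matching the BEC pattern, one internal forward.
SAMPLE_RULES = [
    MailRule("Newsletters", keywords=("newsletter",), move_to="Reading"),
    MailRule("Vendor invoices", keywords=("invoice", "purchase order"),
             forward_to=("payments-desk@mail-relay.example",), delete=True),
    MailRule("Team updates", keywords=("standup",), forward_to=("me@empirical.example",)),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```

Only the "Vendor invoices" rule is reported, with both findings; the internal forward in "Team updates" is left alone.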
It’s an updated version of the gift card scheme more common a year ago, Gregg said. In that scam, the cybercriminal sends out requests asking contacts to please immediately send them gift cards with the promise to reimburse. According to the Federal Trade Commission, 40,000 victims were fleeced out of $148 million in the first nine months of 2021 with that con.
But as authorities crack down on one scheme, another evolves. Previously, cybercriminals tended to impersonate CEOs and high-ranking executives in a company to urge colleagues down the ladder to send money or gift cards, Gregg said. A newer scam shifts to lower-level employees. The scammer poses as an employee and emails human resources with a request to change their direct deposit. If HR doesn’t confirm by phone and simply follows that email request, the paycheck is rerouted to the scammer.
“I think the reason they’re going that way is the CEOs were targeted so much, a lot of filters have been set up to protect [high-level executives],” Gregg said. “Now [criminals are] moving to lower levels. A lot of times it’s just casting a wide net to see what they can catch—volume over single payout.”
Software companies are doing their best to keep up with the changing landscape of cybercrime, Gregg said. Outlook continuously upgrades its two-factor authentication security processes, which will catch most attacks, he said.
“The chances of somebody hacking from a technical aspect then become very low; 99 percent of attacks are blocked by two-factor authentication, according to Microsoft,” he said. “It leaves the weak link unfortunately being the user.”
I’m more than a little embarrassed that I was that weak link. I was in the middle of setting up another email account when I got a text for Outlook’s two-factor authentication. I thought the call I received was for a personal account, so I authorized access. I didn’t see at the time that the authentication was for my business email.
And that was all it took—Gregg has since set up processes so I can’t be prompted via a phone call to authenticate. I’m now being notified via an app or text message.
“The user has to be diligent in what they do,” Gregg said. “It’s really hard. A lot of professionals in the security sector don’t like text messages [for fear of] phone spoofing or sim card stealing.”
Push notifications are another option, but also not impenetrable.
“I think that’s just as easy to get past those or hit ‘OK’ as a phone call,” Gregg said. “It’s still very secure. But in a real-world experience, users get busy and accidentally push [the wrong option].”
I’ve learned that lesson the hard way. After locking down my account, double-checking the rules of the account to correct the scammers’ changes, and changing passwords and two-factor authentication methods, I still had thousands of friends and colleagues sifting through fake emails they thought were from me.
Fortunately, many of them called to double-check. Gregg said a quick conversation is your best bet for ferreting out fake requests.
“Any time someone is asking to change the way something gets paid, pick up the phone,” he said.
And trust your gut. If an email looks legit but somehow feels wrong, double-check.
“It’s more work, it’s frustrating but it’s safe,” he said. “It’s hard right now. Technology has come so far. There’s a lot of sophisticated hacking out there. And the biggest problem for any company from a security standpoint is the users themselves.”
Dawn Lissy is a biomedical engineer, entrepreneur, and innovator. Since 1998, Empirical Technologies Corp. has operated under Lissy’s direction. Empirical offers the full range of regulatory and quality systems consulting, testing, small batch and prototype manufacturing, and validation services to bring a medical device to market. Empirical is very active within the standards development organization ASTM International and has one of the widest scopes of test methods of any accredited independent lab in the United States. Because Lissy was a member of the U.S. Food and Drug Administration’s Entrepreneur-in-Residence program, she has first-hand, in-depth knowledge of the regulatory landscape. Lissy holds an inventor patent for the Stackable Cage System for corpectomy and vertebrectomy. Her M.S. in biomedical engineering is from The University of Akron, Ohio.