Barbara Corcoran is known for being a tough, no-nonsense judge on the hit show Shark Tank. On the show, entrepreneurs present their ideas to the judges to try to get funding. Mistakes during the presentation are magnified for a national audience by the often ruthless judges. Now Ms. Corcoran’s $400,000 mistake has hit the national media this week, and it all comes down to one misplaced letter in an email.
Phishing attacks are easily the most successful type of cyberattack used in data breaches. What makes phishing attacks so popular among hackers is their simplicity. Firewalls, virus protection software and even the most sophisticated cybersecurity systems will do little to prevent a phishing attack because these attacks target the weakest part of any security system: the people.
Phishing does not even necessarily require any special knowledge. All a bad actor needs to do is send an email posing as a trusted person to someone who has access to sensitive data. Often the attacker poses as a law enforcement figure like a federal agent, a financial figure like a bank, or an authority figure such as a supervisor or executive at the victim’s place of work. Then the bad actor may urgently request access to sensitive data or ask that the victim download malware that will allow access.
In Corcoran’s case, a hacker posing as her assistant sent her an email with a fraudulent invoice for real estate renovations for FFH Concept GmbH, a marketing agency in Germany. Corcoran said she did not even think twice about paying the invoice as it is common practice for her to make such payments. Said Corcoran:
“There was no reason to be suspicious as I invest in a lot of real estate.”
Corcoran’s bookkeeper continued to communicate with the hacker and ultimately wired $388,700.11 under the fake assistant’s instructions. The ruse was not uncovered until the real assistant was copied on a subsequent message and it was discovered that the sham email address misspelled her name by one letter. At that point, however, it was too late as the hackers had withdrawn the money.
“The scammer disappeared and I’m told that it’s a common practice, and I won’t be getting the money back.”
Protecting Your Business
After the fact, Corcoran’s IT department was able to trace the emails to a Chinese IP address. Another prominent business executive, Frank Krasovec, chairman of Dash Brands, was also the victim of a $450,000 phishing attack with links to China. Dash Brands owns Domino’s Pizza franchises in China, and a hacker intercepted Krasovec’s emails and sent messages to his assistant requesting money be wired to Hong Kong.
Krasovec is now suing his bank, PlainsCapital, for not having anti-fraud measures in place. PlainsCapital, in a court filing, states the stolen funds were “undoubtedly the fault of [Mr. Krasovec’s] own failure to implement appropriate internal controls to prevent his company and its employees from falling victim to a third-party scam.”
Banks generally do not refund money sent over wire transfer when a consumer has been hacked. According to the FBI, $1.8 billion was lost in 2019 from similar scams. It is the responsibility of business owners to adequately protect themselves from phishing attacks, and it is usually small and medium-sized businesses that suffer the most from phishing. Simply training yourself and your staff on what to watch out for can potentially go a long way toward saving your company a fortune.
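The sham address in Corcoran’s case differed from the real assistant’s by one letter, which is easy for a person to miss and easy for a mail filter to catch. The Python check below is an added example, not part of the original article: it compares the address in a From header against a list of trusted contacts and flags any sender that is a single insertion, deletion, substitution or swap away from one of them. The contact list, names and addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: addresses the finance team already trusts.
KNOWN_CONTACTS = {"emily.carter@example.com", "accounts@example.com"}

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "catrer" vs "carter".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_sender(from_header, known=KNOWN_CONTACTS, max_distance=1):
    """Return ('known', addr), ('lookalike', trusted_addr) or ('unknown', None)."""
    # Judge the address itself; the display name is free text the sender controls.
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    known_norm = sorted(k.lower() for k in known)
    if addr in known_norm:
        return ("known", addr)
    for trusted in known_norm:
        if edit_distance(addr, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers: one genuine, three near misses, one unrelated.
    samples = [
        "Emily Carter <emily.carter@example.com>",
        "Emily Carter <emily.cartter@example.com>",
        "Emily Carter <emily.catrer@example.com>",
        "Emily Carter <emily.carter@examp1e.com>",
        "Weekly Digest <newsletter@example.org>",
    ]
    for hdr in samples:
        print(hdr, "->", check_sender(hdr))
```

A "lookalike" result is a reason to hold the message and confirm a payment request through a separate channel, such as a phone call to a number already on file.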