This case involves a law firm based in the south of England. The firm was of a reasonable size and, like most law firms, held a lot of very sensitive customer data.
One morning one of the solicitors received a Facebook message purporting to be from a young law student. The message read:
"I am a huge fan of the work your law firm does. I am in my penultimate year of law school and I was hoping I might be able to do some summer holiday work experience at your firm. I see you also attended the same law school! I have attached my CV for your consideration."
Jennifer opened the CV. It looked like a blank Word document. She replied asking the sender to resend it. Quickly forgetting about the whole exchange, Jennifer went about her day as usual.
Unbeknownst to Jennifer, the attachment had dropped malware known as a trojan onto the system. It gave the attackers a view of the firm's online banking account: they could see what money had come in from clients and every payment and direct debit going out of the account.
Fast forward a few days. Two clients had paid in money for the purchase of a house. The attackers, still watching the law firm’s bank account, saw this happen.
That morning the receptionist received a call from the “bank”.
"Hello, we are from your bank. There is a problem with your account and it needs to be validated. If this isn't done today then no payments can leave the account."
The helpful receptionist transferred them to the finance team. Beth in finance was a bit suspicious of the caller and asked them to prove that they were in fact the bank. This was easy for the attackers to do as they were watching the bank account.
"We can see you have a direct debit to Virgin Media going out on the 2nd of every month for £69.70."
Convinced that this must mean they were the bank, Beth asked them what she needed to do to validate the account.
"We need you to put the card into the card reader and add us as a new payee. Then transfer £1 out of the account, which we will transfer straight back, and it will all be validated."
Beth did as instructed. She was due to be heading home for the weekend at 3pm and it was already 2:45! Beth thanked the “bank” for being so helpful and started packing up.
The attackers emptied almost £2 million out of the accounts. This was only discovered the following Monday. The real bank refused to reimburse the stolen money, so the partners of the firm had to re-mortgage their own houses to repay the clients.
What can we learn?
- Invest in social engineering training for your staff: Jennifer should never have opened that CV. Facebook messages can carry attachments just like email, so they need exactly the same caution. Beth from finance should have hung up on the attackers and called the bank back on a number she found herself.
- No social media on work devices: you can pay for excellent email filtering, but if staff can click links or open attachments sent in a Facebook message, that money is down the drain. Set up a guest Wi-Fi network and let staff access their social media on their own devices.
- Company policy: make staff aware of their duty to report suspicious emails or calls to your IT or security team.
- Have a four-eyes payment policy: this means two people are needed to approve a payment. The attackers would not have been able to get all that money transferred through a single person if this had been set up. Speak to your bank to set this up.
- Consider a separate banking machine: having a separate device that is used for internet banking only, with no email or social media access, could reduce the risk of this type of attack succeeding.