When a Friend Really Isn’t a Friend: Phishing Scams and Manufacturing

October 1, 2020 | Article

It’s not an uncommon story. A contract manufacturer, let’s call them ABC Manufacturing, had been working with a trusted metal supplier, 123 Metals, for more than 20 years. They worked together on numerous deals and had honed their communication style over the years. In fact, it was completely normal to communicate through email on a variety of items, including price negotiations, purchase orders, invoicing and more.

The companies’ employees even got to know one another so well, they would ask about their families, weekend plans and so on.

Because a personal email was a completely typical exchange, Bob at ABC Manufacturing received the following email from John at 123 Metals one Monday morning.

Hi Bob, how was your weekend? Looks like snow is in the forecast again for you guys. Not sure if winter will ever let up.

I’m attaching this month’s invoice for order #592312. You may notice the invoice looks a little different. We are undergoing a software change and for this month only, are asking our customers to wire their payments instead of sending a physical check.

Let me know if you have any questions and I can help you through this process. I’m also working on negotiating a price for part #CO347 and will have that information to you later in the week.



Bob and John had worked together for a long time, so without much of a second thought Bob had the funds wired to 123 Metals. In total, following the supplier’s “wire instructions,” Bob sent a $500,000 payment to his trusted metal supplier and moved on with his day.

A month later, John at 123 Metals called Bob as he returned to the office from lunch. He was inquiring why ABC, who was normally so reliable, hadn’t mailed a check for this month’s payment.

With a sinking feeling, Bob realized what had happened. The email and the electronic wire instructions were fake. Hackers had managed to walk away with $500,000, with a slim likelihood the funds would be recovered.

The fact is, cyber schemes are becoming more sophisticated. That’s why cybersecurity awareness is everyone’s business.

Tips to Help Protect Yourself from Email Spoofing

What happened to Bob is called phishing, and it’s a common tactic for hackers. While some phishing attempts can be easy to spot, many attacks are becoming extremely sophisticated and hard to detect. Here are a few tips to think about before you get spoofed:

  1. Implement multi-factor authentication for your email login to add an extra step of protection to your email security. This is where you get a text message on your phone with a unique code anytime you try to log in. This prevents hackers from logging in to your email and sending fake emails like this one if you accidentally give up your credentials.
  2. Whenever something is meant to be transferred, such as wiring money, sending a check, shipping a part, or changing contact information, use a second method to verify the change or direction is correct. Had Bob picked up the phone to verify that John truly wanted the money wired instead of mailed by check, it would have prevented the entire disaster.
  3. Simulate phishing scams with your employees and do it often. We need to constantly be on the lookout for these kinds of attacks. Continuous awareness training through simulated phishing scams helps end users become more aware and less likely to fall victim to such an attack.
  4. Beware of any email with links. Avoid clicking on the links, and instead go directly to the website. For example, when someone adds you on LinkedIn, don’t click accept in the email notification; go to LinkedIn.com and accept from within the website.
  5. Beware of emails with attachments. Only open attachments from trusted individuals when you are expecting them. If you weren’t expecting it, pick up the phone and call to confirm they actually sent you the attachment.
  6. Only use secure websites, indicated by https:// in the address and/or a security “lock” icon in the browser bar.

Why You Have to Always Be on the Lookout for Potential Scams

The moral of the story isn’t hard to figure out: you and your company must always be on guard for potential hacking scams. Hackers are becoming more sophisticated every day. Their impact is widespread and not based on industry or company size.

Email spoofing can happen to anyone. Now is the time to protect yourself and your company from hackers.

If you are concerned that you may have already been the victim of email spoofing, please contact your local IT team immediately. They can help to identify and limit the impact of any data breach that may have occurred.

It’s not a matter of if a cybersecurity incident will occur, but when. Make sure you’re prepared.
