At the quarterly Toledo Infragard meeting, the Special Agent from the Cleveland Division of the FBI discussed a current case.  The victim lost a substantial amount of money from a scheme so sophisticated... a well groomed "customer service" agent called - to help with the login issue.

This scheme was so sophisticated that the malware installed from an email "phoned" home to the hacker when the user went to their banking web site.  The hacker was able to put together the company, bank, location, and "jam" up the bank web site.  The user was not able to login to the bank web site... and then a "customer service" agent called the victim.  They spoke fluent English and all the pieces match so well to the victim that there was no indication of anything suspicious.  The "customer service" agent was "helping them get logged in" and tried testing the login on their side.  The agent was able to talk the user into giving up their user id, password, AND number on the key fob.  Being so helpful they were able to talk the victim into "testing" another user id - thus giving up the SECOND persons user id, password and key fob.  With this information the "customer service" agent was able to share this information to the "hacker" so they could log into the account and perform wire transfers and ACH transactions and make them all fly under the radar.

Hindsight being 20/20...  the lessons learned:

  1. customer service never calls you
  2. customer service never "tests" your login
  3. never ever break rule #1 of Passwords - Never give up your user ids, passwords, or especially your keyfobs - these are YOUR identity!

The company did not realize this happened until some time later.  Their bank invoked its fraud procedure which was able to stop many of the ACH transactions, but the wire transfers could be "gone".

I am sure the "middle man" in this case the customer service agent was hired as a "work from home" job for customer service login issues.  The hacking industry has created its own business structure and many of its employees are hired to do a job... a job they do very well.  They don't ask details and they are paid very very well.

Can you employees, or you detect a compromised email?  Can your job with stand this type of test?  Can your company withstand a complete bank account depletion?

Let us help you with security awareness training and putting all the pieces in place to protect the network and the company!  Call us today!