Skip to main content

Phishing Attack. Clever!

During a recent board meeting I was informed that one or two of our larger clients (car manufacturers) demanded that our email passwords be renewed every month. Every bloody month! I hit the roof. Like a lot of people these days who live sleep eat and breath emails, I access them on every device possible including phones, tablets, laptops and other PCs. Each one would need the new password entered (assuming I could remember it!) 12 times a year. The world's gone mad. But despite the fact I own the company and therefore chair the board, I had no option. Comply or lose clients.

The next day I received the notification I was waiting for to renew my password. It was a typical Microsoft Exchange notification to click here and type in my current password which I duly did, followed by a web screen asking for my new password, which it confirmed had been changed. Now all I had to do was change the password in all my other devices which I would get around to doing later. Total pain in the whatever.

The next thing that happened was a call from my CEO asking if I'd requested a payment by our Financial Controller to a building company for several thousand pounds. Apparently I'd sent her an email asking if she'd rush it through.

I'd been hacked.

The password changing routine had obviously been a phishing exercise that thanks to my being alert (and still angry), I had reluctantly been waiting to happen. Of course I had received emails like this before, but this time the timing was unfortunate + the email and website it took me to were very convincing.

Luckily my team were on the ball - quite apart from them knowing I would never ask for personal expenses to be passed through my company. So we didn't lose any money. My email account was frozen and my password was immediately changed by our IT chaps, so no lasting damage done... except for one thing...

A few days later I received an email from the CEO replying to an email sent to the whole board by our Financial Controller - including me, but which I hadn't received. In fact after a number of tests, although I could send her emails, none of her replies came into my inbox.

The IT took a few days to find out what was going on but eventually they discovered that the Phishers had:
  1. Captured my password and logged into my email account through webmail
  2. Read enough emails to discover who controlled our payments
  3. Sent her an email from me requesting a payment
  4. Even more cunningly, they had also set up a rule that automatically forwards all emails to me, from her, into my RSS inbox (which no-one ever reads). So if she replied "OK" or something like that, which most people would have done to acknowledge they'd done what they were asked, I wouldn't be alerted to the fraud.
So all I had left to do was delete that rule from Outlook. But when I looked for it, it wasn't there...

Until I looked at the small print right at the bottom of the Outlook dialog window which said something like 'rules set up through webmail won't appear here'. Sure enough when I logged into my email account through webmail rather than Outlook on my laptop, there was the rule.


Microsoft had assisted the fraud by ensuring I would be oblivious to the rule the fraudsters had set up. Who goes into their webmail? I only ever use it if I'm at a public terminal and I don't have one of my many devices at hand ready-loaded with a logged-in, and password-enabled email manager.

This does seem a daft state of affairs where rules in one version of Outlook aren't the same as the rules in - for the same email account. And dangerous for exactly the reason I had discovered.

Turns out, this constant password changing ritual is more of a danger to security than sticking with a sensible one in the first place. I would love to wake up in a world where passwords have been consigned to history and tech has found an easier and safer way to ensure I am who I say I am.


Popular posts from this blog

Phillips screws - yes I'm angry about them too

Don't get me wrong. They're a brilliant invention to assist automation and prevent screwdrivers from slipping off screw heads - damaging furniture, paintwork and fingers in the process. Interestingly they weren't invented by Mr Phillips at all, but by a John P Thompson who sold Mr P the idea after failing to commercialise it. Mr P, on the otherhand, quickly succeeded where Mr T had failed. Incredible isn't it. You don't just need a good idea, you need a great salesman and, more importantly, perfect timing to make a success out of something new. Actually, it would seem, he did two clever things (apart from buying the rights). He gave the invention to GM to trial. No-brainer #1. After it was adopted by the great GM, instead of trying to become their sole supplier of Phillips screws, he sold licenses to every other screw manufacturer in the world. A little of a lot is worth a great deal more than a lot of a little + vulnerability (watch out Apple!). My gromble is abo

Introducing Product Relationship Management - it's what customers want.

Most businesses these days have Customer Relationship Management (CRM) systems which store and process vasts amounts of information about us. They use this information to generate communications, amongst other things, which target us to buy their products and services. CRM is all about how a business relates to its customers: Past (keeping them loyal through aftersales and service), Present (helping them buy through bricks and clicks channels) and Future (prospecting). Most businesses will at some stage have declared themselves 'customer-centric'. They will probably have drawn diagrams on whiteboards that look something like these: But there's a problem with this whole approach of keeping the customer at the centre of your world and the focal point for everything you do. Is it what the customer wants ? Of course companies who ignore their customers eventually go out of business. And those who treat their customers well, tend to thrive. But is it really in the best inte

The Secrets of Hacker Golf

Social media is awash with professional golfers selling video training courses to help you perfect your swing, gain 50 yards on your drive and cut your handicap. They might help a few desperate souls, but the rest of us hackers already know everything we need to complete a round of golf without worrying the handicap committee or appearing on a competition winner's list. What those pros don't realise is that for us hacking golfers who very occasionally hit shots that if you hadn't seen how they were hit, end up where the pros might have put them, we already know everything we need to know - and more. Unlike pros who know how to time the perfect swing in order to caress a ball 350 yards down the centre of a fairway, we hackers need to assemble a far wider set of skills and know-how to complete 18 holes, about which pros have no comprehension, need, or desire to learn. Here are some of them: Never select your shot until after you've hit it. A variation on this is to alway