“It was a dark and stormy night. All was quiet except for the keyboard clicks in the office. Okay, let’s be honest: It wasn’t at night, it wasn’t darkness – it was in the middle of the day when we got phished.”
That’s how Dan Singh, CEO of Dial Rent To Own, began his scary “Big Phish Story” during APRO’s pre-Halloween webinar, Nightmare on RTO Street: Cybersecurity Tales to Save Your Neck and Your Networks.
Singh’s encounter with cybercrime was a terror for his company and a classic example of being “phished” – tricked by an email into giving away sensitive information … and more.
Here’s how Dan related the rest of his unfortunate phishing story:
“The GE representative Dial works with called us and wanted to know where their $9,064 payment was. We sent them the confirmation of a wire transfer. GE did some research and said the wire transfer didn’t go to their account.
“We investigated and discovered that our inventory clerk had received an email that looked very legitimate, [appearing to be] from Microsoft Office 365. It said that her emails were being held, and she needed to enter her password to release them. So she entered the password and all problems seemed to be diverted.
“At that point, the ‘phisherperson’ had access and the password for our inventory specialist’s emails, and they used it to exploit real-life situations. They started sending emails back and forth saying we needed to not pay the way we had been, but rather to transfer money to an alternate bank account.
“Then, using [Microsoft] Teams, logging in under the inventory specialist’s password, [the criminal] sent messages back and forth to the accounting office, repeatedly following up on the payments, making sure they were paid, putting pressure on the accounting department to make the payment to this bank account.
“The hacker deleted all traces of conversations immediately after sending them, so there was no record of it from our inventory specialists.
“Long story short, we transferred money, GE didn’t get it, and we lost $9,064.
“We tried to file fraud charges, and the bank told us there were so many cases, there was just nothing that they would do. They told us we wouldn’t get the money back.
“Warning signs that we learned from this incident included:
- Our inventory specialist did get emails [seemingly] from GE that had the correct name, but if she had clicked on the email address, it was funky. It was a funky name and a funky domain.
- They wanted us to change our payment method and wire the money to a bank in Dubai. We missed that one, too.
“All of this could have been avoided had we just made some simple phone calls within the office or with GE and verified the information.
“So we were phished, we were hooked, and we were cooked.”
APRO is committed to educating its members on cybersecurity. Cybercrime is real, costly, and hits all industries, including RTO. This webinar was a benefit of APRO membership – if you are not yet a member, join today at https://www.rtohq.org/join-apro/
Read the rest of our Nightmare on RTO Street stories: