Anti-fraud training could keep you from getting peeled like The Onion

The Syrian Electronic Army strikes again, in a case that could have been avoided through anti-fraud training. 

Satirical news site The Onion has a reputation for fooling people with its outrageous fake headlines, but earlier this month, it was The Onion’s turn to get tricked. It may not be the Associated Press, but The Onion’s Twitter feed has more than 4 million followers, and that’s undoubtedly part of why the SEA targeted it in another phishing scam that led to that account getting compromised. As it had previously, the SEA used the opportunity to post its own damaging tweets before order was restored (although one questions the wisdom of crafting fake posts for an organization known for being sarcastic anyway).

On its official tech blog, The Onion gave a detailed description of how the hack took place.

  1. First, the SEA sent emails with disguised links to different members of the organization— these links redirected users to a fake prompt to enter login information. Although the blog reports that most didn’t fall for the scam, at least one apparently did, and that was all it took.
  2. The hackers then used that employee’s account to send the phishing email to more Onion staff members.  That email, seeming more credible coming from a trusted account, got a lot more employees to click.
  3. Two of those employees fell for the request to enter login information, but one of those two had access to all of the Onion’s social media accounts.
  4. Using that login information, the hackers had the key they needed to start tweeting fake information as The Onion.
  5. Even after The Onion adjusted its password, the SEA was able to strike again and phish a few more employees, despite efforts to kick out the intruders.

These aren’t very sophisticated methods. The hackers probably wouldn’t have succeeded if The Onion had followed the anti-fraud training advice they later offered on their site.

A Crash Course in Anti-Fraud Phishing Training

  • If you don’t recognize the sender, or are suspicious, don’t click on any links in emails or social media posts. If it comes from an unidentified source or seems suspicious,  everyone in your network not to click.
  • Use the Hover Technique: when you hover over the link or the image with an embedded link, does the URL match the place where you think you are going? For example, if it looks like you should be going to The Washington Post but when you hover over the link it reads something entirely different, you know that you will likely be redirected to a website that will either request that you fill in confidential information or will install malware on your system.
  • Confirm the supposed source. If a link looks dodgy but comes from a trusted email contact like a co-worker, send a separate message in reply or call to confirm.
  • Use a social media aggregator app like HootSuite, as those programs allow you to restrict user-based access and control the damage more quickly. It also keeps the hacker from taking over total control of the account.
  • Don’t use company email addresses to register your Twitter or other social media accounts. By using a separate email (e.g., a Gmail account setup only for the purpose of that one social networking account), you quickly limit the damage creep of registering everything with a single, organization-based email.
  • Make sure you are using long, strong and site-specific passwords for every account).

Tips to avoid getting hacked that you should not take seriously, also courtesy of The Onion, via National Public Radio:

  • Move site to a new web address every few minutes.**
  • Reduce interest in your website by avoiding popular subjects.***
  • If you receive an email asking for your password, dig deeper by entering information.****

[**This is impossible.]
[***This is inadvisable if you want anybody to read your site.]
[****No, no, no, no, no.]

Luckily, The Onion caught the breach fairly quickly before too much damage was done.  It was then in a unique position to respond and was soon back to doing what it does best—cracking jokes about the incident. Without anti-fraud training, your company might not be so lucky and it won’t be a laughing matter.

John Sileo is an anti-fraud training expert and in-demand speaker on digital reputation, identity theft and online privacy. His clients include the Department of Defense, Pfizer, Visa, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Tax Fraud Can Happen With Anyone's Data…Even Yours

Fraud prevention isn't just about building a wall: It's about making sure you have the right bricks.

During tax season, anyone who sees your pay stubs or tax forms could put them to nefarious use, and could do so without you being aware. As former clients and relatives of one California tax preparer were shocked to find out recently, the stability of their "brick walls" against fraud were filled with weak spots.

Imelda Sanchez of California confessed to using the names and personal data of other people to file fraudulent tax returns. She also used other falsified tax documents to apply for a loan worth more than $1.5 million. Her sentencing is scheduled for May, when she could be slapped with a prison sentence upwards of 30 years or more. As a tax preparer, she was in a unique position to set this plan in motion. Sanchez could also be given a fine around $1.25 million – just a touch under the amount of money she tried to steal. 

In this case, the criminal ended up in cuffs. But tax fraud like this happens all the time, and the bad guys don't always get caught. 

Doing taxes can be a headache for anyone, but as this incident shows, it can also be a time of great risk. There are many different types of identity theft, and while some thieves are content simply to swipe your credit card numbers or bank passwords, others have bigger goals. Someone could use fraud to try and beat the system – with your information.

It's important that you ensure your information and the corporate information you're responsible for is in the hands of someone trustworthy. Anti-fraud training can help a company be prepared to identify the weak points of their security fortresses before it all falls down. 

John Sileo is a fraud prevention expert and keynote speaker on social media privacy, identity theft and fraud. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent work on 60 Minutes, Anderson Cooper and Fox Business.

Anti-fraud training critical to avoiding betrayal, losing trust of customers

The havoc wrought by insider fraud can have far-reaching consequences for both your company and clientele. Several recent examples have proven how damaging fraud can be in the financial sector. But, in truth, there isn’t a single industry today that can afford to forego implementing safeguards.

According to an article at online news source Bank Info Security, one such incident in Ohio earlier this month lead to the collapse of a credit union and a man being sentenced to 37 months in prison for loan fraud and money laundering. About a week prior, two former employees of Chemung Canal Trust Company Bank pleaded guilty to masterminding a seven-year embezzlement scam that cost the bank roughly $325,000.

Insider fraud, also known as friendly fraud, is a difficult topic for many businesses to tackle because it involves trusted employees betraying the companies they are supposed to be – and often appear to be – loyal to. However, the dangers are far too real to be ignored, and fraud detection must be a top priority.

When an employee commits fraud, there are obvious legal entanglements, not to mention the loss of money they’ve stolen. But, there’s much more to it than that. Not only will clients begin to question your company’s dedication to keeping their information secure and the safeguards you are willing to put in place, but they will also question your ability to assess your employee’s character. And if they cannot trust your judgment in hiring reliable individuals, how can they expect to trust you with their business and their money?

Companies must be proactive and pursue the most effective measures of fraud prevention, or face the uphill task of earning back the trust of their customers. Any business owner who has not strongly considered a fraud workshop to help bolster the company defenses should take a look at recent news stories and give it some more consideration.

John Sileo is a fraud detection and prevention expert and will be hosting a FREE Fraud Webinar on Thursday, January 31 at 2 p.m. EST.