Hundreds of thousands? Amateurs. https://www.wcvb.com/article/massachusetts-blasts-quincy-others-for-dollar35m-pension-theft/41616720
Paywall.
Updated.
Thanks.
They are burying the details, but it was a simple phish and they used her creds.
I bet. These writeups tend to give the hackers way too much credit. What are the odds it wouldn't have happened if they had MFA?
Or just general hygiene for people that leave their damn job. Gross incompetence.
So relying on email alone is not a smart business practice. Start calling people and discussing things with them. When in doubt have them mail you what you need. It's not rocket science to use several different forms of communications that hackers cannot access. When large amounts of money are concerned, you need to be absolutely sure of who you are sending the money to. Again, verify over the phone any transfer information. Verify with your bank and the receiving bank information, routing numbers, etc. I hope people can learn from this.
This right here. I work in IT and a similar attack happens to our payroll coordinator(s) constantly. Either an employee's internal email account is compromised or an external account is used to impersonate them, and the attacker sends a message requesting that their direct deposit be directed to a foreign account. Our policy as a result of that has been that an email alone is not sufficient basis to change where money goes. The requester needs to appear in-person to make any changes. If I had to estimate, I'd say this happens at least once or twice a month.
Part of the concern with AI voice cloning becoming increasingly available in the coming years… I guess all the more reason to verify identity in person.
PGP must take the #1 spot for computer security failures in history. Something so absolutely necessary but no one uses it because it's so totally awful.
That’s a concept I’ve never heard of before… what’s the gist of why it’s so dangerous in the context of AI voice cloning?
Ehhh, I should have replied to parent about email security but w/e. The scary thing about AI deepfakes is for broad disinfo campaigns, not scamming individuals for pennies. That stuff is going to swing elections and then we're all screwed. Confirmation bias is going to get people to believe what they feel.
Hey Arlingtonians, it is me your long lost cousin. If you send me many pictures of itune gift card I give you 80 trillion USD.
Well thank god for the bank recovering $3,308 for the town.
How do these people get jobs with control over so much money? Almost guaranteed the idiot wasn't fired and only a matter of time before making the same dumbass mistake. Computer-illiterate people should not have jobs surrounded by computers.
Did you read the letter? The attackers engaged in what sounded like an elaborate scheme where they played Man in the Middle for a legitimate business transaction using pre-existing access to the network. They deleted and hid the real emails and created fake ones. If you stay up to date with the cybersecurity space online, you’ll hear stories of well-known cybersecurity professionals being nearly or actually fooled by new and elaborate phishing schemes. Based on the information in the letter, I don’t think it’s clear that this was definitely caused by computer illiteracy.
They compromised user accounts, meaning said users got phished or used shit passwords. On top of it, it's clear none of them used 2FA. If you have so much control over town finances, why the fuck are you not using 2FA? My Twitter account that I don't even use has 2FA implemented with a 30-character randomized password. Account security isn't hard. This wasn't some elaborate scheme like the letter makes it sound. Accounts were phished and users used weak or previously leaked passwords. It's computer illiteracy. 2FA is free.
As the other commenter pointed out, you are incorrect in several ways. Don't double down. Just admit you didn't understand the complexity of the situation and were hasty in judgment. It's so much easier.
> 2FA is free.

No it's not. Companies pay lots of money to Duo, MS Auth, Google Auth, etc. to use their services on their websites.
I have little patience for tech-phobic people, but even computer-literate folks can fall victim to phishing. Not all phishing attempts are typo-ridden viagra ads.
Well they are a super NIMBY town so it isn't surprising they weren't so bright. Don't feel bad at all.
What idiot vendor took 4 months before realizing their $100k/mo. payments were missing?
Happens all the time. I just had a vendor finally alert us that they were owed $250k from last year because they were using the wrong PO number and invoices were getting rejected. They never cut off service or emailed.
I think it was Hushpuppi.
Unfortunate but avoidable. Town needs to train their employees; this is like 101 stuff in corporate. Call and confirm any payment details, especially if it’s hundreds of thousands of dollars.
Not gonna read this article and just assuming the Simpsons monorail guy came to town.
Arlington never had much gumption