I often talk about cybersecurity awareness: I share concepts and best practices, but today I’m writing from another point of view: that of the person who has been made aware!
Yes, experts are not exempt from awareness initiatives… let me tell you a story, I’m hoping that it will help you to get the message across to your organization.
It all started on a Tuesday at 3:34 pm. I received a WhatsApp message from my CEO (or that’s what I thought at the time!). The message read:
“Hi Noémie, are you available? I need to talk with you about a confidential acquisition in Belgium. Pascal”.
I picked up the message 10 minutes later and replied that I could free up my time and have that call. In my head, I asked myself a few questions: an acquisition, but who could it be? At what stage of the discussions are they? Our priority areas are the US and UK, so would it be a bigger firm?… In short, the stress level was rising but I wanted to know more. At this stage, nothing indicated the slightest hint of a fraud or scam and I didn’t see any particular risk. I was more intrigued by the opportunity…
2 minutes after my message, the following answer appeared:
“No need, but I will need you to prepare a transfer quickly, I will send you the bank information in a few minutes. Thanks”
At that moment, it all clicked into place. One thing was clear: it was a trap! It was urgent that I did nothing 😉
I then decided to investigate because something wasn’t right in this situation:
- The phone number of the WhatsApp contact was not the one I have in my phonebook
- The photo is indeed Pascal’s but it’s a common photo, so easy to get
I then sent 2 messages in parallel:
- The first one to my CEO, to the number registered in my directory. I took a screenshot of the WhatsApp discussion and asked him “Hello Pascal, obviously it’s not you! Can you confirm?”
- The second was to the mystery sender on WhatsApp: “Are you testing me?”
The response on WhatsApp soon arrived, “Well done!”, and a more comprehensive message then followed which clarified:
- This was a campaign to raise awareness about Fake President Fraud.
- That the cases are unfortunately frequent and that several attackers have tried to impersonate a member of the executive management, by SMS, social networks or email by simply changing a photo or name
- What Fake President Fraud is and the objective of the attackers: to make you believe that they have a priority and confidential matter for you to deal with, such as an acquisition, which requires an urgent payment out of the normal processes.
- Rules to follow in case of an attack, clues to thwart attacks, and the security contact to alert.
As you can see, this story has a happy ending. In the cold light of day, you might think that it is quite simple to thwart the attack, but unfortunately that is not always the case.
Beyond the example, it is the management of emotions that I want to emphasise. This exercise was well done and very credible; it first gave me confidence with an important request but without asking me to take any risky or suspicious actions. The importance of the request generated questions and a little stress – emotions I needed to master in order to keep my decisions and actions logical and reasonable. I am personally familiar with this subject; I know the theory, but I assure you that the real-life situation was very different! I now know that a flood of emotions appears (although they won’t be so new next time!), but I am reassured that my common sense allowed me to keep a level head and investigate without rushing. I thanked my CISO after the exercise – I understand the benefits of practice and this experience was a good test, especially for those experts who may feel safe as they know what to do (to be clear: I don’t put myself in that category!). It tested in a very realistic way whether they would know how to put the theory into practice and recognise the messages for what they were: a scam.
Training your people, even the experts, allows them to be better, to be ready (although not necessarily to be perfect!), because the situation will no longer be new, and the emotions will not be unknown… To shine on the big day, preparation is an essential ingredient, and this is true for everyone!
Some key elements of Fake President Fraud:
- Confidence building (photo, tone of voice, choice of words, etc.) by the attacker, or a climate of authority
- Urgency, stress: emotions that create pressure and disturb lucidity
- Demand for unusual, abnormal actions to be carried out within a short period of time
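The two checks that resolved the story (does the sender's number match the one in my directory? does the request combine secrecy, a plausible pretext, urgency and an out-of-process payment?) can be written down as a small triage rule. The script below is an added example, not part of the original post: it scores a reported message against a contact directory and the indicators listed above, so that a help desk or security team can decide whether a report needs a call-back on a known number. The directory entry, the phone numbers, the indicator weights and the thresholds are all assumptions chosen for illustration; the two message texts are the ones quoted in the story.

```python
"""Heuristic triage of a suspected executive-impersonation ("Fake President") message.

Added example. Directory numbers, weights and thresholds are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Constructed contact directory: display name -> number on record (placeholder value).
DIRECTORY = {"Pascal": "+33600000001"}

# One pattern per indicator from the list above; weights are an assumption,
# with the payment request counting double because it is the actual objective.
INDICATORS = {
    "secrecy": (re.compile(r"\b(confidential|secret|discreet|do not tell|don't tell)\b", re.I), 1),
    "pretext": (re.compile(r"\b(acquisition|merger|deal)\b", re.I), 1),
    "urgency": (re.compile(r"\b(quickly|urgent|urgently|asap|immediately|right away)\b", re.I), 1),
    "payment": (re.compile(r"\b(transfer|wire|payment|iban|bank (?:information|details))\b", re.I), 2),
}

# The two messages quoted in the story, kept as sample input.
MESSAGES = [
    "Hi Noémie, are you available? I need to talk with you about a confidential acquisition in Belgium. Pascal",
    "No need, but I will need you to prepare a transfer quickly, I will send you the bank information in a few minutes. Thanks",
]


@dataclass
class Assessment:
    sender_matches_directory: bool
    indicators: dict = field(default_factory=dict)  # indicator name -> weight

    @property
    def score(self) -> int:
        # A sender claiming a known identity from an unlisted number is itself an indicator.
        return (0 if self.sender_matches_directory else 1) + sum(self.indicators.values())

    @property
    def verdict(self) -> str:
        # Thresholds are an assumption: "verify" means call back on the number on record,
        # "stop-and-verify" means take no action on the request and alert the security contact.
        if self.score >= 4:
            return "stop-and-verify"
        if self.score >= 1:
            return "verify"
        return "ok"


def assess(claimed_name: str, sender_number: str, text: str, directory=DIRECTORY) -> Assessment:
    """Score one message (or a whole thread joined into one string) that claims to come from claimed_name."""
    on_record = directory.get(claimed_name)
    matches = on_record is not None and sender_number == on_record
    found = {name: weight for name, (pattern, weight) in INDICATORS.items() if pattern.search(text)}
    return Assessment(matches, found)


if __name__ == "__main__":
    unknown_number = "+33700000099"  # constructed: not the number on record for "Pascal"
    for text in MESSAGES:
        a = assess("Pascal", unknown_number, text)
        print(f"{a.verdict:16} score={a.score} indicators={sorted(a.indicators)}")
    thread = assess("Pascal", unknown_number, " ".join(MESSAGES))
    print(f"whole thread: {thread.verdict} score={thread.score}")
```

Run stand-alone, the first message from the unlisted number already scores "verify" (unknown number plus secrecy and pretext), while the second message, with its urgent payment request, tips the thread into "stop-and-verify". Keyword matching is deliberately crude; its point is that the directory mismatch, which the author found by hand, is checkable before anyone reads the request on its merits.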