Ashwaubenon, a suburb of Green Bay, WI (where we’re based), is home to over 17,000 people. Recently, Ashwaubenon village finance employees signed over an electronic funds transfer for $293,000 to a phishing scammer pretending to be a contractor performing work at Klipstine Park. The scammer called the village offices pretending to be the contractor and stated that their bank account had changed. They then provided new account information, which the village employees failed to recognize as suspicious. It was not until the actual contractor inquired about payment several weeks later that the village realized its mistake. While Ashwaubenon has been able to recover a portion of the money so far, the rest remains missing. The employees responsible have apparently been disciplined over the matter.
Village of Ashwaubenon Phished: Loses nearly $300K of taxpayer money
While we recently posted a detailed blog post on how to recognize and avoid phishing (Phishing: Don’t Get Caught), we wanted to bring this up since it was so close to home. It’s absolutely vital for any employees with access to sensitive information or capital to be constantly aware of scammers and potential threats. In the case of Ashwaubenon, the scammer was likely able to find relevant information in public records. This allowed them to be convincing enough to trick the village employees into sending the money. When businesses are targeted, scammers are often able to gather enough information by simply browsing the company website, doing a few lookups to determine who owns the website, and figuring out related vendors or partners. From there, all they need to do is send a few emails or make a few calls, and often enough they fool someone into giving up confidential information, sensitive credentials, or funds.
There have been countless examples of phishing attacks in both the public and private sectors lately, and their popularity will only continue to increase. Educating employees about the risks and frequency of phishing attacks is the most important first step. Another great way to prevent damage is to limit employee access – the fewer people with access to critical information, systems, and funds, the smaller the attack surface for a scammer. Devising a system for authenticating outside parties who request sensitive information, such as requiring customers or partners to have a PIN in addition to their account information, is a good way to lower the potential for an attack.
We’ve seen attempted attacks at some of our clients as well. By having robust network security and informed employees, our clients have been able to avoid falling victim to phishing. If you’re concerned about phishing attacks, network security, or just need a trusted IT advisor for your business, Contact Us today.