How much information should you disclose about your staff on your website?

Email scams | Securious.010

Recently the Devon and Cornwall Police reported, in their cyber threat news, a phishing attempt on a business based in Plymouth, Devon.

“The emails purported to be from the CEO of the company and were directed to the Finance Department. They received the email on two occasions, both times when the CEO was away from the office.” – Devon and Cornwall Police

We have also recently heard of similar attempts, and it would appear that criminals are specifically targeting members of staff in finance departments. Staff information is often freely available on company websites, and these are a great resource for email scams or worse.
It is interesting to see how attackers shape these attacks. I had a first-hand report of this occurring recently, and the approach was very similar: targeting a member of the finance team and pretending to be the Director. In this case several emails went backwards and forwards whilst the (fortunately savvy) member of the finance team went the extra mile to get details about who the money was to be transferred to, and crucially picked up the phone to confirm.

The director was out of the office, and the email looked ‘real’

Up to this point they were convinced that, though an unusual request, the email was from their director: the email address was correct, the wording matched the director's style, and the director was indeed out of the office at the time. Scary really. Firstly that the criminal knew the director was out, and then that they worked out who to approach in the finance department. The member of staff said it was almost unreal to be having a ‘live’ email conversation with the criminal. Fortunately that phone call saved the company from paying away funds: the director, when called, was completely nonplussed about the email and any transfer, and at that point the Police were called.

Targeting less ‘experienced’ members of finance staff

The Police had recently warned that junior members of finance staff were being targeted; this person was not junior. So I had a peek at the website, which proudly introduced their staff, giving details of what they did and how long they had been with the company. This particular member of staff was last in the list, being the most recent joiner, and had a generic ‘account department’ title, so looked like the most junior. From there, working out the email address is simple.

Websites could provide information for social engineering

So when we introduce all our staff on our websites, some consideration needs to be given to which staff we really need to include. Educating staff about cyber threats is obviously key, as there are so many ways criminals can target and attack a company, but as companies we also need to look at the information we give out on our websites and how it could be used for social engineering and cyber attacks like this one.

Advice from the Devon and Cornwall Police website about prevention:

  • Do not click or open unfamiliar links in emails or on websites.
  • Check the legitimacy of the email with the company that has supposedly sent it. It is a good idea to find a telephone number for them independently from the email as the phone number provided may be fake or go straight to the suspect.
  • Ensure you have up-to-date anti-virus software and perform regular scans.
  • If you have clicked or activated the link you should seek professional advice from a reputable company.
  • Be aware of any financial requests via email. People can easily pose as management in emails – call the person if in doubt.

Visit the Devon and Cornwall Police website for more information about preventing crimes like these.
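The last point of that advice, treating any payment request that appears to come from management as something to confirm by phone, can be partly automated at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original post or from Devon and Cornwall Police. The organisation domain, the executive names and the three sample messages are constructed for illustration, and the checks mirror the story above: an executive's name on an outside address, an internal address that nevertheless fails SPF/DKIM/DMARC (one way a message can show the ‘correct’ address yet be fake), a Reply-To that diverts the conversation elsewhere, and payment language attributed to management. Anything that fires goes to a person with a phone, not to the bank.

```python
"""Triage rule for inbound mail that looks like a payment request from management.

Added example, not from the original post. ORG_DOMAIN and EXECUTIVES are
constructed values standing in for the defending organisation's domain and
the executive names published on its website; the sample messages are also
constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAIN = "example.com"       # constructed: the defending organisation's mail domain
EXECUTIVES = {"jane director"}   # constructed: display names listed on the company website

# Words that usually accompany a fraudulent transfer request.
PAYMENT_WORDS = re.compile(r"\b(transfer|payment|wire|invoice|bank details|urgent)\b", re.I)


def _auth_failed(msg: Message) -> bool:
    """True when any Authentication-Results header reports an SPF/DKIM/DMARC failure."""
    for value in msg.get_all("Authentication-Results", []):
        if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", value, re.I):
            return True
    return False


def _body_text(msg: Message) -> str:
    """Collect the text/plain parts of the message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def triage(raw: str) -> list[str]:
    """Return the reasons this message should be confirmed by phone before any
    money moves. An empty list means no rule fired."""
    msg = message_from_string(raw)
    reasons: list[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    display_l = display.strip().lower()

    # 1. An executive's display name, but the address is outside the organisation.
    if display_l in EXECUTIVES and from_domain != ORG_DOMAIN:
        reasons.append(f"executive display name with external address {addr}")

    # 2. Address looks internal but the message failed authentication: likely spoofed.
    if from_domain == ORG_DOMAIN and _auth_failed(msg):
        reasons.append("internal sender address but email authentication failed")

    # 3. Reply-To quietly redirects the conversation to another mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    # 4. Payment language attributed to management: always verify out of band.
    text = f"{msg.get('Subject', '')}\n{_body_text(msg)}"
    if display_l in EXECUTIVES and PAYMENT_WORDS.search(text):
        reasons.append("payment request attributed to management; confirm by phone")
    return reasons


# Constructed sample messages (not real traffic).
SPOOFED_MAIL = "\n".join([
    'From: "Jane Director" <jane.director@example.com>',
    "To: accounts@example.com",
    "Reply-To: jane.director@webmail-example.net",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none",
    "Subject: Urgent transfer needed today",
    "",
    "I am out of the office. Please arrange a payment to the supplier below",
    "and send me confirmation. Details to follow.",
    "",
])

LOOKALIKE_MAIL = "\n".join([
    'From: "Jane Director" <jane.director@examp1e.com>',
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com",
    "Subject: Invoice approval",
    "",
    "Can you settle the attached invoice this afternoon?",
    "",
])

LEGIT_MAIL = "\n".join([
    'From: "Bob Smith" <bob.smith@example.com>',
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass",
    "Subject: Lunch on Friday?",
    "",
    "Shall we try the new cafe?",
    "",
])

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MAIL), ("lookalike", LOOKALIKE_MAIL), ("legit", LEGIT_MAIL)]:
        print(name, "->", triage(raw) or "no rule fired")
```

The rules are deliberately simple and rely only on headers the receiving mail server already adds; the point is that a message can pass a human's ‘the address is correct’ check and still be flagged by the server's own authentication results, and that the right response to a flag is the phone call the finance team member made, not a reply to the email.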
