June 23, 2022

How we lost €10,000 to a Social Engineering scam

Email sent from Dan Malone to accounts stating, Good morning, what are the charges for same day transfer to Europe, Kind regards, Dan Malone

Before we start I want to call out that the only way something like this succeeds is through a failure of the process. Humans make mistakes.

A process that allows people to make mistakes is a failure in the process, not the individual's failure.

Setting the scene

  • Last week we were victims of a social engineering/phishing attack.
  • The attack was successful in retrieving €10,000 from us.
  • I noticed a notification on our Slack that a transfer had gone out of our bank to a payee I didn't recognise, and it was outside our normal payment cycle.
  • wtf?
  • I checked our invoices, emails, and bills but couldn't find a reference
  • I contacted my accounts team first by Slack, and then they called me.
  • We both realised immediately we'd been done.
  • We got to work on damage mitigation.

How did the attack work?

  • Our accounts email received an email from an account that had set its name to Dan Malone.
  • The message itself didn't ring any immediate alarm bells, it was just a simple question.
  • The email address was some random email that didn't resemble mine, but the name was right.
  • By asking a simple question first and getting into a conversation, they bypassed the initial 'this is a scam' reflex and the guard was dropped.

It is also possible to spoof an email address, but Google and other email providers will usually auto-mark that as spam because the signatures won't match. So this person didn't even bother; they didn't even try buying a similar domain. This was just a shotgun attack and likely part of a larger email campaign.
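The two things that made this message work were a display name matching a real person on a sender address that was not his, and a time-pressure phrase aimed at accounts. Here is an added example (not code from the original post) of a triage check that flags both conditions on an inbound message; the staff directory, internal domain and sample header are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed staff directory and internal domain (hypothetical, not the company's real addresses).
STAFF = {"dan malone": "dan@example.ie"}
INTERNAL_DOMAINS = {"example.ie"}
# Phrases that create time pressure on the accounts team, as in the quoted email.
URGENCY_PHRASES = ("same day", "same-day", "urgent", "today", "asap")


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so 'DAN  Malone' and 'Dan Malone' compare equal."""
    return " ".join(text.lower().split())


def triage_email(from_header: str, body: str, staff=STAFF, internal=INTERNAL_DOMAINS) -> list[str]:
    """Return reasons this message should be held for out-of-band verification.

    An empty list means nothing suspicious was found, not that the mail is safe.
    """
    reasons = []
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = normalise(display)
    if name in staff:
        # The display name is a known colleague; the address must match the directory.
        if domain not in internal:
            reasons.append(f"display name '{display}' matches staff but sender domain '{domain}' is external")
        elif addr != staff[name]:
            reasons.append(f"display name '{display}' matches staff but address '{addr}' is not the directory entry")
    text = normalise(body)
    if any(p in text for p in URGENCY_PHRASES) and ("transfer" in text or "payment" in text):
        reasons.append("payment request with time pressure; confirm by phone before acting")
    return reasons


# Constructed sample reproducing the shape of the message quoted above.
SPOOFED = (
    "Dan Malone <randomperson@freemail.example>",
    "Good morning, what are the charges for same day transfer to Europe, Kind regards, Dan Malone",
)

if __name__ == "__main__":
    for reason in triage_email(*SPOOFED):
        print("HOLD:", reason)
```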

Seems like a pretty obvious attack, how did it succeed?

It hit us at the right place, at the right time, when we were in a vulnerable process position.

  1. It was a Friday
  2. I was away at a wedding
  3. My co-worker who would authorize normally when I'm away doesn't work Fridays
  4. So accounts were on their own.
  5. They saw the email a few hours after it was sent, noticed the urgency of 'same day transfer' and thought 'uh oh, he asked for same-day and it's hours later'.

What was the failure in the process?

  1. We have a process for paying creditors which was not followed
  2. We didn't have an approval process to require a second sign-off on payments over €1,000

On point #1, we have a process:

  1. An invoice is received, with 30 days payment terms
  2. A creditor is created
  3. A list of creditors is presented to leadership at the end of the month to sign off
  4. Then payment is created in Revolut Business

The first mistake here is on me — this process is on occasion sidestepped, either for creditors who refuse our 30-day payment terms or for once-off payments that need to be escalated.

Our new process for this will require verbal communication to confirm AND a second sign-off in our banking software.

On point #2, we had a process:

In Revolut Business you can set a limit for individuals or roles above which a second person must sign off a payment. We initially had that, and it was set around €1,000.

I must have removed it at some point, because it is tedious, and probably thought to myself that I would reinstate it the next day, but I never did.

The biggest mistake here is that it puts all the responsibility on one person, which is unfair.
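To make the two process fixes above concrete, here is an added example (not the company's own tooling) of a release gate that encodes them: a payee must have a creditor record, an off-cycle payment needs verbal confirmation, and anything over €1,000 needs a second approver who is not the person who raised it. The creditor list and names are constructed.

```python
from dataclasses import dataclass

# Limit from the post: payments above this need a second person to sign off.
DUAL_APPROVAL_LIMIT_EUR = 1000


@dataclass
class Payment:
    payee: str
    amount_eur: float
    initiated_by: str
    approvers: frozenset = frozenset()  # people who signed off in the banking software
    on_monthly_list: bool = False       # payee was on the month-end creditor list leadership signed
    verbally_confirmed: bool = False    # requester confirmed by phone or in person, not by email


# Constructed creditor list standing in for the month-end sign-off.
APPROVED_CREDITORS = frozenset({"Acme Hosting Ltd", "Example Office Lease Ltd"})


def blocking_reasons(p: Payment, creditors=APPROVED_CREDITORS) -> list[str]:
    """Return every reason the payment must not be released; an empty list means release."""
    reasons = []
    if p.payee not in creditors:
        reasons.append(f"payee '{p.payee}' has no creditor record")
    if not p.on_monthly_list and not p.verbally_confirmed:
        reasons.append("off-cycle payment without verbal confirmation")
    if p.amount_eur > DUAL_APPROVAL_LIMIT_EUR:
        # The initiator approving their own payment does not count as a second sign-off.
        second = p.approvers - {p.initiated_by}
        if not second:
            reasons.append(
                f"EUR {p.amount_eur:,.2f} exceeds {DUAL_APPROVAL_LIMIT_EUR} and has no second approver"
            )
    return reasons


def can_release(p: Payment, creditors=APPROVED_CREDITORS) -> bool:
    return not blocking_reasons(p, creditors)


if __name__ == "__main__":
    # Constructed payment with the shape of the one in the post: unknown payee, off-cycle, large.
    scam = Payment("Unknown Payee GmbH", 10000, "accounts")
    for reason in blocking_reasons(scam):
        print("BLOCKED:", reason)
```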

So what now?

Something like this is a gut punch to anyone or any business, that is a lot of money to anyone. I think the obvious reaction by anyone is to get a bit emotional. To get angry, to get sad, to get frustrated, and I was.

But I wanted to be professional about this, and treat it healthily. There was no value in playing blame games or giving negative thoughts any space.

My priorities were to:

  1. Alert the bank - which we did within the hour.
  2. Alert the authorities and our insurance - we did this within the hour
  3. Reassure my staff - within minutes

#1 Alert the bank

We bank with Revolut Business, which up until now has been bumpy but overall good. We reached out to Revolut, but they only had chat support, and let me tell you: when you're under pressure you want to speak to a human. Nothing pisses you off more than having to deal with a disinterested call centre person over chat on your phone.

The bank essentially said that they would see what they could do, and they made it sound hopeful, but they insisted that I speak to the authorities and get them a 'crime reference number'.

They eventually got back to me and said that they followed all their process and it wasn't their problem.

Revolut Business was unable to freeze the transfer, and the receiving bank, Deutsche Bank/Postbank, hasn't responded.

#2 Alert authorities and insurance

I called the Guards, but they refused to create a case or take a report over the phone. I was at a wedding and in no state to present at a station, so they told me to come into my local station the next day. I did this, and haven't heard a peep since.

Insurance - Cyber cover

I also notified our insurance company Hiscox, and they moved a lot faster. By Monday they had a legal team working with me, offered to bring in a cyber professional, and had made direct contact with the Garda Economic Crime Bureau to get me a case number and a lead on their side.

I only bought a cyber cover as an afterthought due to all the HSE leaks over the last few months, boy am I glad I did now.

#3 Reassure my staff

I had several calls with my accounts team that day and the following days, and my message was clear on this.

It was not their fault. This is a business, a mistake was made, and the process allowed that mistake to go through.

When you are dealing directly with money things feel a lot more real and emotional. Would I feel the same if someone told me a feature would be a week late? It might cost us the same amount, but I probably wouldn't be as cut up about it?

Humans are just weird about money.

I wish I could say I know what is going to happen but I don't. I doubt Revolut or the authorities will retrieve the money, and I don't hold out huge hope in insurance covering this.

So I'm taking it as a learning experience. We're going to focus on our process, our security and tightening things up. This could have been way worse and we're lucky it wasn't.

I hope you can learn something from this.
