Almost every organization, and a great many people, have been the targets of phishing scams in recent years. One recently disclosed victim is Ann Scott, wife of Florida’s governor, who lost a total of $350,000 to scammers. The details of the story are in this article from the Miami Herald; the lessons from her case can help all of us remember to stay aware.
- Mrs. Scott had an accountant, Cathy Gellatly, handle her money. That’s not unusual, but there were no verification systems set up to make sure requests to transfer money were legitimate.
- Gellatly apparently didn’t notice the scammers’ phony email address, created by adding a third N to Ann Scott’s first name. This could have been caught by an email filter that “whitelisted” known client email addresses, or by more careful observation on Gellatly’s part.
- Merrill Lynch, where Ann Scott had stock accounts, did catch an attempt to gain information about those accounts. This attempt included a message that purported to be from Scott but was in badly written English and tried to convince the brokers to communicate only in email. Because the Merrill Lynch staff spotted signs of a phishing attempt, this one extracted no money.
- Scammers also set up mail filters on Ann Scott’s email account that hid messages from two staffers at her money management firm. This technique has been around for a while, but it takes a little knowledge to spot: the rules are created inside the victim’s own mailbox, so nothing looks wrong from the outside.
- At one point, the Scotts’ daughter opened a version of a spoofed email requesting wire transfers. While many people share passwords with family members, it’s best if every individual has a password known only to that person. (And of course, you should never share your company password with anyone! The only exception is if a help-desk technician is working with you on a ticket you initiated. Even then, you should change the password as soon as the issue is resolved.)
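A defender-side check for the lookalike address problem in the bullets above, written as an added example that is not from the original post: incoming sender addresses are compared against an allowlist of known client addresses, and anything that is not an exact match but sits within a couple of edits of one is flagged. The addresses, the allowlist and the distance threshold are constructed assumptions.

```python
# Added example (not from the original post): flag sender addresses that look
# like a trusted client address but do not match it exactly, the way the
# extra-"n" lookalike described above could have been caught.
from typing import Dict, List, Optional

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender: str, trusted: List[str], max_distance: int = 2) -> Dict[str, Optional[str]]:
    """Verdict for one sender address against an allowlist.
    'trusted'  : exact (case-insensitive) match with an allowlisted address
    'lookalike': not allowlisted, but within max_distance edits of one
    'unknown'  : no allowlisted address is close
    """
    s = sender.strip().lower()
    best, best_d = None, None
    for t in trusted:
        t_norm = t.strip().lower()
        if s == t_norm:
            return {"verdict": "trusted", "nearest": t_norm}
        d = edit_distance(s, t_norm)
        if best_d is None or d < best_d:
            best, best_d = t_norm, d
    if best_d is not None and best_d <= max_distance:
        return {"verdict": "lookalike", "nearest": best}
    return {"verdict": "unknown", "nearest": best}

# Constructed sample data (hypothetical addresses, not from the article).
TRUSTED_CLIENTS = ["ann.scott@example.com", "office@clientfirm.example"]
INCOMING = [
    "ann.scott@example.com",      # legitimate client address
    "annn.scott@example.com",     # extra "n", the trick described above
    "ann.scott@examp1e.com",      # digit-for-letter swap in the domain
    "newsletter@vendor.example",  # unrelated sender
]

def triage(senders: List[str]) -> List[str]:
    """Verdict per incoming sender, in the same order as the input."""
    return [classify_sender(s, TRUSTED_CLIENTS)["verdict"] for s in senders]

if __name__ == "__main__":
    for s, v in zip(INCOMING, triage(INCOMING)):
        print(f"{v:10s} {s}")
```

A "lookalike" verdict is a reason to hold the message for a human to confirm by phone, not a final answer; an exact allowlist match still does not prove the account itself was not compromised.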
This story has a somewhat happy ending, in that authorities were able to get Mrs. Scott’s money back. However, they were not able to charge anyone with committing the crimes. Phishing and telephone scamming (sometimes known as “vishing”) continue to be persistent and dangerous threats worldwide.
If you receive a suspect phone call, do not give out any information. Tell the person you’ll call back, get a number, and report the attempt to the Technology Service Center. Likewise, if you receive a suspect email, don’t respond or click any links – just forward the email to the TSC for your region.