IBM recently discovered a startling new scam being used by Eastern European scammers to steal money from the bank accounts of American companies. The scam is devilishly clever and pairs sophisticated malware with old-fashioned social engineering techniques to complete the thefts, which already total more than a million dollars.
The scam starts, as do so many scams, with a phishing email that lures an employee of the targeted company into clicking on a link that downloads a type of malware called “Dyre.” Once in the company’s computers, Dyre waits until someone in the company attempts to log into one of the hundreds of banks included in the Dyre malware, at which point it brings up a phony website that appears to be that of the bank used by the targeted company. The screen also displays a message that the website is experiencing technical difficulties and advises the user to call a toll-free number provided for assistance with logging on to the company’s bank account. The phone number is not that of the company’s bank, but instead is that of an English-speaking scammer who answers the phone posing as an employee of the company’s bank. The scammer then asks for passwords and other information from the victim, who, thinking he or she is talking to the company’s bank, provides the information. The scammers then use it to access the company’s bank account online and transfer funds electronically to accounts they control in other banks, from which they then withdraw the funds.
The key to avoiding this type of scam is both avoiding downloading malware and never turning over personal information to anyone unless you are absolutely sure that the request is legitimate. No one should ever click on a link in an email or text message unless they are absolutely sure that the message is legitimate. Even if it appears to be coming from a legitimate source, the sender’s email account or smartphone may have been compromised by a hacker. Always confirm before you click on a link or download an attachment.
In addition, you should make sure that your security software is up to date with the latest security patches and updates, recognizing, however, that those updates will always be at least a month behind the hackers’ latest malware. Also, you should never provide personal information of any kind to anyone over the phone unless you have independently confirmed that the telephone number you are using is legitimate. Assuming that a telephone number provided in an email or a text message is legitimate is dangerous and can lead to identity theft.