FIDI Affiliates have been urged to safeguard against phishing attacks, after senior industry staff were targeted by scammers
FIDI has issued an urgent call to its Affiliates to ensure they protect themselves from online ‘phishing’ scams targeting businesses or senior individuals in the moving industry, following serious attacks on at least two Affiliates since April.
Phishing is the criminal practice of sending emails pretending to be from authentic companies or people, usually to extract passwords, credit card numbers or money. While early scams were easy to recognise, typically featuring poor spelling and design, scammers are becoming more sophisticated, targeting company heads and other high-profile people with extremely convincing approaches.
Incoming FIDI Board member Gordon Bell was the victim of one such ‘whale-phishing’ attack (so called because it targets high-level personnel), during which he lost a significant sum of money.
Shortly after returning from the FIDI Conference, Bell received a friendly-sounding email claiming to be from FIDI President Laura Ganon, with the subject ‘brief task’. The email asked for his help sourcing Amazon vouchers for staff on behalf of the FIDI President.
The email came from a Gmail account, different from Ganon’s usual address. Bell queried the address, but says he had no reason to doubt that he was dealing with Ganon herself. ‘She replied that this was her private email and, because of complications with her company server – and it being the weekend – she could only use this,’ says Bell. ‘I thought nothing of it. I wanted to pull out all the stops just to make sure she got what she wanted in record time.’
The next email asked Bell to buy 10 Amazon £200 vouchers on her behalf, which he did – exchanging several more emails with ‘Laura’ on the process. Having spent £2,000 on the vouchers, he sent the serial numbers and got an email back confirming receipt.
Three days later, Bell had an email asking for a further favour.
‘I received another email from Laura telling me she found out that she was terribly short of vouchers and asking me if I could purchase another 10,’ he said. ‘But she also asked if I had a Bitcoin account, as this was another way to send an incentive.’ The second request rang alarms – and Bell sent an email to Laura’s company address to ask if the emails were actually from her.
‘Of course, the answer was no,’ says Bell. ‘I literally cried. I preach awareness of scams to our offices – what a fool I had been. I wanted so desperately to find this person, to expose them, but it was too late. I lost £2,000 when all that was on my mind was to please my President.’
FIDI as a target
FIDI itself has also been targeted recently, with fraudulent emails sent to FIDI’s Finance Manager asking for an urgent money transfer to a conference supplier.
FIDI’s Secretary General, Jesse van Sas, says: ‘Our finance department received these emails, which appeared to have been sent by me and looked very legit. Luckily, we have strict payment processes, and payments are only made against approved invoices, and must be verified and co-signed, to avoid such issues.’
Van Sas adds that it’s vital for Affiliates to protect themselves, by having clear processes in place, a ‘healthy suspicion’ of all emails asking for money, and by verifying who the true sender is.
‘Never assume things; always verify, even when emails seem to come from the top,’ he says.
Bell adds: ‘It is difficult to understand that there are people out there who want to cheat you when any opportunity arises. In my case, they targeted a new member of a board, slightly excited at doing something to prove his/her worth.
‘However, if something looks suspicious, especially when it has to do with money, go to the source, double check, and call if necessary. Don’t be shy to ask; even if it turns out to be an authentic request, you will have done your due diligence.’
Dealing with phishing
Microsoft gives some clear steps for identifying and preventing phishing attacks – and for what to do if an attack on you is successful.
How do I know if it’s a phishing message?
Criminals can use email, text messages, social media or even video games to get people to reveal their personal information. The best defence, says the organisation, is knowing what to look for, which includes:
- Urgent calls to action or threatening messages – Always be suspicious of messages that tell you to click on a link or open an attachment right away. Sometimes, they will tell you to act immediately to claim a prize or avoid a penalty. ‘A false sense of urgency is a common trick of phishing attacks and scams,’ says Microsoft. ‘They do that so you won’t think about it too much or consult with a trusted adviser who may warn you.’ If a message asks for immediate action, it’s important to slow down – and be safe.
- First-time senders – Getting an email from someone for the first time – particularly someone from outside your company – can be a useful red flag for a phishing scam. Examine new or infrequent emails carefully to make sure they are from who they claim to be from.
- Spelling and bad grammar – Professional businesses usually have good-quality, well-written content, so the opposite can be a clear sign of a scam. But be careful – criminals are getting better and more professional themselves.
- Generic greetings – An organisation that knows and works with you is less likely to begin an email with something like ‘Dear sir/madam’.
- Mismatched domains – Check the domain in the sender’s actual email address, not just the display name. Large businesses usually have their own registered domain name, so make sure the email comes from that domain – and not from a misspelt or completely different one, or, as in Bell’s case, from a personal webmail account.
- Suspicious links and unexpected attachments – Hover your mouse over – but don’t click – a suspicious link to check that the address it really points to matches the one shown in the message. Never open suspicious attachments or visit a website that you’re unsure about.
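The indicators in the list above can also be checked mechanically, which helps when screening a shared mailbox rather than relying on every reader’s vigilance. The Python below is an added example and is not code from the article, from FIDI or from Microsoft: it parses a raw email and reports a first-time or webmail sender, a lookalike domain, a display name that impersonates a known contact, urgency phrases, and links whose visible address differs from their real target. The domain example.org, the contact directory, the known-sender list, the phrase list and the three sample messages are all constructed for illustration.

```python
# Added example: flag the phishing indicators listed above in a raw email.
# example.org, DIRECTORY, KNOWN_SENDERS, URGENCY and the samples are all constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # assumed company domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY = ("right away", "immediately", "urgent", "brief task", "as soon as possible")
DIRECTORY = {"company president": ORG_DOMAIN}  # display name -> domain really used
KNOWN_SENDERS = {"president@example.org", "accounts@example.org"}  # prior contacts


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.host' text without a scheme is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw, known_senders=KNOWN_SENDERS):
    """Return warnings for one raw RFC 822 message; an empty list means none found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # Sender: first contact, webmail, lookalike domain, impersonated display name.
    if addr not in known_senders:
        findings.append(f"first-time sender {addr}")
    if domain in FREEMAIL:
        findings.append(f"free webmail address {addr} used for business")
    if domain != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in domain:
        findings.append(f"lookalike domain {domain} (expected {ORG_DOMAIN})")
    expected = DIRECTORY.get(name.lower())
    if expected and domain != expected:
        findings.append(f"display name '{name}' impersonates a contact at {expected}")

    plain = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain"]
    html = [p.get_payload() for p in msg.walk() if p.get_content_type() == "text/html"]

    # Urgent calls to action in the subject or body.
    haystack = "\n".join([msg.get("Subject", ""), *plain, *html]).lower()
    hits = [p for p in URGENCY if p in haystack]
    if hits:
        findings.append("urgency cues: " + ", ".join(hits))

    # Links whose visible address is not where the href really goes.
    for body in html:
        collector = LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            if href and re.match(r"(https?://|www\.)", shown) and host_of(shown) != host_of(href):
                findings.append(f"link shows {host_of(shown)} but points to {host_of(href)}")
    return findings


# Constructed samples: a voucher pretext from webmail, a lookalike-domain invoice, a normal mail.
SAMPLE_WHALING = """\
From: Company President <president.private.mail@gmail.com>
Subject: brief task

Hi, can you source some Amazon vouchers for staff right away? I can only use this private email this weekend.
"""
SAMPLE_INVOICE = """\
From: Accounts <accounts@example-org.com>
Subject: Invoice approval required
Content-Type: text/html

<p>Approve the invoice at <a href="http://203.0.113.10/login">https://portal.example.org</a> immediately.</p>
"""
SAMPLE_LEGIT = """\
From: Company President <president@example.org>
Subject: Board minutes

Attached are the minutes from last week's meeting. No action needed.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WHALING, SAMPLE_INVOICE, SAMPLE_LEGIT):
        print(phishing_indicators(sample) or ["no indicators"])
```

Running the file prints the findings for each sample: the board-minutes message produces none, the voucher pretext trips the first-time-sender, webmail, impersonation and urgency checks, and the invoice message trips the lookalike-domain, urgency and link-mismatch checks. The phrase list and the domain substring test are deliberately simple; the point is that each indicator in the list maps to a field a mail filter can inspect, and that the ‘contact the real sender another way’ step is still needed for anything such a screen lets through.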
What should I do if I get a phishing email?
- Never click a link or attachment in a suspicious email.
- If you are worried that a suspicious email could, in fact, be legitimate, visit the organisation’s website – from your own search, not the email – or call them from a number on a membership card, or printed on a bill or statement, and ask them to verify it for you.
- If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it.
- Report all suspicious messages – see below – and delete them, too.
How to report a phishing scam
Many email programs, such as Microsoft Office Outlook, have a ‘report message’ function. This is the fastest way to report and remove suspicious messages.
You can also report phishing directly to organisations such as Microsoft, which publishes a dedicated reporting email address for this. Include the suspicious email as an attachment (don’t simply forward it, because forwarding strips the original headers that investigators need).
Many governments also have dedicated organisations to which you can report phishing, such as the National Cyber Security Centre in the UK, which runs its own phishing-reporting email address.
What should I do if I have been phished?
If you think you have fallen for a phishing attack, you should do the following:
- Record it – While it is fresh in your mind, write down as many details as you can. Make a note of any personal details, such as passwords or account numbers, that you have shared.
- Change your passwords – Do this immediately on the accounts affected – but also anywhere else you may have used the same password. You should create new and unique passwords for each account.
- Use multifactor authentication – This requires a second factor, such as a one-time code sent by text or generated by an authenticator app, in addition to your password, so a stolen password alone is not enough. Turn it on for every account where you have the option.
- Communicate – If the attack has affected your accounts at work, school or in other organisations with which you are involved, make sure you tell their IT support department. Alert your bank if you have shared any account or credit card information.
- Report it – If you’ve lost money or suffered identity theft, report it to local police.