Industry player robbed of $100k in email scam
The PVCA is warning printers to stay alert, and to make sure their accounts departments never make urgent payments without the verbal authorisation of the boss, after a print industry business was scammed out of $100,000.
The company was robbed of the $100,000 last Wednesday, falling victim to the so-called CEO email scam. The scam targets accounts departments, financial controllers, and managers with an email purportedly from the managing director asking for an urgent payment to be made.
Print21 is hearing of increasing attempts to rob print businesses with the scam, although usually for sums around $10,000, with the modus operandi always the same. Bigger businesses will be hit with attempts for larger sums.
The CEO of the robbed print entity, who naturally wishes to remain anonymous, said, “The scammers managed to hack into my email account (through Office 365). We assume that they were watching activity for a number of days if not weeks. While I was in a meeting at the end of the day, the scammers sent an email from ‘me’ to accounts requesting urgent payment of an invoice.
“This was queried by accounts by replying to the email, and they got an immediate email back from ‘me’ confirming in their mind the request was genuine. The payment was authorised by another director because it was from ‘me’ and had some relevance to projects occurring in the business.
“During Covid-19, I have been monitoring all payments and receipts daily. However, last week we were on a three-day week so this wasn’t identified until Monday by which time there is nothing anybody can do. Of course my email account had been modified so that I was not copied on the email thread.
“We were also to learn that our cyber insurance does not cover criminal theft, although this is an option.
“It is unlikely we will see the money again.”
Andrew Macaulay, CEO at PVCA said, “PVCA itself has been subject to attacks, which we have only thwarted due to constant increase in our IT security procedures.
“We urge all members to review their cyber security with their IT service provider immediately, and follow these steps:
- Install dual factor authorisation on all email accounts.
- Introduce personal checks in payment processes that require verbal staff interaction, not just email interaction.
- Ensure you have appropriate insurance.
- Continually update yourself on the types of scam that are going around.
- Do not trust any emails in the first instance.”
PVCA says if your business does not have a reliable IT advisor, it can refer you to one.