It only takes a moment to download a computer virus or open a phishing link. But the consequences for a company can take far longer to fix.
To learn about the perils your fellow admins have overcome, we asked members of the Staples InsidersNetwork: What was the most serious cybersecurity incident you’ve experienced at work, and how did you or your company respond?
Cindy, legal assistant: “Someone spoofed one of our vendor’s emails and invoices and asked for payment to a different account.”
The value of cybersecurity training became clear to Cindy when her company received a fraudulent emailed invoice. It purported to be from a vendor, complete with the usual signature file and company logo. Yet, thanks in part to a recent video on payment scams the staff had watched, they noticed a key piece of information was amiss.
“The sender had slightly altered the wiring account number, so if we paid per the wiring instructions, the money would go to them, instead of to our vendor,” Cindy recalls. The finance department held the invoice to check in with the purported vendor — a step that helped them avoid disaster. Now, the company requires verbal verification from vendors before invoices are paid.
“I will call the vendor and verify the invoice amount, their account number, when the invoice was sent and at what time,” Cindy says. She has also called each vendor to verify its banking information. “These steps take time, but these days, you can’t be too careful,” she says.
Desiree, receptionist: “A colleague got a computer virus that sent an infected email to vendors and customers.”
A single email led to weeks of chaos last year. An employee in the purchasing department at Desiree’s company received an email prompting him to enter his Microsoft Outlook username and password to read an incoming message. When he typed in his credentials, the same email was forwarded to everyone on his contact list: hundreds of customers, vendors and co-workers.
“People were calling non-stop saying, ‘Why the heck did I get this email?’ since it looked as though my colleague had forwarded it,” Desiree recalls. “We had to install another phone and have someone else help me answer the calls.” The company also took the step of calling people on the employee’s contact list to warn them not to open the infected email.
The incident spurred the company to enact new cybersecurity measures. “Now, in every email we open, there’s a button up top that you can click if you don’t recognize the sender or if the message seems suspicious,” Desiree says. “It will go to the IT department to check out.” Employees also are required to take a training class, and are occasionally tested through simulated phishing emails. Staffers who fall for them need to repeat the training.
Amber, sales administrative assistant: Cybercriminals “tricked us by sending a false flight confirmation.”
Amber books all of the flights for her company’s management. So, it didn’t seem out of the ordinary when she received a message from the CFO asking if she had booked a flight for him, along with an attachment that appeared to contain flight details.
“The attachment looked like it was from American Airlines, which we normally use,” Amber recalls. She clicked on it — and downloaded a computer virus. An IT staffer was already on the case, since the CFO had also downloaded the attachment and reported that his computer had stopped working. Both of their computers were unplugged, and the virus was isolated before it could cause further damage. But, both of their devices had to be replaced.
Amber was already careful in evaluating the emails she receives, and this experience has made her even more cautious. She checks messages for signs that something might be off — for example, by looking for slight alterations in senders’ email addresses. “I also never click on a link unless I’m absolutely sure the email is legitimate,” she says. “It just isn’t worth the risk.”
We asked members of the Staples InsidersNetwork to tell us:
How seriously does your company take cybersecurity?
Caption: Online security is a high priority for many of your peers’ companies. But there’s clearly room for improvement.