Don’t believe an email just because it comes from someone you trust!
The amount of phishing and scamming happening on the internet is really alarming at the moment, so don’t get caught out. At APL and James Noble accountants we run special internet monitoring tools to detect hackers sending emails pretending to be us, and some weeks the amount is significant, coming from mail servers anywhere between China and the Netherlands.
This got us thinking about giving you some context on how you or your business could easily be compromised: we put our ‘hacker hats’ on and asked how we would scam a veterinary clinic. So that you don’t get buried in technical jargon, here are some simple examples of how you or your customers can get fooled in the veterinary space.
Step one – a hacker uses your email address:
Surely your email address belongs to you and is private? If you think this is the case then you are wrong – ANYBODY IN THE WORLD CAN USE YOUR EMAIL ADDRESS! Anyone can know your email address because you use it so much in public. In fact, just knowing your website address is enough to create an email that looks like it is coming from your business. If xyzvets.com.au has a website, then a hacker can create a fictitious email from that business by prefixing the domain name with any name they please, eg. [email protected]. At our offices, where we have a small amount of tech savvy, it would take us 5-10 minutes to send emails from any of your email addresses! This technique is called ‘spoofing’ and it is within the technical capabilities of a 10 year old. Email was never designed to be protected or private, and the only protection you have against this type of behaviour is your spam box. Most mail services that receive your emails check the route of the email (where it has come from), and if the route looks suspicious they put it into spam. How accurate this is depends entirely on who you use for your mail service and how your emails are set up.
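What a receiving mail service actually checks when it decides whether a message ‘from’ xyzvets.com.au is genuine can be shown in a few lines. The following is an added example, not code from the original article or from APL / James Noble: it reads the Authentication-Results header that the receiving server adds (its SPF and DKIM results) and applies the DMARC rule that the domain on the From: line must match a domain that actually passed. The three messages are constructed for illustration; xyzvets.com.au is the article’s own fictitious vet, and the other hostnames and addresses are documentation placeholders.

```python
"""Receiving-side spoofing check, in the style mail services apply to incoming
mail. Added example for illustration; not from the original article."""
import email
import re
from email import policy
from email.utils import parseaddr

# --- Constructed sample messages (not real mail) -----------------------------
# xyzvets.com.au is the article's fictitious vet; mail.example.net, mx.example.org
# and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders.

# A plain spoof: From: claims xyzvets.com.au, but the sending host is not
# authorised by that domain's SPF record and there is no DKIM signature.
SPOOFED_MESSAGE = b"""\
Received: from mail.example.net (mail.example.net [203.0.113.5]) by mx.example.org
Authentication-Results: mx.example.org;
 spf=fail smtp.mailfrom=xyzvets.com.au;
 dkim=none
From: "XYZ Vets Accounts" <accounts@xyzvets.com.au>
To: client@example.com
Subject: Invoice 1234 - updated bank details

Please pay this invoice to the new account below.
"""

# A subtler spoof: SPF passes, but for the sender's own domain, which does not
# match the From: domain. DMARC calls this a failed alignment.
MISALIGNED_MESSAGE = b"""\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bulk-sender.example.net;
 dkim=none
From: "XYZ Vets Accounts" <accounts@xyzvets.com.au>
To: client@example.com
Subject: Invoice 1234 - updated bank details

Please pay this invoice to the new account below.
"""

# Genuine mail: SPF and DKIM both pass for the same domain as the From: line.
LEGIT_MESSAGE = b"""\
Received: from mail.xyzvets.com.au (mail.xyzvets.com.au [198.51.100.7]) by mx.example.org
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=xyzvets.com.au;
 dkim=pass header.d=xyzvets.com.au
From: "XYZ Vets Accounts" <accounts@xyzvets.com.au>
To: client@example.com
Subject: Invoice 1234

Thank you for your visit; the invoice is attached.
"""


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results header (RFC 8601 shape) into
    {method: (result, domain)}. Only spf and dkim are needed here."""
    results = {}
    for clause in value.split(";")[1:]:          # clause 0 is the server's own id
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        d = re.search(r"(?:smtp\.mailfrom|header\.d|header\.i)=([^\s;]+)", clause)
        domain = d.group(1).rsplit("@", 1)[-1].lower() if d else ""
        results[method] = (result, domain)
    return results


def aligned(from_domain: str, auth_domain: str) -> bool:
    """Relaxed DMARC alignment. Strictly this compares organisational domains
    (which needs the Public Suffix List); a parent/child check approximates it."""
    if not auth_domain:
        return False
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def assess(raw: bytes) -> dict:
    """Apply the DMARC rule: pass if SPF or DKIM passed AND that result is for a
    domain aligned with the visible From: domain; otherwise fail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain)
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain)
    return {
        "from_domain": from_domain,
        "spf": (spf_result, spf_domain, spf_ok),
        "dkim": (dkim_result, dkim_domain, dkim_ok),
        "verdict": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED_MESSAGE),
                      ("misaligned", MISALIGNED_MESSAGE),
                      ("legit", LEGIT_MESSAGE)]:
        print(f"{name:10} -> {assess(raw)['verdict']}")
```

Only an Authentication-Results header written by your own receiving server (named in its first field, mx.example.org above) can be trusted; a properly configured server strips any such header arriving from outside. Publishing SPF, DKIM and a DMARC policy for your own domain is the “how your emails are set up” part: it gives other people’s mail services the information they need to reject mail spoofing your domain rather than merely flag it.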
Step two – a hacker starts sending invoices using your email address:
Knowing that your email address can be freely and easily copied, the next step is to start sending out invoices asking for payment to a bank account owned by the hacker. Of course this practice is initially very ineffective – if I send out 1000 invoices using the email address [email protected] to a random list of targets, the probability of one reaching someone who actually knows and trusts XYZ Vets is very low, but if you play the numbers game correctly then you will get the occasional successful payment. This practice of sending random emails to the world at large is what we have been monitoring on the internet for some time now.
The scam is a lot more effective if you send emails from a business that is trusted by the public and that is widely used – this significantly increases the likelihood of a successful payment. For this reason medical professionals (including vets), accountants, government offices and banks are commonly used for this sort of scam.
A hacker can take this to a whole new level of effectiveness if they can get their hands on another bit of ‘not so private’ information – a customer email list. On the surface, if someone gets a list of your customers and their emails, it’s annoying but no big deal...
However, imagine now that the hacker sends emails from [email protected] to your entire mailing list pleading for a charitable donation to a pet sanctuary that has just burnt down. With it they provide bank account details to transfer the money, plus your logo and branding on the email. How many of the 3000 clients of XYZ Vets do you think would make a donation – our guess is probably more than 300! And with that goes a complimentary big slap in the face to your reputation.
This is the vulnerability we think is currently the most significant for veterinary practices (and for any trusted professional service).
Step three – being on the receiving end of such a scam:
If a hacker has your email address (which they do, because it’s public as explained above) they may put you on the other end of a scam like the one above. They may send you an invoice from your accountant, or from the ATO asking for a tax payment, or from a bank asking you to log in to verify a payment. With this they provide a bank account into which you can pay the money or, even worse, a link that asks you to log in to your bank to make a payment.
Receiving log-in requests is a very dangerous scam that gives hackers complete access to private places like your online bank account. They create a web page that looks EXACTLY like the bank’s log-in page – once again, this would take our office tech team less than 5 minutes and is within the technical capabilities of a 10 year old; in fact it is just a simple copy/paste of text from one web page to another, so the hacker’s site will look exactly like the bank’s. The only way you can tell it apart from the real thing is by looking at the web address at the top of the browser when you click the link. Below is an example of the legitimate login page for anz, the important thing being that the part of the web address immediately before the .com.au is ‘anz’.
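The ‘look at the web address’ rule can be written down precisely: what matters is the registered domain, the label immediately before the public suffix (.com.au here), not anything that appears earlier in the address. The following is an added example, not from the original article or from any bank: a small Python check that extracts that registered domain from a link and compares it with the expected one. The suffix list is a tiny illustrative subset of the Public Suffix List (an assumption of this example) and the lookalike links are constructed test inputs.

```python
"""Added example (not from the original article): work out which domain a link
really lands on, the way a careful reader compares the address bar with the
bank's real domain."""
from typing import Optional
from urllib.parse import urlparse

# Illustrative subset of the Public Suffix List (an assumption for this example;
# a production check would load the full list).
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "com", "net", "org"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the registered domain of a URL ('anz.com.au' for
    https://www.anz.com.au/login), or None if none can be determined
    (bare IP address, unknown suffix, no hostname at all)."""
    if "//" not in url:               # allow a pasted address without a scheme
        url = "//" + url
    host = urlparse(url).hostname     # lower-cased; drops any user@ part and port
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    for n in (2, 1):                  # longest matching public suffix wins
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def is_expected_site(url: str, expected: str = "anz.com.au") -> bool:
    """True only if the link lands on the expected registered domain."""
    return registrable_domain(url) == expected


# Constructed test inputs: one genuine address shape and three lookalike shapes.
SAMPLE_LINKS = [
    "https://www.anz.com.au/internet-banking",   # genuine: 'anz' sits right before .com.au
    "https://anz.com.au.secure-login.net/",      # 'anz.com.au' is only a subdomain here
    "https://anz.com.au@secure-login.net/",      # text before '@' is a username, not the host
    "https://anz-secure.com.au/login",           # a different registration altogether
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link:45} -> {registrable_domain(link)!s:22} expected site? {is_expected_site(link)}")
```

Browsers and mail filters use the full Public Suffix List; a two-label subset is enough to show the idea. The first two lookalikes fail because the real domain appears only as a subdomain or as the username part before ‘@’, and the third because a hyphenated variant is a different registration entirely, however familiar it looks.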