This case study explores the risks of acting on payment instructions received by email, and of publishing details on social media that fraudsters can use to make such instructions convincing.
Case studies are based on real events. All names and identifying information have been removed.
Mr B has been finance manager of a medium-sized law firm based in the south of England for several years.
He was in the middle of implementing a new case management system, which included delivering staff training, when he received an email apparently from one of the senior partners, Ms A, who was on a business trip in Barcelona. The email instructed him to make a £40,000 payment to Firm Z.
Over the next few hours several more emails arrived from the same sender, discussing specific details of the trip as well as the new case management system and the training Mr B was delivering that day. They also referred to the airline Ms A had flown to Barcelona with, the weather and the hotel she was staying at.
With all these specific details, Mr B had no reason to believe the emails weren't genuine, so he transferred £40,000 to Firm Z as requested.
It wasn't until the end of the day, when the accounts were being reconciled, that the payment was questioned by Mr C, another senior partner at the firm. To show there was a genuine reason for the payment, Mr B produced the emails he'd received earlier from Ms A.
On closer inspection, however, the sender's email address was found to be bogus. The domain name contained an additional letter, making it look similar enough to the firm's real domain to avoid being noticed. Nothing in the content of the emails gave the fraud away; only the address did.
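The extra-letter domain in this case is a near-miss that a person skimming a mailbox will not spot but a machine can. The following is an added example, not code from the case study or the firm: it parses the From header of each message, takes the domain of the actual address (not the display name), and flags any domain within one edit of the firm's real domain. The firm's domain examplefirm.co.uk and the sample messages are constructed for illustration; the second message mimics the extra-letter trick described above, and the third puts the genuine address in the display name while sending from somewhere else.

```python
"""Flag e-mail senders whose domain is a near-miss of the firm's own domain.

Added example, not from the case study. The firm's domain and the sample
messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the firm's genuine domain(s). In practice load these from config.
TRUSTED_DOMAINS = {"examplefirm.co.uk"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete a character of a
                           cur[j - 1] + 1,              # insert a character into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the real From address.

    parseaddr() separates the display name from the address, so a header that
    shows the genuine address as the display name but a different address in
    the angle brackets is judged on the angle-bracket address.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def classify(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for an exact match, 'lookalike' for a near-miss, else 'external'."""
    if domain in trusted:
        return "trusted"
    if domain and any(levenshtein(domain, t) <= max_distance for t in trusted):
        return "lookalike"
    return "external"


def scan(messages):
    """Classify each raw message; returns a list of (domain, verdict) pairs."""
    return [(d, classify(d)) for d in map(sender_domain, messages)]


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = [
    "From: Ms A <ms.a@examplefirm.co.uk>\nSubject: Training\n\nHow is the training going?\n",
    # Extra letter in the domain, as in the case study.
    "From: Ms A <ms.a@exampllefirm.co.uk>\nSubject: Urgent payment\n\nPlease pay Firm Z today.\n",
    # Genuine address shown only in the display name; real sender elsewhere.
    'From: "ms.a@examplefirm.co.uk" <ms.a@mail-examplefirm.com>\nSubject: Re: payment\n\nConfirming.\n',
    "From: Supplier <accounts@supplier.example>\nSubject: Invoice\n\nAttached.\n",
]

if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:9s} {domain}")
```

A check like this belongs in the mail gateway or the payments workflow rather than in the finance manager's head; an edit distance of 1 catches the single inserted, dropped or swapped letter, while the third sample shows why the display name must never be trusted on its own.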
Earlier that day, both the firm and Ms A had posted several messages on social media about the business trip and the timing of the case management implementation.
First meeting down and now enjoying the sunny weather on the Ramblas before my next.
Grabbing a quick lunch at La Boqueria.
Case management training day today – can't wait!
These posts gave the fraudsters both the pretext (a senior partner away on a trip) and the specific details (location, weather, the training day) needed to make their emails convincing and to time them for a day when Mr B was busy.
Unfortunately the payment could only be partially retrieved, leaving the firm with a substantial financial loss.
The firm has since improved its security, including an internal code word required for the release of funds (changed weekly), a training programme for all staff, and a review of what it posts on social media. The key change is that an email on its own is no longer sufficient authority to make a payment.