A case of fraud, negligence and maybe an inside job?
The TM Pick n Pay hack first reported last night has caused quite a stir in the news cycle because of the enormous sum involved: ZWL $22 million stolen. According to The Chronicle, the attack began on 28 January, when a still-unidentified group of hackers used email to move money out of TM's Steward Bank account into four accounts of their own, all while posing as TM Financial Manager Mr Raymond Matsetsa. A cooperative suspect, Mr Tonderai Chagweda, has been apprehended, but one question remains on the minds of most Zimbabweans hearing about this: how did this actually happen? The most probable answer lies below.
Say hello to Business Email Compromise (BEC) scams.
The attack is what's called a Business Email Compromise scam, a very common form of attack on businesses around the world. It essentially consists of criminals sending an email that appears to come from a known, trusted source and makes a seemingly legitimate request, just as these hackers claimed to be TM's Financial Manager Mr Matsetsa. The criminals then use that email to get funds sent to accounts they control, usually "dummy" or mule accounts that are used once, emptied, and abandoned, after which the criminals disappear. It is a scheme that relies on both technical and social engineering: a spoofed or lookalike sender address gets the email past a glance, but it works best when the attackers already know how the company's people, approvals and payment procedures fit together. This is why the ZRP seem to suspect that employees from both Steward Bank and TM could be involved, though it is worth noting that current suspect Mr Chagweda's lawyer has stated that Mr Chagweda does not work for either TM or Steward. That is essentially how BEC scams work; the video below, courtesy of security firm TrendMicro, gives a little more background if you want to dig further.
A sign of an increasingly dangerous tech sphere in Zim.
Now, while our last issue on cyber security was almost a year ago, this latest attack reinforces the point we ended on then: the state of cyber security in Zimbabwe, and the need for Zimbabweans to be more vigilant about these matters. If massive conglomerates that move large sums of money can be robbed with a method that honestly seems too simple to work, then more and more criminals will take notice of how vulnerable and relatively easy a target many Zimbabweans are. After all, we hear of hacking, malware and account tampering affecting everyone from private individuals to social media icons to large conglomerates. Everyone needs to up their game here. In the TM case, both TM and Steward Bank need a thorough re-examination of how they communicate online, how they liaise with each other and, of course, how they authorise financial transactions. We'll leave a few tips on guarding against BEC scams below (courtesy of the FBI), and chances are you will want to take a look at them. For now, the key takeaway is that everyone should keep their eyes open, update their security standards and be wary of shady-seeming online engagements. It could literally save you.
How to Protect Yourself
Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
Verify payment and purchase requests in person if possible, or by calling the person to make sure the request is legitimate. Any change in account number or payment procedures should be confirmed with the person making the request, using a phone number you already have on file rather than one supplied in the email itself.
Be especially wary if the requestor is pressing you to act quickly.
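The BEC mechanics described above (a trusted name on a lookalike address, replies routed elsewhere, an urgent request to pay into new account details) can be checked for mechanically before a finance desk acts on an email. The following is an added example, not code from the original article or from any of the organisations it mentions; the trusted domain, the person in the contact list, and the two sample messages are all constructed for illustration. It scores a raw email against the warning signs in the tips above and returns the ones it finds.

```python
"""Heuristic BEC indicator check over raw email text (added example, hypothetical data)."""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data: the company's own domain and a known finance contact.
TRUSTED_DOMAIN = "example-retailer.co.zw"
TRUSTED_PEOPLE = {"rudo moyo": "r.moyo@example-retailer.co.zw"}  # display name -> real mailbox

# Simple keyword lists; substring matches are deliberate (crude but cheap).
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "confidential")
PAYMENT_WORDS = ("transfer", "payment", "wire", "rtgs", "bank details", "account number")
DETAIL_CHANGE_WORDS = ("new account", "updated bank", "changed our bank")


def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one message (empty list = nothing seen)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    indicators = []

    # 1. Display name of a known person, but a different mailbox behind it.
    expected = TRUSTED_PEOPLE.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        indicators.append("display-name-impersonation")

    # 2. A domain that is almost ours (example-retai1er vs example-retailer).
    if from_domain != TRUSTED_DOMAIN and 0 < edit_distance(from_domain, TRUSTED_DOMAIN) <= 2:
        indicators.append("lookalike-domain")

    # 3. Replies silently routed to a mailbox the attacker controls.
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        indicators.append("reply-to-mismatch")

    # 4. Content: a payment request wrapped in time pressure or secrecy.
    body = msg.get_content() if not msg.is_multipart() else ""
    text = (str(msg["Subject"] or "") + "\n" + body).lower()
    if any(w in text for w in PAYMENT_WORDS) and any(w in text for w in URGENCY_WORDS):
        indicators.append("urgent-payment-request")

    # 5. Content: beneficiary details are being changed; always verify out of band.
    if any(w in text for w in DETAIL_CHANGE_WORDS):
        indicators.append("new-payment-details")

    return indicators


# Constructed sample messages (hypothetical people, domains and account numbers).
LEGIT_MAIL = """\
From: Rudo Moyo <r.moyo@example-retailer.co.zw>
To: accounts@example-retailer.co.zw
Subject: Monthly expense report

Please find attached the monthly expense report for your review.
"""

FRAUD_MAIL = """\
From: Rudo Moyo <r.moyo@example-retai1er.co.zw>
Reply-To: finance.desk@mail.example
To: accounts@example-retailer.co.zw
Subject: Urgent payment instruction

Please process this transfer today to our new account number 1234567890.
Keep this confidential until the deal is announced.
"""

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT_MAIL), ("fraud", FRAUD_MAIL)):
        print(label, bec_indicators(mail))
```

None of these checks proves fraud on its own; a genuine colleague can write "urgent" too. The point is that a message tripping several of them at once, especially a lookalike domain plus new beneficiary details, should never be paid out on the strength of the email alone, but only after a call to the requester on a number already on file.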