Barbara Corcoran, the renowned real-estate broker, business expert and Shark Tank host, admitted in late February that she had been swindled out of $380,000 by one of the most common forms of fraud: a phishing scam. Nearly 30,000 people reported being victims of phishing to the FBI last year, and the FBI put the reported losses from phishing alone at nearly $50 million.
The Shark Tank star was fooled by a criminal who, pretending to be Corcoran's assistant, emailed a fake invoice for a real-estate renovation to Corcoran's bookkeeper. The scam was discovered only after the money had been wired, when the bookkeeper sent a message to the assistant's real email address to let her know the payment had been made. No malware and no stolen password were involved: a convincing sender address and a plausible invoice were enough.
Attacks of this sort are known as phishing, but more specifically this was a spear-phishing attack. Spear phishing targets a specific person or organization, seeking money or access to sensitive information. As with bulk phishing, it is done with spoofed emails that appear legitimate, but they are crafted for one target rather than sent to a list of random addresses. Whaling is the same technique aimed at high-ranking executives. Had the email been sent directly to Corcoran, it would have been a whaling attack; since it was directed at her organization and her employees rather than at her alone, it is considered spear phishing. Because the goal was a fraudulent wire transfer requested from a trusted-looking sender, the FBI also classifies this kind of invoice fraud as business email compromise (BEC).
What Can Be Done?
As a business owner, you should be concerned about phishing attacks that your employees can fall for. Since these attacks accounted for nearly $50 million in reported losses last year, it is important to understand what can be done to reduce the likelihood of becoming a victim. Phishing is one of the more tractable risks to train employees against, because the warning signs are concrete: an unexpected request, an unfamiliar or slightly misspelled sender address, and pressure to act quickly. Follow the practices below to reduce the likelihood of being breached by a phishing attack:
- Train your employees to spot, avoid and report phishing emails, and to treat any request for a payment, a wire transfer or a change of banking details with suspicion, however familiar the sender looks.
- Test your employees with simulated phishing campaigns, and re-train those who fail.
- Verify payment requests out of band. Before money is wired, confirm the request through a channel the attacker does not control, such as a phone call to a known number or a message to the address already on file. In Corcoran's case, the bookkeeper's message to the assistant's real address exposed the fraud; had it been sent before the wire rather than after, the money would have stayed put.
- Purchase a password manager and train your employees to use it. A password manager only offers saved credentials on the exact site they were saved for, so when it refuses to autofill on a lookalike login page that refusal is a strong warning sign. It is not a hard stop, since an employee can still type or paste a password, and employees who reuse passwords will readily enter them. Note that it would not have prevented this particular scam, which asked for a wire transfer rather than a password.
- To protect others from phishing attacks that use your domain name, publish SPF, DKIM and DMARC records so that receiving mail servers can detect and reject email forged to appear from your domain. The DMARC policy must be set to quarantine or reject for receivers to act on it (p=none only reports), enforcement depends on the receiving server, and none of these records protects against a lookalike domain the attacker registers and authenticates themselves.
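To make the last point concrete, the following is an added example (not code from the original article) that models, offline, what a receiving mail server does with a sender's SPF and DMARC records. The DNS records, IP addresses, domain names (example.com and the lookalike exarnple.com) and message identifiers are all constructed for illustration, and the DKIM result is taken as an input because verifying a real signature would require the signer's key. It shows a forged message being rejected under the legitimate domain's policy, and a message from a lookalike domain passing, because the attacker controls that domain's records.

```python
"""Offline model of receiver-side SPF and DMARC evaluation.

Added example for this article, not code from the original post. DNS records,
IPs, domains and message identifiers are constructed; the DKIM verification
result is supplied as an input rather than computed.
"""
import ipaddress

# Constructed DNS TXT records: what a domain owner publishes for example.com,
# and what an attacker can publish for a lookalike domain (exarnple.com) they own.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "exarnple.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_dmarc.exarnple.com": "v=DMARC1; p=none",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Simplified SPF (RFC 7208): handles the ip4, include and all mechanisms only."""
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1") or depth > 10:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the included record evaluates to pass
            matched = spf_check(term[8:], client_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists, ptr and macros are not modelled here
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=r' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    # Simplification: take the last two labels. Real receivers consult the
    # Public Suffix List so that example.co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(msg):
    """msg keys: from_domain (RFC5322.From), mailfrom_domain (RFC5321.MailFrom),
    client_ip, dkim_domain (d= of a signature that verified, or None).
    Returns the SPF result and the disposition the From: domain's policy asks for."""
    from_domain = msg["from_domain"].lower()
    spf_result = spf_check(msg["mailfrom_domain"], msg["client_ip"])
    record = DNS_TXT.get("_dmarc." + from_domain) or DNS_TXT.get("_dmarc." + org_domain(from_domain))
    if not record:
        return {"spf": spf_result, "disposition": "none", "reason": "no DMARC record"}
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(msg["mailfrom_domain"], from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(msg.get("dkim_domain"), from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"spf": spf_result, "disposition": "pass", "reason": "aligned SPF or DKIM pass"}
    return {"spf": spf_result, "disposition": tags.get("p", "none"), "reason": "no aligned pass"}


# Constructed messages; only the identifiers DMARC inspects are modelled.
LEGIT = {"from_domain": "example.com", "mailfrom_domain": "example.com",
         "client_ip": "203.0.113.10", "dkim_domain": "example.com"}
SPOOFED = {"from_domain": "example.com", "mailfrom_domain": "example.com",
           "client_ip": "198.51.100.7", "dkim_domain": None}
LOOKALIKE = {"from_domain": "exarnple.com", "mailfrom_domain": "exarnple.com",
             "client_ip": "198.51.100.7", "dkim_domain": None}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, dmarc_evaluate(msg))
```

The spoofed message fails SPF and carries no aligned DKIM signature, so the receiver applies example.com's p=reject policy. The lookalike message passes, because exarnple.com's own records vouch for the attacker's server; that is why the out-of-band verification step above, not DNS records, is what stops an invoice scam like this one.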
The moral of the story is that attacks of this sort can happen to anyone, even a multimillionaire businesswoman who hosts a world-famous TV show. If it can happen to her and her employees, it can certainly happen to you and your business.