Local businessman Walter Mitchell felt powerless last week when he started receiving inquiries from acquaintances about an email that supposedly came from him, even though he never sent it.
“It’s a frightening experience,” said Mitchell, owner/operator of Mitchell Financial Group, an insurance, financial and estate planning firm.
“I’ve been in business 40 years and never had anything like this happen.”
Imposter emails from familiar contacts, friends and family have become commonplace, but this one was different.
With a subject line, “action required: file,” the email said Mitchell had used OneDrive for Business — Microsoft’s online file storage service — to share a file with the recipient. It contained a link to view the document, saying it would only be available for 48 hours.
If the email had stopped there, it would have been more obvious it was a scam to get recipients to click on a link that could expose their technology to a virus or other malicious software.
But this one continued:
“Let me know if you have any questions. Thanks.” It contained Mitchell’s name, business title and business address followed by business phone, fax and cell numbers that closely resembled the real ones.
Mitchell said he does not use OneDrive.
“I never heard of OneDrive before,” said Mitchell, a well-known local resident who also serves as Bear Creek Village mayor. “I have no affiliation with the company stated in the email.”
He subsequently learned that some replied to the email asking for more information or to let him know they believed he was hacked. Even though it appeared as if the replies were going to his correct email address, they went to the scammer. Someone pretending to be Mitchell sent a reply letting them know that the email was legitimate and it was OK for them to click on the link.
“This is very unnerving to me because this is my reputation at stake,” Mitchell said last week as he was still trying to sort through how it happened.
Mitchell stressed his business has firewalls and “layers of security” to protect client information.
He wanted people he knows to realize he would never send an email with information that was not prefaced by a personal, individualized greeting explaining the reason.
Aware of the ever-present possibility of scams, Mitchell said he personally avoids clicking on any links purportedly from people he knows if they are preceded with comments like, “Check this out,” or “You won’t believe this.” The communications sent in his name last week were craftier, he said.
Luzerne County detective Charles Balogh, who specializes in computer crimes, said the email is an example of the increasingly devious ways hackers, scammers and perverts are trying to hurt people of all ages through a window that can be opened each time a computer, tablet, cellphone or even smart television or gaming system is turned on.
The perpetrators often use logos of real banks and businesses to make it appear the communication is coming from them to obtain personal information, sometimes including warnings and exclamation points as alerts to try to fool recipients into thinking it is an emergency situation.
“When people see that, they panic,” Balogh said, adding that the same techniques apply to phone scams.
Balogh pleads with the public to avoid revealing any personal information or clicking on any links unless they are certain the communications were validly sent.
The easiest verification technique, Balogh said, is calling the person or company to check. As evidenced in Mitchell’s case, he stressed recipients should look up the correct phone number and not simply call the one in the email, which usually is incorrect or linked to scammers.
Often, the senders are trying to get recipients to click the link so they can place software on their computers and devices to access personal information, such as passwords to credit card and banking accounts, Balogh said.
Anyone who accidentally clicks on a bad link should immediately turn off and unplug their computer or device and consult a reputable professional, he said. Anti-virus programs can block some damaging threats, but Balogh also warned people to be careful about purchasing such programs because some online services appear to be legitimate but are actually scams as well.
Saved by technology
A Luzerne County Children and Youth worker recently verified to a reporter that an email sent from her county account sharing a link to a document was not sent by her and had stemmed from hacking.
Although some corrupted emails went out, county Information Technology Director Mauro DiMauro said the infiltration was quickly detected and shut down by a new $26,000-a-year advanced threat protection program added in this year’s Microsoft Corp. contract renewal.
DiMauro had informed county council the coverage was needed due to more attacks attempting to access confidential data or disrupt operations.
“The cybersecurity community has been reporting a steady increase in the level of sophistication employed by cybercriminals,” DiMauro said. “Over the last year or so, attacks have become more targeted and include more familiar details to fool victims into thinking an email or web popup is legitimate.”
The county has started to flag all incoming emails from non-county senders with a notice reminding staff not to open attachments or click links unless they are sure it is safe, DiMauro said. Luzerne County has a cybersecurity training program for all staff to help them better identify scam email messages and other suspicious computer activity, with refresher courses planned.
Posing as coworkers
The practice of scammers masquerading as a work colleague to obtain company secrets or money is a real threat, Balogh said.
He provided an example in which a worker at an area business was coerced to wire money after receiving an email from someone pretending to be the boss. The email said the boss had lost or broken his cellphone.
“I found it very odd that this company believed without calling to check, but in their everyday life, they don’t really communicate except through email. That’s why they thought it was so real because most of their interaction was through email,” he said.
Balogh advised companies to discuss protocols for the release of money or data.
Businesses and families also can come up with a code word that is not stored in any device so they can ask for it to verify the authenticity of requests, he said.
Some illegitimate emails even appear to come from an employee’s own company seeking login changes due to an alleged security breach, he said.
“People are actually hitting the link and filling out their user names and passwords, which could allow someone to get access into their company servers,” Balogh said.
Reach Jennifer Learn-Andes at 570-991-6388 or on Twitter @TLJenLearnAndes.