A Typo cost hackers $ 1 billion

In a presentation I was giving to the Certified Fraud Examiners last month, an audience member pointed out that in many phishing emails that are designed to steal our username and password, there are typos and common sense errors. A point well taken. However, I have seen many phishing emails that are devoid of any blunders that might stand out. Constant vigilance on all of our parts is the key to avoid clicking on links or attachments that may steal our credentials. Don’t click on them in an email from an unknown sender. When in doubt, throw it out!

A story broke this past weekend about a hacker group who already had the stolen the credentials of a financial institution and may have gotten away with a cool one billion dollars if they watched their spelling. Here is a link to the story in The Washington Post:



Check washing is alive and well

According to the Wall Street Journal, stolen checks from mailboxes netted crooks in New York more than $ 30,000. The crime is called check washing and it involves crooks stealing outgoing mail from your mailbox. If they find a handwritten check, they “wash” the amount and payee off of the check and make it payable to co-conspirators, who cash the checks.

To keep your checks safe, pay bills online and forgo check writing to the extent possible. If you write checks to pay bills, take the envelope to a blue box or post office. Also, as an additional layer of security, use gel pens to write checks. The gel is a liquid, which is absorbed into the cotton fiber of the check paper and it can’t be washed off like ball point ink, which sits on the surface of the check paper. You can buy gel pens pretty much anywhere, try CVS or across the street at Walgreens.

IRS does not call to demand cash

Coming off of very busy weeks presenting in Columbus, Cincinnati, Durango, Sarasota,  Kansas City, Columbus (again) and Kansas City (again). A few times the question was raised about fake phone calls from someone pretending to be an IRS agent and demanding money for past due taxes. The IRS of course, doesn’t do this sort of thing.

One person told me that she thought the call was a fake until the person on the phone told her his “official badge number”. That made her think it was real although in the end she still didn’t send any money, thank goodness.

The New York Times columnist David Segal wrote about this fraud in last Sunday’s Times. Here is a link to the column.


40 Bitcoins equals $ 17,000

Hollywood Presbyterian Medical Center is aware of this bitcoin conversion because that is what they said they paid to hackers to get the encryption key to unlock their data. The linked article provides more details, but to prevent this from happening to you personally or to your organization, do two things:

  1. Educate employees/family members about the phishing emails that download the ransomware/cryptolocker on the network.
  2. Maintain offline backups of all essential computer files.

No person or business should ever have to pay ransom to get their files back. All cases like this do is encourage the hackers and more attempts to victimize us.