Ransomware. ATO. Wannacry. Spearphishing. Those four terms should scare the life out of anyone with an e-commerce merchant account.
We’re immersed in the World Cup here at General Dynamicx Payment Processing, and several of us are hardcore European soccer fans. Recently, we received an e-mail appearing to be an invitation to join a fantasy World Cup pool, with a link to click to join. Fortunately, we’re well-educated when it comes to suspicious, unexpected e-mail messages. For those who are not, however, we understand that sometimes e-mails can be convincing and even look familiar, prompting them to click.
Too often, that one click enables ransomware to take control of their website, usually followed by a creepy message demanding an ungodly sum in bitcoin by a certain date for its release. Failure to comply within a certain time frame usually sees the ransom double.
All from one click.
Occasionally we chuckle and sadly shake our collective heads at the creativity (and level of deceit) of hackers and other online criminals. At times, we’ve got to give them an ‘A’ for effort. It’s just a shame hackers and fraudsters don’t put such ingenuity and effort into something constructive.
A Ransomware Story
Roughly three years ago, a colleague of ours clicked on an e-mail touting very low interest rates for a business credit card. He had seen similar offers in the past, but never clicked. In the few seconds he took to glance at the messaging, it seemed authentic enough.
Within minutes, his business’s website was down, leaving him helpless and his business without functionality. He contacted his provider and a couple of web-savvy colleagues, who told him he may have been the victim of an ATO (account takeover). Within an hour, a ransom note arrived in his in-box from someone representing an Eastern European hacking group, seeking the equivalent of about $8,000 in bitcoin (with a transfer address), due the following Tuesday by noon. Meet the deadline, the note said, and his website would be released. Failure would result in the ransom doubling each week.
After careful thought and consideration, our colleague paid the ransom, and, luckily, the hacking group released control of his website. He then spared no expense in securing the proper protections and security, and was able to salvage his business.
6 Things An E-Commerce Merchant Should Ask Oneself Before Clicking
Our colleague represents thousands of e-commerce merchant account holders victimized by hackers, many not so lucky. It’s always good to have a third-party security provider with filters in place, ones that recognize and quarantine suspicious e-mails.
For e-commerce merchants unable to use third-party providers for whatever reason (affordability, for instance), knowing the signs of phishing and ATO attacks is paramount. When a questionable e-mail message arrives, merchants should run it through the six-point assessment below before clicking. If the merchant answers yes to two or three of these points, s/he should simply delete the e-mail.
- Is the e-mail unexpected? This is usually the first red flag, but not the be-all and end-all factor. We understand unexpected e-mails arrive quite often.
- Does the sender reference me personally or generally? If it is the latter, that’s another bad sign. We’ve seen, however, phishing emails that do address the recipient.
- Is it urging me to click or to open a file? This is a major red flag. Merchants are advised not to click whatsoever.
- Does the e-mail contain spelling or grammatical errors? This is usually a sign that the sender is from another country and/or English is not their first language. There are several regions of the world known for fraud (Eastern Europe, African and Asian nations).
- Is there anything odd about the sender’s e-mail address? In the few instances that phishing e-mails seep through our spam filters, we look at the sender’s address. Bogus and phishing e-mails often have long prefixes that reek of spam, or attempt to emulate a legitimate company with an address such as ‘microsoftIT@gmail.com.’ Legitimate businesses have their own servers and branded e-mail addresses. A well-known company such as Microsoft would never use a ‘Gmail’ address.
- Is the URL for the link or attachment unrecognizable? Carefully hover over the link or the attachment, but do not click. Is the URL destination strange or unrecognizable? Consider it another warning sign.
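As an added illustration (not code from the original post or from General Dynamicx Payment Processing), the following Python script applies the six questions above to a raw e-mail message: it pulls the sender address, the greeting, urgency wording, common misspellings, a brand name sitting on a free-mail domain, and, for each link, whether the visible text points to the same host as the real destination (the automated version of "hover, but do not click"). The two sample messages, the keyword lists and the cut-off of two flags for "delete" are assumptions made for this example; a merchant would tune the lists to the brands and wording that actually target them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not real messages). The first shows the traits listed in the
# post; the second is an expected, branded, personally addressed mail for contrast.
PHISH_EML = """\
From: Microsoft IT Support <microsoftIT@gmail.com>
To: merchant@example.com
Subject: Action required: verify your merchant account
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your account will be suspended. Click here imediately to verify:</p>
<a href="http://login-verify.example.net/ms">https://account.microsoft.com</a>
</body></html>
"""

LEGIT_EML = """\
From: Billing <billing@example-processor.com>
To: merchant@example.com
Subject: Your June statement is available
Content-Type: text/html

<html><body><p>Hi Dana,</p><p>Your statement is ready in the portal:</p>
<a href="https://portal.example-processor.com/statements">https://portal.example-processor.com/statements</a>
</body></html>
"""

# Assumed lists; extend them with the brands and phrases seen in your own mail.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
BRAND_WORDS = ("microsoft", "paypal", "apple", "amazon", "bank")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear sir")
URGENCY_WORDS = ("click here", "verify", "suspended", "immediately", "action required", "open the attach")
COMMON_TYPOS = ("imediately", "recieve", "acount", "verfy")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or URL-looking visible text; empty string if it has none."""
    if not url:
        return ""
    if not re.match(r"^[a-z]+://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def assess_email(raw, expected, recipient_name):
    """Score a single-part e-mail against the six points and recommend delete/keep.

    The post's threshold is "yes to 2-3 points"; the cut-off of 2 here is an assumption.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().rpartition("@")
    html = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = re.sub(r"<[^>]+>", " ", html).lower()       # strip tags for the wording checks
    subject = msg.get("Subject", "").lower()
    flags = []

    if not expected:                                     # 1. unexpected?
        flags.append("unexpected")
    if any(g in text for g in GENERIC_GREETINGS) or recipient_name.lower() not in text:
        flags.append("generic_greeting")                 # 2. addressed generally, not personally?
    if any(w in subject + " " + text for w in URGENCY_WORDS):
        flags.append("urges_click")                      # 3. urging a click or file open?
    if any(t in text for t in COMMON_TYPOS):
        flags.append("spelling")                         # 4. spelling errors?
    if domain in FREE_MAIL_DOMAINS and any(b in local for b in BRAND_WORDS):
        flags.append("odd_sender")                       # 5. brand name on a free-mail address...
    elif len(local) > 24:
        flags.append("odd_sender")                       #    ...or a long prefix that reeks of spam
    parser = LinkExtractor()
    parser.feed(html)
    for href, shown in parser.links:                     # 6. does the link go where it says?
        if _host(shown) and _host(shown) != _host(href):
            flags.append("link_mismatch")
            break
    return {"flags": flags, "recommendation": "delete" if len(flags) >= 2 else "keep"}


if __name__ == "__main__":
    print(assess_email(PHISH_EML, expected=False, recipient_name="Dana"))
    print(assess_email(LEGIT_EML, expected=True, recipient_name="Dana"))
```

Run as-is, the first message trips all six checks and comes back "delete"; the second trips none. The `expected` argument is the one judgement the script cannot make for you, which is the post's point about the first question: only the recipient knows whether the message was anticipated.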
Protect Your E-Commerce Merchant Account — Do Not Click
We once received an e-mail from Janet Yellen, Chair of the Board of Governors of the Federal Reserve Bank, alerting us that our ‘approved’ funds were ready to be released in exchange for some personal information (name, address, mobile, e-mail contact and passport number).
We’ve also won the lottery in Burma (it’s called Myanmar now…the fraudster must’ve missed the memo) and are the beneficiary of millions from a distant relative in the Ivory Coast.
We’ve always felt the sharing of such phishing and ATO attempts is important, so that others can be alerted to the warning signs.