Barbara Corcoran Phished. PHOTO: Cybercrime Magazine.

Robert Herjavec: Phish Takes A $400K Bite Out Of Shark Barbara Corcoran’s Company

Unsuspecting bookkeeper falls victim to a sophisticated phishing attack and Business Email Compromise

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Feb. 27, 2020

Cybercrime Magazine connected with Shark Tank star and Herjavec Group founder and CEO Robert Herjavec to discuss the news of his co-star, real estate mogul Barbara Corcoran, being phished for nearly $400,000.

Herjavec also shares detailed and invaluable information on how you can mitigate the Business Email Compromise (B.E.C.) before it stings your organization.

Give us the backstory, exactly what exactly happened to Barbara?

Robert Herjavec: Barbara’s team fell victim to a sophisticated phishing attack. Her bookkeeper received a request for wire transfer that seemed legitimate. She validated the information by emailing back and forth with the “sender” who she believed to be Barbara’s personal assistant. Unfortunately she didn’t realize that there was only one letter missing from the correct email, and authorized a wire transfer or over $380K.

“It was only later when an email was sent to the correct address with a few additional questions that the team realized a mistake had been made. Unfortunately it was too late and the funds were gone. Initial investigation has shown the attack originated from Chinese IP.

Is there anything she or her team could have done to prevent it?

Robert Herjavec: We say it all the time but this is the perfect example of humans being the weakest link. It’s truly unfortunate but I commend Barbara and her people for wanting to share this story in order to make more people aware of how these attacks are maturing, and how diligent you really need to be.

Business email compromises are on the rise — accounting for approximately 50 percent of cybercrime damages in 2019 according to the FBI. That’s over $1.7 billion. We also know that more than 90 percent of phishing campaigns contain some form of ransomware so making sure we mitigate the risks of phishing, and improve security awareness across our teams, is critical.

To prevent an attack of this nature I recommend:

1. Being diligent in verifying sender name, email and source. This attack occurred because just one letter was out of place. Phishing attacks today aren’t just full of bad grammar and poor spelling. We have moved well beyond that so we need the recipients to be extra diligent before opening, clicking or downloading any content from an untrusted source.

2. Always have voice verification in place, particularly when it comes to large wire transfers. Had Barbara’s team had a voice protocol (or even text message) to confirm the authorization on the wire, versus simply relying on email communication for approval, this situation could have been avoided.

3. Develop a protocol with your financial institution to contact a finance team representative (CFO, VP, etc.) to approve any transfer over a certain amount.

4. In the event you believe you have been targeted or have sent a wire to an unintended source, notify your bank within 48 hours for domestic transfers or 24 hours for international transfers to put a stop on the send.

5. Advance your internal security protocols and educate your teams. I recommend:

  • Use multi-factor authentication for any corporate applications.
  • Ensure external email monitoring is set up on your corporate network to showcase when communications are from External vs Internal sender.
  • Network administrators should block all attachments from being downloaded onto corporate devices.
  • Whitelist acceptable file extensions as this list will be smaller and easier to manage.
  • Beware of being emotionally exploited by hackers for natural disaster or terror attack relief funds as they take advantage of people’s goodwill and use phishing emails to ask for “donations.”
  • Conduct random internal phishing tests for your employees to test how likely they are to fall for phishing scams.
  • Always check the spelling of the URLs in email links before you click or enter sensitive information.
  • Watch out for URL redirects, where you’re subtly sent to a different website with identical design.
  • Validate the sender name, email address and source diligently — including spelling.
  • If you receive an email from a source you know but it seems suspicious, contact that source with a new email, rather than just hitting reply. Even better — call them!
  • Don’t post personal data, like your birthday, vacation plans, or your address or phone number, publicly on social media.
  • “Sandboxing” inbound email, checking the safety of each link a user clicks.
  • Inspecting and analyzing web traffic.
  • Pen-testing your organization to find weak spots and use the results to educate employees.
  • Partner with a 3rd party service provider for 24/7 Threat Monitoring and Managed Phishing Support.
  • Look to automate your email gateway responses by leveraging SOAR tools to advance your phishing playbooks.

What do you advise her and anyone going forward?

Robert Herjavec: This is a really unfortunate incident but we are talking about it so we all learn and remain diligent.

Security Awareness is no joke. As business leaders, we are accountable for training our people to be diligent and protecting them with proactive cyber tools wherever possible. Even a Shark can get phished — it can happen to anyone! So be diligent, test your teams, put the processes and tools in place to detect fraudulent activity and slow down. Take the right steps so you aren’t the next victim of a phishing attack or business email compromise.

Watch Robert and Barbara speaking about this incident on Good Morning America

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.

Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.