Meng Wanzhou, the Spanish Prisoner and the Human Firewall

Human Firewall

The con went like this: There is a man, a very wealthy man, who is trapped in a Spanish prison under a false identity. I can’t tell you his name as it would put him in great peril. I am his dear friend and he has entrusted me to retrieve some funds that would secure his escape. Unfortunately, getting to those funds and then getting them to Spain will incur some expense… a very small amount, I assure you, compared to the vast treasure that awaits. This man has promised one third of the treasure for the person who can help!

So goes one variation of the Spanish Prisoner confidence trick, popular in the late 19th century. The people have changed and the technology certainly has changed, but that old con, and ones like it, are still paying in spades for fraudsters.

The stories have changed too. Remember the Nigerian Prince scam from around the turn of this century, the poster child of email fraud for the 2000s. And just this week many thousands of people received this imperative plea purporting to come from Huawei’s CFO, Meng Wanzhou, who was arrested in Vancouver last week:

“Hello, I am MENG Wanzou. Currently, I have been detained by Canadian customs. I have limited use of my phone. Right now CIA is trying to get me into the hands of the US government. I bribed the guard of my room, and urgently need US$2000 to get out of here. Once I am out, I will reward you 200,000 shares of Huawei. I will be good on my word. If you are single, we can also discuss the important thing in life. The guard’s name is David, the account number is 52836153836252, swift 55789034. I will be good on my word.”

Wow, a promise of riches and ‘marrying up’! We can only wonder who would fall for this type of scam these days. Fact is, we still see these because they still work. And while it is possible that you might see one of these ‘classics’ show up in your Inbox, the reality is that the Spanish Prisoner scam is all grown up now, and there is a good chance you won’t be able to identify the ones being delivered today.

The term phishing was coined more than 20 years ago to describe these attempts to defraud via electronic means. Phishing is a progressive game; the cybercriminals are always improving. From phishing we advanced to spear phishing, attacks aimed at a narrower group rather than at everyone. A good example of spear phishing is the UPS ‘There is a problem with your shipment’ email. For the 999 people out of a thousand who did not ship anything with UPS this week, the email is deleted without a second thought. But if you happen to be the one in a thousand who did ship something with UPS, you might just double-click that attachment without even considering it, and the attachment, not the message, is where the malware lives. This lure has been around for at least a decade and is still going strong.

Recently the term phishing got another promotion, to laser phishing. Using automation, and increasingly AI, bots can collect information about you and generate a surprisingly authentic email aimed at YOU and only YOU. Often these emails take the form of CEO Fraud, one variety of what is called Business Email Compromise (BEC): a message that appears to come from an executive and asks someone with access to funds to move money. When the attackers know so much about you, it adds a level of authenticity to the email that can really throw you off. After all, they know your name, your boss’s name, your email address, your title and responsibilities, perhaps your travel plans. I know of one local attack this year where the victim did not fully check the legitimacy of an email because the writer knew the travel plans of the boss. ‘Who else would know that?’ they thought. It was a mistake that cost the company over 100,000 US dollars.
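The cues in a CEO-fraud email are mechanical enough that a mail gateway or a small script can flag them before a human has to judge the story: an executive’s name on a message that does not come from that executive’s real address, a sender or Reply-To domain that is a near-miss of the company domain, a Reply-To pointing somewhere else entirely, and payment or urgency language. The following is an added example, not code from this column or from Tech Next Door; the company domain, the executive roster, the phrase list and both sample messages are constructed for illustration, and the findings are meant to trigger the verbal check described later, not to replace it.

```python
# Added example (not from the original column): mechanical checks for the
# CEO-fraud / BEC pattern. Domain, roster, phrase list and messages are assumed.
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed company domain
EXECUTIVES = {"pat reeves": "pat.reeves@example.com"}  # assumed: display name -> real address
RISKY_PHRASES = ("wire", "urgent", "gift card", "keep this confidential", "payment")


def edit_distance(a, b):
    """Levenshtein distance; a single swap such as l -> 1 counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted=COMPANY_DOMAIN):
    """Domain is not the trusted one but sits within two edits of it, or embeds
    the trusted name as a label (example-com.net, example.com.evil.net)."""
    domain = domain.lower()
    if not domain or domain == trusted:
        return False
    label = trusted.split(".")[0]
    return edit_distance(domain, trusted) <= 2 or label in domain.replace("-", ".").split(".")


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message):
    """Return human-readable findings for one raw RFC 822 message.
    An empty list means nothing tripped; findings are cues for a verbal
    check with the named executive, not a verdict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = domain_of(sender)
    findings = []

    # Display name matches a known executive but the address does not.
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and sender.lower() != real_addr:
        findings.append(f"display-name spoof: '{name}' sent from {sender}, not {real_addr}")
    if is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain: {sender_domain}")

    # Replies silently routed to a different mailbox than the visible sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to:
        reply_domain = domain_of(reply_to)
        if reply_domain != sender_domain:
            findings.append(f"reply-to goes elsewhere: {reply_to}")
        if is_lookalike(reply_domain):
            findings.append(f"lookalike reply-to domain: {reply_domain}")

    # Pressure and money words in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in RISKY_PHRASES if p in text]
    if hits:
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings


# Constructed sample: the travel-plans lure from the column, dressed as CEO fraud.
SCAM = """\
From: Pat Reeves <pat.reeves@examp1e.com>
Reply-To: pat.reeves.ceo@gmail.com
To: finance@example.com
Subject: Urgent wire before I board

I'm at the airport for the Denver trip and can't take calls. Please wire
$48,500 to the vendor below today and keep this confidential until I'm back.
"""

# Constructed sample: a legitimate note from the same executive.
LEGIT = """\
From: Pat Reeves <pat.reeves@example.com>
To: finance@example.com
Subject: Q3 numbers

Can you send me the Q3 report before Friday's meeting? Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or ["no indicators"])
```

Run as is, the scam sample produces four findings (spoofed display name, lookalike sender domain, Reply-To to a webmail address, and wire/urgent/confidential wording) while the legitimate note produces none. The roster lookup is the check that matters most: it is cheap, it does not depend on the attacker making a spelling mistake, and it catches the case where the domain is perfect but the mailbox is not.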

How do they know this information? It’s child’s play. Social media is a huge vat of public information. Consider too the many breaches that have happened in recent years; Adobe, LinkedIn and Yahoo are a few of the big ones. Just last month Marriott disclosed a breach affecting up to 500 million guests. While the perpetrators who orchestrate these attacks may be elite hackers, all that information is then sold on the Dark Web to lower-echelon criminals to do with as they please.

Your privacy has gone public and practically anyone can buy the shares.

We need to assume criminals have your information and not be surprised when they use it to exploit you and your business.

The ‘Human Firewall’ has become the most important component of your business cybersecurity plan. If you are not taking staff training about cybercrime seriously, it’s time you did. Here are a few tips to protect your business against phishing scams.

  1. Have regular security training. When I do training, I ask who knows what ‘phishing’ is. I would expect today that every hand goes up… but it rarely does. Ask your IT provider or call Tech Next Door about regular training on cybersecurity.
  2. Have a business-class firewall with advanced malware protection. Attacks can often be stopped before they even reach your device. Keep in mind that a plain-text CEO Fraud email carries no malware to detect, which is why the next tip matters just as much.
  3. Have firm but straightforward policies on communication, especially regarding moving money. For smaller companies it can be as easy as ‘A sum greater than x dollars must be verbally authenticated by management/CEO’, where the call is made to a phone number you already have on file, never to a number or contact given in the request itself. For larger companies, analyze your policies and look for loopholes that can be exploited.
  4. Enforce complex, unique passwords. A large number of attacks happen when cloud services with simple passwords are guessed (or when everyone in the company uses the same password). Where a service offers multi-factor authentication, turn it on, so a guessed password alone is not enough.
  5. Have multiple data backups and make sure at least one of them is offsite. Test that you can actually restore from them; a backup that has never been restored is a hope, not a plan.

Resolve not to be a statistic in 2019, and make sure your business is protected with robust business-class hardware, firm policies and committed staff training.

Joel LaRusic is Founder of Tech Next Door, an IT solutions and support firm dedicated to security-forward results. Small business is often low-hanging fruit for cyber-criminals. Joel and his team all share the same mantra – We’re sick and tired of people getting ripped off and now we are dedicated to protecting the vulnerable!