INDIANAPOLIS — Cathy Pitts, controller for Viking Plastics in Corry, Pa., saw a red flag when one of her suppliers emailed her an update about a shipment on its way to the injection molder of sealing systems.
The message said the supplier had a new bank account and requested that when she paid the attached invoice she should send the money there, and then change her vendor records.
The email addressed Pitts and a company colleague by name but still she was suspicious. She told Viking's program manager and project engineer, who are familiar with the supplier, about the payment change and they agreed something didn't seem right.
“Then we got another email,” Pitts told attendees of the Manufacturers Association for Plastics Processors (MAPP) benchmarking conference on Oct. 17 in Indianapolis.
The follow-up message addressed Viking's specific questions about the order they were awaiting last March.
“They were replying to our email and talking about the logistics of the shipment,” Pitts said. “All right, people change bank accounts every day. No problem. I sent the $10,000.”
She got a thank-you reply in return and an expensive lesson in the cyber crime of spear-fishing, which she shared in a unique way with the 450 people at the conference.
More than telling her story, Pitts wanted to raise awareness about how easy it is to fall prey to criminals who hack into an organization's computer network to get private information and official-looking emails that they use to bait a virtual trap.
With help from Viking IT manager Rob Prindle and the consent of Troy Nix, MAPP's executive director, Pitts sent a “spoof” email to 30 MAPP members supposedly from Nix asking for their birthdates.
“Of the 30 people, we got 22 replies. Seventy-three percent of you gave me your birth date. You gave me your personal information,” Pitts said. “Look at the email address. That is not Troy's email.”
Only one person, Jim Krause, vice president of new program development for Microplastics Inc. in St. Charles, Ill., questioned the email. He contacted the MAPP office and said he thought something was wrong.
Nix applauded the due diligence. He gave Krause $1,000 worth of books and tapes from the keynote speaker, Jack Daly, for doing his homework before replying.
Cyber criminals want birth dates because they are often used as passwords, personal identification numbers, and security questions sometimes ask for it to resend lost passwords. The personal information is valuable to identity thieves and other crooks trying to break into accounts.
In the case of Viking Plastics, the criminals hacked into the supplier's computer network to find out product shipment details to make their email and bank account request seem authentic.
“They did research on us and took over,” Pitts said.
She later learned a few steps everyone can take when an email comes with a red flag. First, let the cursor hover over the email address to compare it to the information in the pop-up box. They should be the same. Then, click on “file” and then “properties” and look at the “Internet header.”
The bogus email sent to Viking Plastics came from arabdoctors.ae.
“If only I had known to look, I would have seen that,” Pitts said.
She said the most important lesson she learned is to follow your instinct. She now recommends controllers and other finance officials:
• Have a pass code for you and your trusted contacts. It could be a phrase. Something only you know.
• Pick up the telephone and call a contact if you feel an email has a red flag.
• Have dual authorizations on fund transfers.
• Get to know someone in the fraud department of your bank.
“I didn't think it could happen to me,” Pitts said. “It did. Be careful.”
