A few weeks ago, I sent out an article sharing how Verne Harnish lost $400,000 on a wire scam. Literally – POOF – $400,000 of his hard-earned money was gone. Here is a link to that previous article in case you missed it: Defrauded out of $400,000
I wanted to share Verne’s follow-up to that article because he talks about what he learned from the experience. It is a must read for everyone. Please forward it to your friends and family who could be in danger of getting scammed. Like Verne says, “Don’t think that it couldn’t happen to you.” – Greg
(PLEASE READ)— Wow, first, hundreds of you emailed and shared similar stories – this problem is rampant. And we hosted a roundtable of CEOs at the Growth Summit to further discuss. So, what are the lessons:
1. I became cavalier/lax about security, thinking it couldn’t happen to me. HUGE mistake – and something the hackers bank on – we’re easy prey. Read Marc Goodman’s bestseller Future Crimes if my experience didn’t wake you up!
2. Assume ALL your email is being read – and with the “hole” announced yesterday in Microsoft Windows 10, giving hackers deep access (likely the source of my breach), I’m not sure you can keep email safe even using VPNs (strongly recommended, so I’m using them more diligently when I travel).
3. I say MIGHT because we don’t know. So, I’ve taken the position of Google and I’m building all our financial and sensitive information protocols around one assumption – NO email is safe. I’ve heard of many scams where invoices were intercepted and bank account info changed – so your payables department thinks it’s paying a regular bill and wires the funds to the wrong account – ugh. One firm was defrauded $10 million this way.
4. So, what do you do? It sucks, but ALL financial transactions are now reviewed by me via a PHONE call with TWO people. Then, I have to take the time, via my CEO Portal, to use my dongle (key) to OK the transactions.
5. NO sensitive info is sent via email – account numbers, credit card numbers, etc. – I make a phone call.
6. ALL bank wire info included on invoices is verified by PHONE with the supplier we’re paying before it is entered into our CEO Portal for dual authentication approval. Once it’s in the system, we then pay that vendor via that account – not what might be on a future invoice. And if they send a change of bank info, it’s verified via a PHONE call to the vendor (verifying the phone number online).
7. Sadly – 90% of theft is an internal job! So, build your protocols with this in mind as well. TWO people have to verify everything.
BTW, this is another use of the daily huddle – to verbally verify information. The short of it – you can’t trust email, no matter what you do.
And please read J. Paul’s email to me (figure the hackers already have!) – lots of additional info and stats around this cybersecurity problem. He shares how one company was defrauded $47 million in a similar scam to mine.
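To make the payables controls in lessons 4, 6 and 7 concrete, here is a small added example that is not from Verne’s post or from eSentire: a check that releases a payment only to the bank account verified by phone at onboarding (never to whatever account appears on an incoming invoice) and only with two distinct approvers, plus a change-of-bank step that refuses to record a new account until it has been confirmed by phone. The vendor name, account numbers and phone number are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    verified_account: str  # confirmed by phone at onboarding, never copied from an invoice
    verified_phone: str    # number looked up independently, not taken from the invoice


@dataclass(frozen=True)
class Invoice:
    vendor: str
    amount_usd: int
    account_on_invoice: str


def evaluate_payment(invoice, registry, approvers):
    """Return ("RELEASE", reason) or ("HOLD", reason).

    Two rules from the post: pay only the account verified on file (whatever the
    invoice says), and require two different people to approve each payment.
    """
    vendor = registry.get(invoice.vendor)
    if vendor is None:
        return "HOLD", "unknown vendor: onboard it and verify bank details by phone first"
    if invoice.account_on_invoice != vendor.verified_account:
        return "HOLD", ("account on invoice differs from verified record; "
                        f"treat as a change request and call {vendor.verified_phone}")
    if len(set(approvers)) < 2:
        return "HOLD", "needs two distinct approvers (phone review plus portal key)"
    return "RELEASE", f"{invoice.amount_usd} USD to verified account {vendor.verified_account}"


def apply_bank_change(registry, vendor_name, new_account, confirmed_by_phone):
    """Record a new account only after a call to the phone number already on file."""
    if not confirmed_by_phone:
        raise ValueError("bank change must be confirmed by phone before it is recorded")
    old = registry[vendor_name]
    registry[vendor_name] = VendorRecord(old.name, new_account, old.verified_phone)
    return registry[vendor_name]


# Constructed sample vendor; the account and phone number are placeholders.
REGISTRY = {"Acme Supplies": VendorRecord("Acme Supplies", "ACCT-1111", "+1-555-0100")}

if __name__ == "__main__":
    redirected = Invoice("Acme Supplies", 5000, "ACCT-9999")  # invoice with altered bank details
    print(evaluate_payment(redirected, REGISTRY, ["cfo", "controller"]))
```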
Verne – it’s been a while since we talked. I think we were doing an Acetech event together. Looks like all is good on your end, minus the hacking.
My firm, eSentire, is a cybersecurity as a service organization that I joined 6 yrs ago. So I feel your pain on the loss. There is even an acronym for it called business executive compromise (BEC). If you want to feel slightly less bad about it, check out the story on Ubiquiti Networks where they lifted $47m = one quarter’s earnings using a similar technique.
We were doing 800k per year when I started 6 years ago. We will finish this year with committed SaaS revenue of $30m. We secure over $3.5 trillion of Wall Street assets in hedge funds, PE firms, broker dealers as well as law firms, hospitals and many others. Point is everybody needs help. Ransomware will be the biggest challenge we have had to face as it has the best of the nastiest methods all rolled into one.
Day one we adopted the one page plan and it has been the only management tool/thing that survived the growth. I use it with new staff orientation and to get alignment. Call me old school – I like the retro version for us growing at 15-20% per quarter.
The reality is the government knows this is the single biggest threat to the US economy and we see the attack attempts 24×7 every single day. Mid-sized and emerging companies (majority of your subscribers) are the easy prey. Consider this – ransomware will generate $300m in Q4 alone – pays no taxes and outsources development. That leaves a lot of free cash to perfect their tradecraft. What a perfect business. And they probably stole the one-page plan to boot!
Anyways let me know if there is a way I can help.