According to authorities, an Atlanta resident, recently convicted for his part in a huge phishing scheme, helped to cause losses as high as $1.5 million at financial institutions. Targeted banks include the Bank of American, Chase Bank, and the Branch Bank and Trust Co, as well as ADP, a payroll processor. The man convicted, Osarhieme Uyi Obaygbona, had been charged with a variety of crimes including identify theft and two varieties of conspiracy. Obaygbona could receive fines as high as a million dollars in addition to five decades in prison for these offenses.
Although the convicted phisher has not yet received his sentence, the severity of the possible consequences indicates the government's determination that these crimes are very serious indeed. Small and medium-sized businesses would do well to take just as seriously the prospect that eventually their own operations could be subjected to similar attacks. Indeed, IT security is one of the most pressing needs facing many SMBs during this time of rapid transition to ways of doing business that rely more and more heavily on IT solutions such as online workflow, unified communications, cloud computing, and virtualization.
The phishing attacks in this case sent users to webpages that used spoofed addresses or that had been faked in some other way. The webpages in question had been designed to have the look and feel of a legitimate banking or other financial site. Consumers who visited the spoofed sites believed it safe to enter information such as user names, passwords, and even Social Security numbers, mothers' maiden names, and dates of birth. With this type of information, cyber criminals can readily access accounts to withdraw or transfer funds; they can also commit identity theft against account holders.
Such schemes affect business users as well as end-consumers since phishing attacks can also be used to lure employees into accidentally disclosing information that could be detrimental to the company. A phishing attack that successfully harvests user log-ins for a remotely accessible network could open up private databases filled with customer information, for example.
Although no IT risk management system can be guaranteed to be 100 percent foolproof, SMBs can more effectively protect their information assets through a managed security approach. Through managed security, internet sites accessed by employees can be monitored and even blocked. This can help to reduce the incidence of visits to spoofed sites because entire ranges of internet addresses known to belong to IT security ‘trouble spots’ around the world can be blocked en masse if desired.