One wrong click with the mouse cost DKK 100,000
An IT fraudster found out the log-in code and password of an academic assistant at AU via a so-called phishing mail. The fraudster then ordered trips costing DKK 100,000 from a travel company called CWT, charging them all to AU.
“This kind of serious IT fraud when things go badly wrong is rare,” reports information security manager Ole Boulund Knudsen from AU IT.
The academic assistant concerned did not wish to contribute to this article, so Ole Boulund Knudsen explains what happened – his main point being that this kind of thing could happen to anyone in the course of a busy working day.
“The member of staff concerned wanted to change his password, so he looked in his in-tray for a mail explaining how to do this. He opened a false mail, known as a phishing mail, which sent him on to a false site looking very much like AU’s web mail portal.”
He still didn’t smell a rat, so he entered his user name and password and was sent to AU’s real web mail portal. This made him think that he had entered the wrong code. So he tried again, and this time he gained access to his in-tray.
“It wasn’t until he started getting mails from AU’s travel company CWT that he realised something was wrong. These mails deleted themselves automatically, but he couldn’t see them in his list of deleted mails. So he changed his password again,” explains Ole Boulund Knudsen.
The member of staff contacted CWT, who told him that his user name and password had been used to purchase trips from South Africa costing about DKK 100,000. This was possible because he had a non-active account at CWT which could be activated by using his password and user name. The fraudster had gained access to this information via the phishing mail, so the account could be activated and trips could be ordered and charged to AU’s account.
Change of procedure
The event means that the AU Accounts Department may change its procedures to prevent similar cases in future, explains Arne N. Skov, who is a senior consultant at the AU Accounts Department.
“The fraud was made possible by a series of unfortunate coincidences. The fraudster was able to assume the identity of a member of the AU staff by using their user name and log-in code. They also gained access to a non-active travel profile and were able to utilise it. And finally, they got hold of the department’s EAN number and used stolen credit card information.”
“This is the kind of case that makes us review our security procedures so we can prevent similar situations in future. And we have now adjusted the set-up of our IT systems and procedures to try and achieve this,” explains Arne N. Skov.
Be on your guard
Ole Boulund Knudsen wants both staff and students to protect their user name and password with extra care.
“People should regard it as a pin code. It gives you access to a great deal of sensitive information and internal IT systems. Fraudsters are getting better and better at producing mails and websites that look exactly like the real thing – so we all need to be on our guard,” he concludes.
Don’t get caught out
- Check the sender of all mails. You should only open mails and links sent to you by people you trust. Mails about changing your password will only be sent by an AU sender.
- Check the links. Links to AU addresses will almost always end in “au.dk”.
- Got any doubts? Call and ask the department in question whether they have sent you a mail – or contact your nearest IT support desk.
- If things go wrong contact your nearest IT support desk as soon as possible.
- Read more about phishing mails and get good advice about how to make a good password at informationssikkerhed.au.dk