Dear Healy Consultants Team,
In October, Healy Consultants Group PLC experienced a cyber-crime.
I recommend you read below to help you be on alert for future fraudulent emails.
The server of a Dubai Client got scammed by a hacker. The hacker saw the communication between Apurv and the Client.
The hacker communicated with Apurv via Client emails and requested the Client’s in-house Accounting and Tax Department to pay US$ 5,000 to a Spanish bank account.
The Management Team, IT Department and Dubai office investigated this matter.
Warning to all Staff
Find below a list of guidelines to follow to protect our e-commerce business against cybercrime:
- Do not share your email and Dropbox passwords with your colleagues (except with Venkat, Donovan, Jessie, Mark, when requested via video call).
- When you forward a confidential email or share a Dropbox folder with your colleagues, create a new email / Dropbox folder and share only the required and relevant information. Do not forward the entire email thread or give access to the entire folder.
- Make sure you protect your Outlook and Dropbox access with a password that cannot be easily guessed. Do not share this password, except with Donovan, Mark, Jessie or Venkat.
- On a regular basis (every 3-6 months), change this password to a new one. The new password should not be similar to what you used before. Use password generators to generate strong passwords.
- Make sure you have anti-virus software on your desktop, laptop(s) and phones, and update it regularly. Please contact the IT team if you are unsure whether an antivirus program is installed on your PC.
- Do not access your HC email address or Dropbox from an unsafe location (e.g. public Wi-Fi in a shopping mall or restaurant) or from a device that you do not normally use for office work (e.g. spare personal PC, spouse’s/friend’s/roommate’s PC etc.)
- Do not download or store confidential information (e.g. Client corporate documents) on your computer / phone / tablet. Clear your Downloads / Desktop / Documents / Recycle Bin folders once a week.
- If any item that you used to access HC data is stolen or lost, report the same immediately to the IT team and Management Team. We will assist you to i) file a police report ii) determine legal and litigation risk and iii) mitigate the same.
- Never disclose any confidential information re Healy Consultants or our Clients outside of Healy Consultants, unless the Client authorized you to do so. This includes but is not limited to i) your family ii) your friends.
- Before clicking on a link or downloading a document, always ask yourself if there is a risk of a phishing attempt / malware. Be extra vigilant when you work on emails in your Junk folder. Make it a practice to hover over and read the link before clicking on it. If you suspect you may have been the victim of phishing, report the same immediately to the IT team and Management Team.
- The IT team will usually not send a password expiry notice or any notice related to your email account or Dropbox account without prior notice. If you receive such emails, report them to the IT team for investigation.
- Always make sure you are replying to the Client’s/bank’s original email address. Hackers that want to impersonate a Client may do so from an email address that is 99% similar to that of the Client or bank.
- Take note of any inconsistent, unusual or changing communication patterns from your Client, for example suddenly using wording or writing styles which appear unusual or which are out of character.
- Ensure that you lock your laptop screen when leaving your desk (Ctrl + Alt + Del or Windows + L). Set up auto lock after X min.
- As a general practice, add the correct/original email ID to your Outlook Contacts (right click on the email and save).
- Do not select "stay logged in" or save a password when you access Office 365 online. Always clear the login history and clear the browser.
- Check your email rules in Outlook and rules on outlook.office.com. If you find any inappropriate rules or ones you did not create, click on them and then click the Delete button. Report the same immediately to the IT team and Management Team.
- Inform the IT team and Management Team when you receive an email notification from Dropbox stating that your account has been logged into from another country.
- Print personal and confidential documents only when necessary. Collect the printed papers as soon as you have initiated the print request. Do not leave the documents unattended in the print area. Discard confidential documents from the printer area by tearing them into small pieces or shredding them; do not mix those papers with other waste printed papers.
- Always contact the IT team when you plan to give access to your Dropbox folders to outsiders (Clients / Suppliers) with read, edit and upload access. When the task is complete, revoke access and delete the folder.
- To reduce incoming spam, refrain from using your Healy Consultants email address for personal use. Do not submit your email address in a public domain. Do not subscribe to newsletters or groups created by Suppliers or third parties unless necessary.
- Beware of well-known phishing emails such as: password expiry notice, voicemail notice, SharePoint access email, WeTransfer access email, Dropbox access email, Google Group email, etc.
- Get to know about multi-factor authentication. Contact the IT team for implementation.
- Use app locks for our email app when using it on phones and tablets.
- Report all spam/phishing messages to Microsoft using the Report tool. This helps Microsoft to fine-tune their spam protection.