of information that can be highly lucrative and that tend to be
targeted most often by cyber criminals. Given that credit card
information is not or at least should not be stored at the club, it
is rare that criminals would be targeting clubs for these.
The more common way to target clubs’ information is to gain
access to their information and encrypt it. This is usually done
by sending illicit email, or someone gaining access to one of the
computers within the club. Criminals execute the program that
scans all computers at the club and encrypts all the files by adding
extra ones and zeros, almost like you protect your sensitive
financial files with a password. If you do not know the password,
you cannot access the files. The illicit program would put the
password on each file and leave you with the note to email criminals
to get that password.
It is almost like changing the locks on your house – everything
is in there, but you are not able to get it. With technologies
that we have today, it would take one billion years to break this
kind of encryption. Companies that claim that they can break the
encryption are misleading at best. The only way to get your data
is either pay the criminals to get the password or to restore your
data from a backup. This is why every club must have a backup of
a backup of a backup of their data.
The third way that is making its rounds is through
social engineering. Social engineering is a way to manipulate
employees of the club. An example of this would be tricking an
employee into believing they are getting directions from higher
management or getting directions from vendors. Criminals
would prepare by scouring the Internet, specifically the clubs’
websites as well as LinkedIn pages, to gather information about
its employees. For instance, an employee would receive an email
Unfortunately, we learn of
these attacks when someone
falls victim to them, which
is also when we learn and
develop ways to prevent
them from happening again.
alexandersikov/123rf
FEATURE
from a general manager asking to purchase gift cards. Usually,
these emails are poorly organized with the general manager’s
name but a bogus email address used, i.e., Denis Kateneff,
manager56234@icloud.com. Always check an email address
when receiving unusual requests.
More sophisticated attackers target accounting departments,
asking to divulge members’ information, and then later target
members asking for money pretending to be club employees.
Another well known but still effective attack targets controllers,
asking them to wire money at request of the general manager.
I’ve recently come across a new type of cyber-attack, where
criminals pretend to be a vendor asking accounts payable to send
payment to different bank. These require even more work on the
criminal’s end that usually starts with picking the password of
an employee and reading their emails. They will pretend to be
a vendor by creating similar domain name, i.e., clubsupports.ca
versus clubsupport.ca
Unfortunately, we learn of these attacks when someone falls
victim to them, which is also when we learn and develop ways
to prevent them from happening again. The IT industry always
plays catch-up – it is the nature of the relationship between the
cyber criminals and the guardians of the information. This is not
a unique set-up; the police and criminals they protect us from
have the same dynamic.
There is no simple plan that will prevent all the future
incidents, but there are a number of steps that should protect you
from known cyber security challenges. The real way of managing
cyber security is to go from incident to incident with minimal or
no losses.
CMQ § Spring 2021 § 33
/clubsupports.ca
/clubsupport.ca
link