I was on a Zoom call when the email dropped into my inbox. It came from a clerk in our accounting department. I didn’t bother to check the subject line as I idly clicked it open, hoping for a brief distraction from yet another video meeting.
“We’ve already printed checks for this week’s scheduled check run,” the message read. “If you are asking for a ‘special’ check to be done, you’ll need to talk to [a supervisor in the accounting department].”
Huh? I had no idea what she was talking about. But a quick scan of the forwarded message attached to that one clued me in. It was directed to the accounting clerk.
Beneath a subject line of “Due Invoice,” the message asked, “Is there any possibility that you can cut check today?” It was signed by me.
Wow. The position of interim president of the Oklahoma Medical Research Foundation hadn’t come with a lot of bells and whistles. I still sat at the same desk and tapped away at the same 7-year-old laptop to compose these columns. I continued to order the same lunch in our Research Café and took it out into the same courtyard, where I continued to eat with my same coworker pretty much every day.
But I guess I’d finally made it. Because scammers were now impersonating me, trying to use my status in the organization to prod our accounting folks to cut them a bogus check.
In the realm of cybercrimes, this effort was pretty crude. And it didn’t go anywhere. But it was far from an isolated episode.
According to the FBI’s Crime Complaint Center, complaints of suspected internet crime climbed by more than 50% from 2019 to 2020, to almost 800,000. All told, they resulted in reported losses of more than $4.2 billion.
Among the top ploys were, not surprisingly, phishing scams. OMRF Vice President and Chief Financial Officer Tim Hassen (my aforementioned lunch buddy) says it’s a rare week he doesn’t get at least one bogus request to wire funds, cut a check or otherwise siphon money from the foundation.
To combat the constant barrage of scams, OMRF’s information technology department runs regular tests for all employees. These consist of fake phishing emails whose goal is to get recipients to bite. Although OMRF Chief Information Officer Brent Keck regularly reminds us, “If in doubt, don’t click,” we don’t always listen.
Or at least we didn’t. From 2016 through 2019, Brent and his team did such a good job creating clickbait that OMRFers consistently fell for the fake scams at rates of 10% or more. But in the last two years, we’ve wised up, to the point that our institution-wide failure rate is only 1.4%.
“This is good news,” wrote Brent when he delivered the latest statistics, calling them “a significant milestone.” And they are. But they’re anything but a signal that we can rest easy.
We recently retained a cybersecurity monitoring firm to police our network against potential attacks. OMRF is in the process of upping our insurance coverage for losses stemming from cyber events of all types. We also have coverage for so-called “social engineering” scams, which the federal agency in charge of cybersecurity describes as an attack that “uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”
Still, we hope never to use these policies. The best defense is to stop cybercrimes before they happen, both through the latest technology and regular training of our workforce.
To avoid the plight of my father, who had to hire a cybersecurity firm to unlock his iMac after hackers hijacked the computer and demanded a ransom, medical research provides a useful model. Like the pathogens scientists spend their careers studying, cyber criminals’ attacks continue to evolve. If we want to keep them at bay, we must do so as well.
Adam Cohen is OMRF’s senior vice president & general counsel and interim president. He can be reached at firstname.lastname@example.org. Get On Your Health delivered to your inbox each Sunday — sign up here.