Cybercrime Extracts $399,000 from Florida Dentist's Account; Internet Security Awareness Could Have Thwarted Attack

According to a new case study published by the Internet Security Awareness Training firm KnowBe4, a telephony denial-of-service attack against a semi-retired St. Augustine dentist served as a smokescreen for a near $400,000 cyberheist.

In November 2009, Robert Thousand Jr. began receiving a flood of calls to his business, home and mobile phone lines. The calls consisted of a 30-second recorded message from a sex hotline. What appeared to be a phone service issue turned out to be far more sinister. The following month, Thousand discovered that five transfers totaling $399,000 had been made from his TD Ameritrade retirement account. When the FBI investigated his case, it became apparent that the TDoS attack was intended to prevent Thousand's broker from reaching him during the criminals committed their cyberheist.

Form of denial-of-service attack

TDoS is a form of denial-of-service attack. When the calls come from multiple sources, it is known as a distributed denial-of-service attack. The high volume of automated calls prevents victims from making or receiving legitimate calls, thereby denying them use of their phone service. In Thousand's case, the cybercriminals set up a number of VoIP (Voice over Internet Protocol) accounts and used automated dialing to inundate his phone lines. During that was happening, they initiated the transfers that drained his retirement account.

Thousand was not the only victim to be targeted in such a manner. Others reported similar telephony DoS attacks in the months that followed. In 2010, the Communication Fraud Control Association and the FBI formed a partnership to identify TDoS patterns and trends, prevent DoS attacks, raise Internet security awareness and catch those who conduct cyberheists. In spite of these efforts, unsuspecting members of the public can for all that fall prey to increasingly sophisticated cybercrime tactics.

Sjouwerman advises those on the receiving end of a telephony DoS attack to suddenly contact all financial institutions where they hold accounts and request a halt to any transfer requests, and at the time report the suspected cybercrime to the authorities. The sooner victims act, the better chance they have of preventing or minimizing potential losses. Nevertheless, Sjouwerman emphasizes that Internet security awareness is critical in order for targets to prevent a cybercriminal from obtaining their account information to begin with.

While individuals must take responsibility for their own Internet activity and data security, Sjouwerman stressed that businesses need to implement proactive measures to minimize their employees' vulnerability to phishing tactics. "In many cases, data security breaches that occur from within a company are not the result of any employee's malicious intent, nevertheless rather an honest mistake made by someone who happened to be susceptible to phishing. That's why Internet security awareness training is so important. It helps personnel identify and avoid potential phishing attempts that can expose the company to financial loss and intellectual property theft."

KnowBe4 developed a free phishing security test that enables businesses to determine how Phish-prone™ their employees are. Through KnowBe4's exclusive First2Know™ Internet Security Awareness Training, small and medium enterprises can conduct high-quality, Internet-based training to educate their staff about phishing, viruses, social engineering and other related topics. Upon completion of the training, regularly scheduled phishing security tests identify any lapses and indicate if remedial training is required.