
How Botkeeper does IT security

You hear a lot about the technical end of cybersecurity—two-factor authentication, firewalls, encryption—but not nearly as much about what is often the weak link in any cybersecurity plan: people.

When your staff isn’t familiar with what a scam looks like when it crosses their communications, they can be inadvertently tricked into making a mistake that opens your business to theft and a world of hurt. When they are familiar, however, you have a great line of defense against the things that go bump on the internet.

And sometimes, those employees get a little sick and tired of dealing with scam artists, and fight back the only way they can—by stringing the crook along until they give up. A Botkeeper employee recently received a text message purporting to be from our CEO, Enrico Palmerino. They recognized it was a scam, and rather than just blocking the caller and reporting the incident, they decided to entertain themselves for a bit by engaging the criminal a little.

 

What follows is the text of the conversation.

 

Scammer:

Hi, [name of employee redacted]
Do you receive my text?

 

Employee:         

Who is this, please?         

 

Scammer:

Enrico
This is Enrico Palmerino
I need you for an urgent task

 

Employee:         

Oh wow, urgent, huh?         

 

Scammer:

Where are you right now?

 

Employee:         

I’m at the office still         
Where are you?         

 

Note—this employee is not located near our offices and works from home.

 

Scammer:

I need you to check something for me from the nearest store.

 

Employee:         

You mean the Walgreen’s downstairs?         

 

Scammer:

Yeah.
Help me confirm if they have apple store cards in high quantity.

 

Employee:         

Oh yeah. They do, I grabbed one this morning for the new client.         
What do we need, like $10,000 worth?         
They probably have about that much.         

 

Scammer:

Text me when you get there to confirm what they have in stock.

 

Employee:         

Oh okay.         

 

Scammer:

Send me the pictures of the denominations they have.

 

Employee:         

Hey, so I was wrong. But they do have cards for Williams Sonoma.         
Clients like those.         

I got this great crock pot once.         

I think they carry all kinds of sauces, too.         

Do you think the client might want sauces?         

There’s BBQ, Hoisin, Sweet and Sour…         

 

Scammer:

Send me pictures of what they have on the racks.

 

Employee:         

Oh wait, I’m just thinking about the Asian sauces.         

We could probably get Mexican sauces. You know, like hot sauce.

Okay sure.

                 

 

Employee:         

Oops wait, that’s not right. Hold on.         

         

 

Scammer:

It is easier to send picture.
Send me pictures of what they have.
I need to confirm quick.

 

Employee:         

Oh! They have a whole thing of like Bearnaise over there, too. Soo creamy.         

I’ll try again, hold on.         

         

 
 

Employee:         

Oh damn, that’s my dog. Grr. So annoying.         
Hold on, lemme restart my phone.         
Think about the sauces though while I restart.         

 

(Some minutes pass)

 

Employee:         

Okay. I got the store manager, he’s trying to take a photo to send to me.         
Or I can give him your number.         
What do you think about the sauces? Hold on.         
Okay, the manager says he agrees that Williams Sonoma is the best bet.         
They have like, $15,000 in those cards, which would buy us a ton of sauce.         

 

Scammer:

Send me picture of it.

 

Employee:         

Ha! He was just telling me about how his grandma dropped a whole jar of sauce
at Thanksgiving last year, and they gave her Williams Sonoma cards so she         
could pick out new sauce.         

Ok.         

He’s trying to take a photo now. I gave him your number, he’ll send it to you in a sec.

Okay, he just sent it. They really do have a ton of them.         

It’s so weird, you’d think people don’t like sauce or something.

We good? I have the corporate credit card. Finance just paid it off, so there’s all
$250,000 available. Which is more than enough for sauce cards from         
Williams Sonoma.         

 

Scammer:

I didn’t get the pictures.

 

Employee:         

No? Weird. Hold on…         

OMG, he accidentally sent the photo to his grandmother!         
Probably because he was thinking about the sauce story. Sit tight, it’ll be right there.

I’m supposed to use the MasterCard, right? Should I just buy these         
Williams Sonoma cards regardless?         

 

Scammer:

I need apple gift cards now sonoma

 

Employee:         

So—Apple AND Williams Sonoma? Wow, super generous! The clients will love that.         

Okay, I’ll buy the lot. Use the MasterCard?         

 

Scammer:

Bye.

 

Employee:         

Wait, Enrico, hold on. I think I got the photo to work…         

 

Scammer:

Why is it so difficult to listen to my instruction?

 

Employee:          

Oh, not difficult at all! Just having some phone issues. Sit tight.          

          

(the employee downloaded a photo from the internet)         

Employee:         

Can you see that?         

 

Scammer:

Yeah

 

Employee:         

They have Chick-Fil-A too!         

 

Scammer:

I don’t see any apple gift cards on the rack.

 

Employee:

They have app store cards. Want me to try another store?         

 

Scammer:

Can I see the app store card

 

Employee:         

Oh wait, they have Starbucks. You could do coffee.         
App Store cards are the blue ones, lower right.         
$30, $50, $25         

 

Scammer:

What’s the values on the amazon cards

 

Employee:         

Hmm lemme see. $25, $50, $100         
And you can DEFINITELY get sauce from Amazon.         
Probably ketchup, even.         

 

Scammer:

Send me clear picture of the amazon card on the rack.

 

Employee:          

     (who happened to have one handy)         

         

 

Employee:         

Ugh, it’s not working. But they have $25, $50 and $100.         
How many do you want?         
Which credit card should I use?         

 

Scammer:

Purchase 3 of 100$ amazon

 

Employee:         

Just 3? They probably have 40. Should I grab the Williams Sonoma, too?         
Dude, the whole credit card is empty. I could buy every card in the photo!         
Wait, the manager is back.         
Ok, he says Williams Sonoma is doing all the fall sauces now.         
So like pumpkin spice and all that stuff.         

 

How many should I get?         

 

Enrico? I mean—Mr. Palmerino?         

 

Scammer:

Just the 3 Amazon.

 

Employee:         

Ok! Where do you need me to send them?         
Hey—can I grab a Williams Sonoma one for myself? Just a $10.         
You know. For sauce.         

         

 

Scammer:

It’s alright. Send me clear picture of receipt.

 

Employee:         

Oh sweet! Thank you! Listen, I don’t want to frustrate you,         
but my camera is NOT working right. Happy to read the receipt to you, though.         

 

Scammer:

Lol. You’re a clown.

 

Employee:         

What do you mean?         

 

Scammer:

You’re too funny.

 

Employee:         

Hold on, almost checked out. Okay, what do you need from the receipt?         
The total was $334.28 (counting my Williams Sonoma Card!)         

 

Scammer:

Send me picture of everything you purchased with the receipt.

 

Employee:         

Okay, I’ll try…         

         

 

Employee:         

So weird, it’s like sending random photos from my album.         

 

Scammer:

You can just take the pictures direct and send to me.

 

Employee:         

I’m trying. Sit tight.         

          

 

Employee:         

Hahahahaha oops! But hey, SAUCE!         
I have pics of all my sauces.         

 You know what though? I don’t think this is going to work.         
In fact, I quit. Go have Robbins do this. He hates sauce.         

I’ll keep the cards though, thanks!         

 

Scammer:

Okay, a**hole.

 

We thought this exchange was pretty funny, but imagine the damage that could have been done if the employee had failed to recognize the danger. It’s easy to trust all the technological protections available these days, but it’s important not to overlook keeping your staff in the loop.
That means thorough training on proper protocols in communication, what information you should and shouldn’t transmit, and how to confirm a communication is what it seems to be.

 

Botkeeper’s automated bookkeeping solution takes security seriously, with industry-standard SOC2 Type 2 accreditation, two-factor authentication, and 256-bit encryption for data at rest and data in transit.

 

If you’re interested in learning more about keeping your organization safe, download our eBook, “Client Data Security Best Practices.”

 
