Security professionals have to prepare their organizations for any number of threats, both physical and cyber. As such, it’s imperative to create a comprehensive map of your business’s attack surface, and develop strategies that protect your assets, including people, infrastructure, and data. But with attention-grabbing headlines focusing on major security issues (active shooters, ransomware) it’s all too easy to forget about the nickel-and-dime, low-tech scams that are a little harder to spot.
On Tuesday, Connecticut’s Attorney General, William Tong, and Secretary of State Denise Merrill issued a statement warning of a snail mail scam targeting businesses in the state. As NBC Connecticut reported, the “illegitimate business mailing [tells] companies they must pay a fee to obtain a document that companies are not actually required to have.”
The letter was sent by an organization calling itself the CT Certificate Service, and it states that the recipient must pay a $112.50 fee to obtain a “Certificate of Existence.” The malicious letter states that the certificate proves that the business complies with all requirements set out by the state.
While the state does issue these certificates, they are not required to operate a business in CT. Instead, according to Tong and Merrill, the certificate shows that an organization is “active and up-to-date with its report filing.” Legitimate certificates of existence are available through the Secretary of the State’s office, for fees ranging from $40 to $120, depending on the organization requesting the document.
The threat actors involved in the incident used techniques similar to those in e-mail phishing attacks; the letter was sent in an envelope labeled with language like “Important-Open Immediately” and “Time Sensitive” to evoke a rapid, emotional response to get the victims to comply without questioning the identity, motive, or even the existence of the sender.
Additionally, the attacker kept the requested monetary amount consistent (though, at the higher end) with the actual cost of the legitimate documents. This tactic increases the likelihood of an unsuspecting employee or business owner simply paying the fee without conducting due diligence.
In the end, it’s important to implement strong access controls, utilize threat detection platforms, and to train your organization to properly handle physical and cybersecurity threats. It’s just as important, however, to not only be aware that snail mail-based threats exist, but to train employees to detect and report them.