In May, Color Graphics (PPAI 278802, D6) was infiltrated by cyber criminals in separate incidents. False orders were placed through the distributor’s account with a large apparel supplier, half of which were only noticed after it was too late. The false orders that did ship totaled $35,000 worth of products.
The hackers managed to place an order under the distributor’s Augusta Sportswear (PPAI 187246, S5) account as well, which was noticed and prevented.
The Incidents:
• According to Color Graphics, the perpetrator hacked into Color Graphics’ account on the first supplier’s website and initiated six orders totaling $70,000.
• “What happened is they went into the system, they knew our password, they created a new user ID, and then they changed the confirmation email, so we didn’t see any of these confirmations,” says Voshte Demmert-Gustafson, Color Graphics’ president.
• Despite not receiving a confirmation email, an accountant for Color Graphics noticed the order and was alarmed to see that there was no purchase order associated with it. It was after business hours, but Kiley Gustafson, Color Graphics’ vice president, managed to work with FedEx to cancel three of the six orders before they were shipped. It was too late to stop the other half of the order, however.
• Gustafson also alerted the local police and filed a case report. For the next three weeks, he was in contact with local police from the shipment’s origin as well as Washington state. He says that police have told him that the intended shipping location was a known criminal location.
• Weeks after the first incident, a similar attempt was made with the distributor’s Augusta Sportswear account, but the crime was noticed and prevented in time.
• Both attempts relied on knowing Color Graphics’ passwords, obtaining access to its accounts, and turning off any notifications that might immediately make the company aware of the crime.
What The Company Learned
Demmert-Gustafson says that there’s a hint of embarrassment around being hacked, but the company agreed to share the story to help others in the industry understand how real the threat is. Indeed, cybercrimes are becoming an increasingly imminent reality for companies inside and out of promotional products.
“We want to be vulnerable [by discussing the incident] to let people know this is happening and our industry isn’t above it,” Demmert-Gustafson.
• Protect your passwords: Color Graphics had already taken precautions before being hacked, but has updated its IT policy regarding important passwords. The company will change those passwords with increased frequency going forward to throw more obstacles in hackers’ way.
• Consider cybersecurity insurance: Fortunately, Color Graphics has a cybersecurity insurance policy. Policies held by Color Graphics will cover the financial damages. “Any business owners who don’t have cybersecurity insurance, I would highly recommend it, especially nowadays,” Gustafson says. “It’s a way to protect your company from something like this.”
The Supplier Perspective
PPAI Media is not naming the supplier involved in the original incident because the business was not at fault but could be negatively impacted by news of the fraudulent order. Representatives from the supplier communicated to PPAI that the bad actor logged onto its website using an existing valid username and password originally created and approved by Color Graphics.
From the supplier’s point of view, nothing would have looked particularly out of the ordinary in this scenario.
• The hackers’ attempt to ship Augusta Sportswear products were noticed and ultimately prevented. The supplier has industry advice for dealing cyber security as such hacks can potentially happen on both the distributor and supplier ends.
“It is great to have multiple layers of security with robust firewalls, multi-factor authentication, and endpoint security on all devices,” says Brian Deissroth, senior key accounts manager at Augusta Sportswear. “However, 90% of major security breaches start with phishing attempts, and bad actors fooling users can negate a lot of your security measures. Because of this, we spend a lot of effort training and testing our users’ cyber security skills.
“People think of email when it comes to phishing, but we are seeing a large increase in text messages, chat notifications, and even Zoom meetings where bad actors are trying to manipulate people into taking an action.”
Additional Tips To Protect Your Company:
Most cyber hacks will fall under one of two categories: ransomware or business email compromise (BEC). Ransomware requires more technical sophistication, while BECs will use social engineering to gain access to payments. It is becoming increasingly possible that certain cybercriminals will implement both tactics.
We asked for further advice from Paul Elfstrom, PPAI director of IT, and Mike Pfeiffer, VP of IT at American Solutions for Business and chair of PPAI’s Technology Committee.
• “Enforce the mandatory use of multi-factor authentication on every email account your company uses and every third-party you choose to conduct business with,” Pfeiffer says. “At American Solutions for Business, we have enforced mandatory MFA for all email accounts for years. We are aggressively working with our vendor partners and customers, strongly urging them to do the same. It is simply the cost of doing business today.”
• Elfrom says, “Protect your email first. Strong passwords and two-factor authentication are a must for email accounts. Next, train your employees. They should have some level of security awareness training, especially key individuals that handle financial transactions or have the authority to make financial decisions. And don’t forget about HR. Employee information is just as important to protect.”