Promotional products businesses have learned to be on the lookout for scams and fraudulent orders. Industry professionals are generally quite vigilant, but scammers can slip through the tightest defenses. A recent example is distributor Promotional Marketing Services in Athens, Georgia, which unexpectedly fell victim to a sophisticated phishing email scam that took time, effort and money to resolve.

In this case, hackers took over the company’s email system and sent out an email, with a staff member’s signature to give it more credibility, whose subject line requested an RFP. The embedded link led to an Adobe Spark page that, while looking legitimate, contained a virus. The hackers used their email list to send out more than 1,600 messages and, to keep the company from being aware of the intrusion, added a rule to the email settings that automatically marked incoming messages as “read” and moved them to the “deleted” folder. This type of exploit escapes firewalls because it comes from a trusted email address and Adobe Spark is widely considered a trusted product. When email recipients began responding with questions, like “Is this a valid email?”, the hackers would respond as if they were the company, assuring them it was valid.
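An added example (not part of the original article, and not GoDaddy's or Microsoft's own procedure) of how an administrator could audit Microsoft 365 mailboxes for the kind of hiding rule described above. The function name, folder list and sample rules are constructed for illustration; the property names are assumed to match the objects returned by Exchange Online's `Get-InboxRule`.

```powershell
# Flags inbox rules that hide incoming mail from the mailbox owner:
# rules that delete messages or move them to a folder nobody reads,
# rated High when the rule also marks the messages as read.
function Find-HidingInboxRule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Rule
    )
    begin {
        # Assumption: English folder names; extend for your tenant's language.
        $hideFolders = 'Deleted Items', 'Junk Email', 'RSS Feeds', 'Conversation History'
    }
    process {
        $reasons = @()
        if ($Rule.DeleteMessage) { $reasons += 'deletes the message' }
        if ($Rule.MoveToFolder) {
            # Substring match, because the value may carry a mailbox prefix.
            $folder = "$($Rule.MoveToFolder)"
            if ($hideFolders | Where-Object { $folder -like "*$_*" }) {
                $reasons += "moves the message to '$folder'"
            }
        }
        if ($reasons.Count -gt 0) {
            if ($Rule.MarkAsRead) { $reasons += 'marks it as read' }
            [pscustomobject]@{
                Mailbox  = $Rule.MailboxOwnerId
                Rule     = $Rule.Name
                Enabled  = $Rule.Enabled
                Severity = if ($Rule.MarkAsRead) { 'High' } else { 'Review' }
                Why      = $reasons -join '; '
            }
        }
    }
}

# Constructed sample rules (not real data) shaped like Get-InboxRule output.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'staff@example.com'; Name = '.'; Enabled = $true
                       MarkAsRead = $true; DeleteMessage = $false; MoveToFolder = 'Deleted Items' }
    [pscustomobject]@{ MailboxOwnerId = 'staff@example.com'; Name = 'Supplier newsletters'; Enabled = $true
                       MarkAsRead = $false; DeleteMessage = $false; MoveToFolder = 'Newsletters' }
)
$sampleRules | Find-HidingInboxRule | Format-Table -AutoSize

# Against a live tenant, after Connect-ExchangeOnline:
# Get-EXOMailbox -ResultSize Unlimited |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
#     Find-HidingInboxRule
```

Only the first sample rule is reported, with severity High. A rule flagged this way that the mailbox owner does not recognize is a reason to treat the account as compromised, not just to delete the rule.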

“It seems that the hackers want access to the email addresses although I'm not sure for what purpose,” says Lori Lord, president and owner of Promotional Marketing Services. “As a distributor already dealing with additional work with the supply chain issues, I spent two days and a great deal of money to deal with this.”

Lord inadvertently discovered the scam when phone calls began coming in. “My team and I were meeting for our monthly luncheon and our office line began to ring a lot. The calls were coming in to ask about this email they had received. So, we immediately knew something was wrong. The first thing we did was change our voicemail message to explain what happened, and then we sent an eblast to our entire contact list letting them know we were hacked and not to open this email,” she says.

“Next was the call to GoDaddy Office 365. They manage our Microsoft email accounts, and I was lucky enough to get an awesome rep on the line who spent an hour and a half with me, walking me through the process of digging into the deep settings of our email accounts—we have four—and determining what was happening. Between the time on the phone and the cost of the additional protection we added to our accounts, it was approximately $1,000 to resolve. Then came the task of contacting all of the clients and suppliers whose systems had blocked our emails from coming into their servers. That was more time, energy and delays in getting orders processed. It was a domino effect of the hacking event, and we are still dealing with some of that now.”

Lord also notes, “While I was talking to the GoDaddy rep, he asked me what industry I was in. When I told him, he said that he had just talked to another person in the same industry who had something similar happen. So, is the promo industry being targeted by these hackers?”

A previous PPB article, “Scammers Vs. The Promo Industry,” outlined some of the ways scammers prey on promotional products companies and how industry businesses can respond. In general, here are a few things to look out for whenever doing business online:

  • Look for poor spelling or grammar in emails.
  • Notice whether they ask for personal details in an email; your bank will never ask for security information or account information in an email.
  • Don’t open attachments or click links if the email is from someone you don’t know or if you are not expecting the email.
  • Be wary of orders from new customers submitted through your website. Scams often start with asking for a quote on a large quantity of items, especially USB drives and blank t-shirts.
  • Do not reply to spam. Educate your staff on this practice, too.
  • Practice good security measures. For example, create a strong password and do not reuse your email password on other services. Enable encryption in your email settings. Use antivirus software and keep it updated, and set Windows to automatically update or install all security updates. Use a reputable company to host your email and ecommerce.
  • When shipping offshore, be wary of a shipping address that is a private residence. Research the address on Google Maps, which often provides snapshots of what a building looks like. Sometimes this step can help filter out fraudulent orders.
  • Check the company’s website to ensure that the address and phone number match the information on the order. Click links on the website to make sure it’s legitimate, too.
  • Scammers almost always pay by credit card. Before you establish open credit for an unfamiliar company, look it up in Dun & Bradstreet.
  • Be sure the company is legitimate by checking it out on Google and then calling to check.
  • Generic domain email addresses such as @hotmail.com are often tip-offs to a scam. Check it out first.
  • Use caution if the requester offers to pay immediately by credit card or requests immediate shipment.
  • Know the person or company to whom you are selling. If you don’t know them, find someone you know who does.