A number of Fort Atkinson businesses have been targeted in a scam in which people impersonate Fort Atkinson Area Chamber of Commerce Board of Directors members, Fort Atkinson High School students or representatives of other community groups.
The scam has hit at least three businesses in Fort Atkinson, prompting the chamber to send several alerts warning members about it.
“This individual or organization is being very aggressive, as several legitimate organizations are being used as bait to get people to buy the gift cards,” Carrie Chisholm, chamber executive director, said. “Some of our businesses have unfortunately succumbed to the request, thinking they are helping a worthy cause.”
The scammers send an email to an area business claiming to be someone else, Chisholm said. The email often mimics other aspects of the person’s email such as the URL and design of the email signature.
In the email to businesses, the scammers ask whether the recipient can pick up iTunes gift cards for a local fundraiser and send back the gift card redemption codes. After they have the codes, the sender requests another type of gift card, saying the reimbursement will be paid by check.
Chisholm said the scams came in two waves. The first one — which came last week — specifically mentioned a local service club and targeted its members, with a few of those members thinking it was legitimate, according to Chisholm.
The second wave came Monday and was less convincing than the first, Chisholm said.
“Especially today, this is so rampant, they had some success last week and they’re trying to go further,” Chisholm said. “But they’ve gone too far because it’s so obvious. They’ve had success and now they’re blasting the whole community.”
Chisholm said she didn’t know how the scammers gained a foothold in the chamber’s network — or the networks of other organizations that were used, such as the high school — but she said she had contacted the police.
Cybersecurity experts recommend a number of steps to avoid scams such as this one, including changing passwords frequently, examining the email URL, training staff, updating all software regularly and limiting guest access to networks.
In September, the chamber itself hosted an event to teach area businesses about the importance of cybersecurity.
The event, which featured Brian Dennis, director of the Cyber Security Center for Small Business at the University of Wisconsin-Whitewater, taught business owners these lessons. Ninety percent of data breaches will affect small businesses, according to Dennis, and that means it can and will happen to almost every business out there. The important thing is being prepared.
“If you have a plan for a fire, if you have a plan for a flood, what are you doing to prevent a cybersecurity breach?” Dennis said at the event.
Chisholm said that in light of the scams of the last couple of weeks, this will continue to be a concern going forward.
“Cybersecurity is definitely going to become the issue of this decade,” Chisholm said. “(Dennis) was wise to warn us and it’s something we’ll be watching out for as a business concern.”
Fort Atkinson Police Capt. Jeff Davis said the department does what it can, but these types of crimes are difficult to investigate. That especially is the case, Davis said, if the scammer turns out to be a foreign actor, which would put the scam outside the department’s jurisdiction.
“The nature of these is it’s difficult to track down; we follow up as much as we can,” Davis said. “We do what we can with them.”
The chamber put out a list of steps businesses can take to avoid cybercrime such as this scam.
• Change your log-on passwords annually and do not use birthdays, addresses, phone numbers, or other publicly available personal information in constructing your password.
• Carefully examine the URL of incoming email addresses. Often, the name may look familiar, but the email address will not refer to the name at all.
• Host regular awareness sessions and train your entire team to recognize what is normal and what is suspicious.
• Ensure your antivirus software is current. Download any new updates.
• Run a weekly or monthly scan (if not more frequently) on your entire network for intrusions.
• Identify all devices that touch the organization and those with access to them. Ensure the ability to wipe those devices clean remotely so your organization retains control over the contents.