Combating Fraudulent Pecuniary Transactions
As the Chief Information Security Officer of a large bank, I worry about protecting our organization. But more often, I see our clients falling victim to the schemes described below. Businesses come to us when they discover fraud. In some cases, if it is noticed quickly, the bank can stop the fraud, but once the client clicks on the bait or authorizes the transaction, the money is usually gone. A single click, or even a phone call, is all it takes to have a devastating and lasting effect on a business.
There are endless cyber security threats in today's world, too many to count really, and they cause headaches for business owners. One of the most significant threats we see is scamming or phishing through the use of business email. It is extremely sophisticated and trending in the wrong direction.
Business Email Compromise
Last June, the FBI reported over $3 billion had been lost as a result of the business email compromise (BEC) scheme. In this type of scam, the finance department receives an email that appears to come from the company CEO (or another executive) directing them to urgently send funds by wire. The email is not from the CEO, and the money goes to criminals who either spoofed the executive's address or compromised the executive's actual email account. We are also seeing tax season variations that ask for sensitive employee W-2 data. Sometimes the email is even supplemented by a phone call from a "consultant" to make the scam more plausible.
Recently, a second stage of wire fraud has appeared, after the funds have already been wired to the fraudster. The fraudster contacts the closing professional and poses as the receiving bank, often using a false name to appear legitimate. The fraudster "confirms" that the funds were sent to an account flagged as suspicious and assures the professional that the funds will be returned within a few days. This tricks the professional into not contacting the actual receiving bank to freeze the funds, and gives the fraudster enough time to move the money to another account.
As a business owner or a member of the leadership team at a large organization, what can you do?
Talk about these schemes with your finance department, HR and your CEO. Ask them to be suspicious of emails that seem out of the ordinary or that come from unusual or slightly misspelled email addresses. If you get one, do not hit reply; pick up the phone and call the requester at a number you already know. Create a culture where caution is encouraged. Consider requiring dual authorization (a second, independent approver) for money movement (wires, ACH, etc.) above certain thresholds. Verify changes to vendor or supplier payment details by calling a previously verified contact, never a number supplied in the request itself. Be judicious with the information about your company and employees that is available online. Finally, have a response plan for what you would do, quickly, if you do fall victim. This should include your bank and also law enforcement.
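The "unusual email addresses" warning above can be turned into an automated first pass before a human reviews a payment request. The following is an added example, not code from the original article or the bank's own tooling; the company domain, the executive list, the keyword list and the two sample messages are all constructed for illustration. It flags the three signals a BEC message typically carries: an executive's display name on a non-company address, a sender domain that is a lookalike of the company's, and a Reply-To that diverts replies elsewhere, plus urgency and payment wording.

```python
"""Heuristic checks for executive-impersonation (BEC) email.

Added example; not part of the original article. COMPANY_DOMAIN,
EXECUTIVES, the keyword list and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed internal domain
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}   # constructed: display name -> real address

# Character swaps commonly used in lookalike domains (rn->m, vv->w, 1->l, 0->o)
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Constructed list of words that appear in most wire/W-2 requests
URGENCY = re.compile(r"\b(urgent|immediately|wire|today|confidential|w-?2)\b", re.I)


def normalize_domain(domain):
    """Fold confusable character sequences so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for a, b in _CONFUSABLES:
        d = d.replace(a, b)
    return d


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if the domain imitates the company domain but is not the company domain."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    norm = normalize_domain(domain)
    # Distance <= 2 catches transpositions and dropped letters; it will also
    # flag some unrelated short domains, which is acceptable for a human review queue.
    return norm == COMPANY_DOMAIN or edit_distance(norm, COMPANY_DOMAIN) <= 2


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append("display name matches an executive but the address does not")
    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in URGENCY.findall(msg.get("Subject", "") + " " + text)})
    if hits:
        findings.append("urgency/payment keywords: " + ", ".join(hits))
    return findings


# Constructed sample messages
LEGIT = (
    "From: Jane CEO <jane.ceo@example.com>\n"
    "To: payroll@example.com\n"
    "Subject: Q3 planning deck\n"
    "\n"
    "Slides for Thursday are on the shared drive.\n"
)

SPOOFED = (
    "From: Jane CEO <jane.ceo@examp1e.com>\n"
    "Reply-To: jane.ceo@outlook-mailer.net\n"
    "To: payroll@example.com\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "Please wire $48,500 today to the account below. Keep this confidential.\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, analyze(sample) or ["no findings"])
```

A message with any finding should be routed to a person who calls the requester on a known number, as the paragraph above advises; the script only decides who needs to make that call, it does not replace it.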
Business Email Compromise and wire transfer fraud are just two of the cyber risks that businesses face. With threats changing daily, we recommend you practice good security "hygiene." These additional tips are meant to help you prevent an attack and, if one does occur, get back to business quickly:
1. Implement the Basics
Smaller businesses may not always have the luxury of a large information security budget. Use your resources wisely and take these basic, low cost steps.
• Maintain security patches—outdated systems are extremely insecure
• Remove or strictly control administrator/ privileged accounts or access rights
• Use “strong authentication” (e.g. one-time PIN tokens) for remote access to the network or remote email
• Ensure anti-malware controls are in place for email, servers, workstations
• Log and monitor systems and networks
2. Educate End Users
Training the end users—your employees and your executives—is paramount. Teach employees what kind of emails and hyperlinks to avoid, what type of passwords (or stronger authenticators) to use, and what information should never be sent over email. Remember that to keep pace with emerging cyber threats, employee education must evolve constantly.
3. Have a Game Plan
Every business needs to have plans and protocols in place before an incident occurs. Response planning and recovery drills ensure that all relevant parties are notified of an incident and know what to do when it happens. Include your counsel, communications team, executives, Board and law enforcement partners when planning, and exercise the plan. You can file a complaint with the FBI at https://www.ic3.gov/default.aspx if you have been targeted by BEC or another scheme.
4. The Buck Stops Here
Assign one person, by name, to be accountable for your information security program. For smaller organizations, this might be an added responsibility for an existing person. That person needs to understand your risk tolerance and ensure controls are put in place to manage to it.
5. Stay Engaged
The cyber landscape changes daily. Join an Information Sharing and Analysis Center (ISAC) if your industry has one.
Threats are all around us, every second of every day, and the cyber security risks continue to grow in scale and sophistication. Start with these basics. While I hold the role of Chief Information Security Officer at my organization, it is really everyone's job to protect the safety and soundness of our customers' information.