Beware of CEO Fraud, It’s Real

The following was originally published on April 17, 2016 on Seacoastonline.com.

A relatively recent form of e-mail scam, known as CEO fraud or BEC (Business E-mail Compromise), has been so successful that it has amounted to over 2.3 billion dollars in financial losses.

Companies of all sizes have been victimized, from large corporations to small businesses and non-profits.  This scam is remarkably unremarkable in its form.  An e-mail arrives to a finance employee who regularly moves money around for the company.  This e-mail appears to come from the company CEO and asks this person to wire transfer funds to an overseas bank.  The e-mail contains a signature that looks identical to the CEO’s e-mail signature and uses language and structure that is familiar from the CEO’s communication style.  Would you transfer money after receiving a request like this?  Numerous people have, to the tune of 2.3 billion dollars and climbing.

On the surface, this may seem hard to believe, but the evidence is irrefutable.  Just this week, I assisted a long-term client in evading this very type of threat.  Here’s a story I can personally vouch for, that indicates how real this threat is and some key lessons learned.  This particular story involves a client that runs a very sophisticated organization with excellent controls in place to secure the business, physically and virtually.  It underscores just how easy these scams are to fall victim to.

The controller received an e-mail from the CEO asking if the controller was in a position to make a wire transfer for them.  The controller replied to the e-mail saying yes.  The CEO then responded with an attachment requesting that sixty thousand dollars be transferred using the wire transfer instructions in the attachment.  The controller responded asking which account to transfer from, using account nicknames like operating, holding or trust.  The CEO replied holding and the controller initiated the transfer.  The CEO just happened to call in to talk to the controller within moments of the wire being initiated.  The controller informed the CEO the requested wire transfer was in process, at which point it became immediately clear the controller had been tricked.  Fortunately, the controller was able to contact their bank, stop the transfer and, with my assistance, log the threat and near financial loss with the FBI cybercrimes division.  This is scary stuff.

The lessons learned here are clear, especially in hindsight for this company.  The CEO had never asked for a wire transfer via e-mail, so this was a first.  The controller responded to the e-mail and engaged with the criminal initiating the scam instead of calling the CEO to verbally confirm the request.  The controller also opened an attachment without verbally authenticating that the CEO had sent it.  Two missed opportunities for verbal confirmation of a request to electronically wire funds.  Finally, the controller was tricked into asking which account to effect the transfer from, as opposed to asking the CEO to tell the controller which account to use.  This entire process started with an e-mail that was socially engineered at a new level not previously seen.

Social engineering like this is quite sophisticated.  It looks at e-mail flow to determine where intended victims may be, what their communication style is and more.  Combing Internet traffic, social media sites and public records about the target company and individuals, these hackers craft a custom e-mail attack that looks and feels like the real people involved and in so doing, defrauds its victims of significant sums of money.

The answer to this threat?  There are many, but chief among them is education and strong controls on the movement of money, especially electronically.  A verbal confirmation before taking action is required.  It’s simply far too easy to impersonate an authorized party electronically.

You should consider testing programs that periodically send phishing e-mail campaigns to your users, especially those that have access to sensitive information that could put the company at risk.  You want to test to see who responds and who does not.  Don’t punish people for making the wrong choice; rather, use it to further educate employees on just how careful they must be with their e-mail communication, especially in terms of which attachments to open or not and what type of information may be shared electronically and what may not.

The FBI has issued warnings of a dramatic increase in these types of e-mail scams.  In issuing some of their latest warnings, the FBI went on to say:  “The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
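As an added example that is not part of the original column: a small mail-triage check in Python that flags the pattern the FBI describes, an executive's display name arriving from an address outside the company, combined with wire or payment language. The company domain, the executive directory and both messages are constructed for the example; the Reply-To check is a common BEC tell added here as an assumption, not something the column discusses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical directory: executives a BEC mail would impersonate, keyed by
# lower-cased display name, with the only address each legitimately uses.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
MONEY_TERMS = re.compile(r"\b(wire|transfer|funds|payment|invoice)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators present in one RFC 5322 message (as text)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if msg.is_multipart():  # collect only the text/plain parts
        body = "\n".join(str(p.get_payload(decode=True) or b"", "utf-8", "replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    found = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append("executive display name on a non-directory address")
    if expected and _domain(addr) != COMPANY_DOMAIN:
        found.append("executive display name from an external domain")
    if reply and _domain(reply) != _domain(addr):
        found.append("Reply-To domain differs from From domain")
    if MONEY_TERMS.search(msg.get("Subject", "") + "\n" + body):
        found.append("wire/payment language")
    return found

def is_likely_bec(raw: str) -> bool:
    """Impersonation plus money language: hold the request for a phone callback."""
    found = bec_indicators(raw)
    return any(f.startswith("executive") for f in found) and "wire/payment language" in found

# Constructed sample messages: a lookalike-domain spoof and a genuine note.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.com>
Reply-To: Jane Doe <ceo.jane.doe@webmail-example.net>
To: controller@example.com
Subject: Quick wire transfer

Are you in a position to process a wire transfer for me today?
"""
GENUINE = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Board lunch

Can you book the usual room for Thursday?
"""
```

A hit from is_likely_bec is a reason to route the request to the callback step the column prescribes, not a verdict on its own.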

Stay safe online!

30% of data backup disasters caused by accidents

The following was originally published on April 3, 2016 on Seacoastonline.com.

Did you know this past Thursday, March 31 was World Backup Day? It was and hopefully you believe in good backups to protect your data, whether personal or professional.

World Backup Day is a private initiative that seeks to increase awareness of the importance of data in our lives. Because of this, backup is no longer a luxury, it’s an absolute must to protect our digital filing cabinets, photo albums, electronic medical records, document management systems, databases and more. I love the tag line for World Backup Day: “Don’t be an April Fool, Be prepared. Backup your files on March 31.” I’d actually change it just a bit, to say not only March 31, but every day of the year.

With the advent of imaging technology and online backup, backing up your data is far simpler than it used to be. I remember the days of managing multiple sets of backup tapes, one that would stay in the office and one that would go to the bank safe deposit box for secure off-site storage. These systems were extremely expensive and manually intensive, not to mention very prone to human error. Only larger companies could afford to maintain a proper backup rotation that would ensure they were keeping enough backup copies to protect the business. For individuals, backing up was nearly impossible as you would need multiple disks of one form or another, to copy all your data for backup. This was a very manual process and extremely prone to human error, most frequently in the form of simply forgetting to do it.

Fast forward to the present and USB drives with massive capacity and online backup services make this process far more efficient and reliable. Today, most organizations employ a form of imaging to take snapshots, digital copies, of their data several times a day and then copy these backup images to secure off-site data centers. Most organizations also employ encryption to secure these images as they are created, so that as they get transferred to the off-site data center they can’t be intercepted by hackers or electronic thieves. These systems ensure data is protected and, in the event of loss or corruption, able to be quickly restored. In many cases, organizations also have the ability to restore their data in the Cloud and make it accessible, on a temporary basis, to keep business operations intact when there is a larger problem with the source network.

For individuals, there are numerous backup services that run continuously on your computers to back up your data as you create it, in real time. The key to these services is that they are highly reliable and fully automated, so as long as your computer is turned on and connected to the Internet, the backup software is protecting you with little to no interaction required. Gone is the risk of human error. In the consumer market, these services are also extremely inexpensive, so if you can afford a computer, you can afford to back up your important data.

Why you should back up should be obvious, but the simple fact that there is a World Backup Day underscores the point that even though most computer users do back up, there is still tremendous room for improvement. Consider some of these risk factors: more than 100 mobile devices are lost or stolen every minute. One in 10 computers is infected with some form of virus or malware, 30 percent of people have never backed up and 30 percent of disasters are caused by accidents. Don’t be someone who contributes to these statistics.

My wife is a professional genealogical researcher, and backups and proper preservation are paramount to her work. Decades- and even centuries-old documentation is being converted to digital form in the hope of preserving this important information for generations to come. As we continue to migrate into an increasingly digital world, it’s critical that we preserve critical records for the future. Imagine researchers of the future not being able to find historical data about people, companies and entire civilizations. So even though World Backup Day has come and gone, make every day World Backup Day. The future will thank you.