Tag Archives: BEC

$1.3 Billion is a Lot of Money

The FBI says that reported losses due to Business Email Compromise attacks reached a whopping $1.3 billion in 2018, double the losses reported in 2017.

On the other hand, the number of ransomware complaints is down to levels reported in 2014.

There were 20,373 Business Email Compromise attacks reported last year, compared to 15,690 in 2017. The losses in 2017 were $676 million, but increased to a whopping $1.297 billion last year.

For ransomware attacks, there were 1,783 attacks reported in 2017 and 1,493 attacks last year. This represents $2.3 million in 2017 and $3.6 million last year (fewer attacks but more cost).

The Securities and Exchange Commission reported late last year that they investigated around a dozen companies that lost $98 million to Business Email Compromise scams.

Also remember that this only represents what was reported to the FBI. The total costs are unknown.

The drop in ransomware complaints probably means that people are getting better at backups and having emergency plans, so other than the massive ransomware attacks, people are beginning to understand what they need to do in order to avoid paying the ransom. Are you prepared?

On the other hand, it apparently means that businesses have not gotten their arms around sending money to scammers. The dollars basically doubled from 2017 to 2018. That is not a good sign.

The attacks are, for the most part, straightforward. Usually the scammers send someone an email saying to change the destination for a payment (ACH or wire into the scammer's account), or they create fake invoices and see if they get paid. Putting some processes in place should really reduce the likelihood of falling for an attack. One common thread to these scams is that they try to create a lot of urgency around getting the money out to them. They probably figure that the longer the request sits in accounting, the greater the chance that the scam will be detected.

Train your employees to resist the temptation to respond to the urgency, to walk down the hall to executive row if some large or odd request comes in, and to follow the defined payment processes.

$1.3 billion is a number that is enough to get my attention. Does it get your attention?

Source: ZDNet.


New Business Email Compromise Scam Variant

Some of the most popular business email compromise scams (BEC) target accounting and finance or human resources.

The scam usually works something like this. Someone in the target department, often not too high up in the food chain, gets an email pretending to be from an executive like the CEO or CFO.

The email urgently requests something like all of the W2s from last year or a wire transfer for a secret project.

The mid-level person, wanting to please the executive and being told that there is urgency, quickly processes the request without the normal thought process.

Over the past couple of years, this has led to billions of dollars of losses, but companies have been doing extensive employee training, so this attack is not working as well as it used to.

So now a new attack method has been added to the mix.

Steal the credentials of employees, log on to the HR platform and change the direct deposit information. The employee is completely unaware of this until they don't get paid. The attacker has already emptied the account by the time that the employee talks to HR.

Now the company has a problem:

  1. Do they believe the employee that he or she didn't change the direct deposit instructions?
  2. The employer did nothing wrong, so do they just eat the loss and pay the employee twice?

I suspect that most employers will make the employee whole and the law could be on the employee’s side, depending on the state.

If that vector doesn't work, the attacker can target the HR employee instead. Using that account, the attacker could change several paychecks at once and get a bigger payday.

Or both.

There are a number of things that an employer can do to protect themselves and their employees.

First of all, if you do not have two factor authentication in place, do that now. If you are using an outsourced Payroll/HR system and that vendor doesn't support two factor authentication, "encourage" them to do that by including a contract clause that makes them financially liable for any losses caused by their lack of two factor authentication.

Geofencing is the technology that restricts access to your HR system to a limited geographic area. For example, if your company only operates in the continental U.S., block access from any IP address outside the U.S. While this is not perfect, it does make it harder for the hackers.

Finally, generate a report just before the payroll run (assuming the hackers will try to make changes at the last minute so that they can't be undone in time) of all direct deposit changes during that pay period. If the number of changes, the location of the changes or anything else seems out of whack, sound the hacker alarm.
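Here is what that pre-payroll report can look like in practice. This is an added example, not code from the original post or from any HR vendor; it assumes the HR platform can export an audit log of direct deposit changes with the fields shown, and the field names, the sample records, the geofence, the baseline and the payroll cut-off are all constructed for illustration. It combines the geofence check from the previous paragraph with the change-volume and last-minute checks described here, and goes one step further than the post by flagging several employees whose deposits were just redirected to the same account or changed by the same HR login (the "change several paychecks at once" pattern mentioned earlier).

```python
"""Pre-payroll review of direct deposit changes (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit log: one record per direct deposit change in the pay period.
# "changed_by" is the login that made the change; it equals "employee" for self-service.
CHANGES = [
    {"employee": "E1001", "changed_by": "E1001", "new_account": "ACCT-111", "ip_country": "US", "when": "2019-03-11T09:12:00"},
    {"employee": "E1002", "changed_by": "E1002", "new_account": "ACCT-222", "ip_country": "US", "when": "2019-03-12T14:40:00"},
    {"employee": "E1003", "changed_by": "E1003", "new_account": "ACCT-999", "ip_country": "RO", "when": "2019-03-14T23:55:00"},
    {"employee": "E1004", "changed_by": "HR0007", "new_account": "ACCT-999", "ip_country": "US", "when": "2019-03-14T23:57:00"},
    {"employee": "E1005", "changed_by": "HR0007", "new_account": "ACCT-999", "ip_country": "US", "when": "2019-03-14T23:58:00"},
]

ALLOWED_COUNTRIES = {"US"}                  # geofence: company operates only in the continental U.S. (assumption)
BASELINE_CHANGES_PER_PERIOD = 2             # assumed typical number of changes in one pay period
PAYROLL_RUN = datetime(2019, 3, 15, 6, 0)   # constructed payroll cut-off
LAST_MINUTE_WINDOW = timedelta(hours=12)    # changes this close to the run get a second look


def review_changes(changes, allowed=ALLOWED_COUNTRIES, baseline=BASELINE_CHANGES_PER_PERIOD,
                   payroll_run=PAYROLL_RUN, last_minute=LAST_MINUTE_WINDOW):
    """Return a list of (kind, detail) findings; an empty list means nothing looked out of whack."""
    findings = []

    # 1. Volume: more changes than this pay period normally sees.
    if len(changes) > baseline:
        findings.append(("VOLUME", f"{len(changes)} changes vs baseline {baseline}"))

    for c in changes:
        # 2. Geofence: a change made from outside the allowed region.
        if c["ip_country"] not in allowed:
            findings.append(("GEOFENCE", f"{c['employee']} changed from {c['ip_country']}"))
        # 3. Timing: a change made in the last hours before the payroll run.
        when = datetime.fromisoformat(c["when"])
        if payroll_run - when <= last_minute:
            findings.append(("LAST_MINUTE", f"{c['employee']} changed at {c['when']}"))

    # 4. Shared destination: several employees suddenly paid into the same account.
    for account, n in Counter(c["new_account"] for c in changes).items():
        if n > 1:
            findings.append(("SHARED_ACCOUNT", f"{n} employees now deposit to {account}"))

    # 5. Bulk edits by one HR login (not self-service), the "several paychecks at once" case.
    hr_edits = Counter(c["changed_by"] for c in changes if c["changed_by"] != c["employee"])
    for actor, n in hr_edits.items():
        if n > 1:
            findings.append(("BULK_BY_HR", f"{actor} changed {n} employees' deposits"))

    return findings


if __name__ == "__main__":
    for kind, detail in review_changes(CHANGES):
        print(f"{kind:15} {detail}")
```

Run this against the real export right before the run, not after it: the point of the report is to hold the affected payments until someone has talked to the employee, and a finding of any kind is enough to do that.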

And of course, educate people.

None of these changes should be particularly expensive or hard to do and could save you significant pain.

Source: Helpnet Security


Business Email Compromise Attacks Are Not Always Sophisticated


Business email compromise (BEC) attacks are relentlessly attacking businesses with no let-up in sight. BEC attacks have traditionally used CEOs and CFOs as their foils, pretending to be them and getting people to wire money to the hackers.

The oil and gas industry was targeted by a single individual using old generic malware readily available online and scraping companies' websites for email addresses. It doesn't always require a sophisticated plan of attack.

One guy in his 20s targeting 4,000 organizations using a few fake Yahoo email addresses was all it took in this case. Over a few months he successfully attacked a few large companies, getting away with a lot of money.

According to Cisco's midyear cybersecurity report, over the last 3 years, businesses lost over $5 billion. Likely, this number is low because a lot of companies don't want to let customers know that they were hacked, possibly by a lone hacker using obsolete software and no infrastructure to support him.

One industry that is being hammered is the real estate industry. For the most part, industry members don't like talking about it, but every now and then we do hear stories. One group that is often targeted is real estate agents. These people are often one-person organizations with limited technical support and, in many cases, not technically sophisticated. And they act as trusted intermediaries between all the parties to the transaction. My recommendation to real estate agents is to not get in the middle of the finances and to make that clear to the parties. Otherwise they will potentially wind up in the middle of a lawsuit just for trying to help out.

In one example, a real estate agent got an email from a person claiming to be looking for a house. The scammer then sent a link in another email to the agent, claiming that the link was a bank mortgage pre-approval letter. In fact, it was an attempt to steal the agent's email password. If successful, the attacker could then silently read all of the agent's emails.

As soon as the hacker sees an exchange with information about wiring funds, they can inject their own emails changing those instructions and wiring money to them.

We have seen multiple cases where the money lost was well over a hundred thousand dollars in each case. For a company with the right kind of insurance, while this loss is a pain, it is manageable. We know of one local company that lost close to $150,000 because they did not have the right insurance coverage.

For homeowners who are either buying or selling a house, they have no insurance, and the real estate agent or title company likely has zero liability for giving you back the money. It is possible that they might have insurance coverage, but it depends a lot on exactly how the attack worked.

If the company does not have the right kind of insurance and they don't have the funds to reimburse the buyer or seller, that company will likely face a lawsuit and may go out of business. For real estate agents, that could be a judgment against them and bankruptcy.

We always tell people that they need to have the right kind of cyber insurance and the Cisco report gives 5 billion reasons why.

It is important to understand exactly what insurance coverage you do have, and we strongly recommend that our customers seek out the advice of an insurance agent who is knowledgeable about cyber insurance before purchasing cyber risk insurance. Unfortunately, many agents who sell cyber insurance do not have the training needed to take care of the customer. They are not bad people, just people who need more training before selling an insurance product that can be very complicated.

Information for this post came from Dark Reading.


Leoni AG Lost $44 Million to CEO Fraud

Leoni makes cables and wiring harnesses for cars, trucks, healthcare systems, appliances and many other products. They operate worldwide, are publicly traded, have 75,000 employees and in 2015 had sales of over 4 billion euros. You would think that a company like this would not fall for a business email compromise scam. But they did.

CEO fraud, AKA Business Email Compromise (BEC), cost Leoni AG almost 40 million euros, paid out to the scammers. BEC is a huge problem, with the FBI saying that it has cost companies worldwide over $2 billion during the last several years.

The scammers had done their homework. They targeted a subsidiary of the company in Romania. It turns out Leoni has four factories in Romania, but only one of them is authorized to send wires. They targeted that one.

They sent an email that looked like it came from the CFO in Germany.

People inside the company said that it was common to send money that way, even large amounts of money. 40 million euros later, they hopefully are reconsidering that strategy.

I continue to be amazed that large companies (Leoni has revenues of over 4 billion euros) authorize wires via email. And then they are surprised that they are taken to the cleaners for almost $45 million.

The company's press release said hackers used falsified documents and identities and electronic communications channels to perpetrate the scam. This means that they pretended to be the CFO and sent an email requesting the wire transfers.

The good news is that 40 million euros, while substantial, will not cause the company to go under. Their profit before taxes in 2015 was around 150 million euros.

Unfortunately, for many companies that fall victim to a business email compromise attack, that isn't the case. In some cases, the attack has a very significant financial impact on the business. I wrote about a company yesterday that went out of business as a result.

This incident makes me ask some questions. Consider what the answers for your company are.

  1. Can someone send an email, pretending to be, say, the CEO or CFO, to someone in accounting asking to wire some money to some random bank account in a foreign country, and no one says anything about it BEFORE sending the payment?
  2. Is there a policy that dictates how employees are supposed to handle requests for payments made via email? For example, is there a validation process? Does the request require approval? Is there a dollar value threshold above which extra authorization is required (such as $40 million)? What about if the sender says that this is a super-secret hush-hush deal?
  3. Does your company attempt to phish its employees as part of its training program? If so, how often is that done? HINT: Doing it once a year as part of the review of corporate HR policies probably won't have much of a positive effect.
  4. Does your insurance cover this loss? Typically cyber insurance does not cover it, nor does general liability. Since the employees voluntarily sent the money, it is not covered by forgery coverage. Some insurers are creating a social engineering coverage to address this. To be sure that you are covered, ask in writing and make sure that the amount of coverage is adequate.
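Questions 1 and 2 above, and the earlier post's advice to define payment processes and walk down the hall on large or odd requests, can be written down as a control checklist that an accounts payable system (or a person with a form) applies to every emailed payment or bank-detail change request before anything is sent. The following is an added example, not Leoni's process or code from the original posts; the vendor file, the thresholds, the country codes and the two sample requests are constructed assumptions, and the 40 million euro figure is the one from this post.

```python
"""Control checklist for emailed payment requests (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class PaymentRequest:
    requested_by: str          # who the message claims to be from, e.g. "CFO" or a vendor contact
    channel: str               # "email", "portal", ...
    amount: float
    currency: str
    beneficiary_account: str
    beneficiary_country: str
    urgent: bool = False       # "do this today"
    confidential: bool = False # "super-secret hush-hush deal"


# Constructed vendor master file: the account and callback number on record.
# The callback number must come from here, never from the request itself.
VENDOR_FILE = {
    "ACME-SUPPLY": {"account": "DE11-0000-0001", "country": "DE", "callback_phone": "+49 30 0000 0001"},
}

EXECUTIVES = {"CEO", "CFO"}             # requests "from" these people get confirmed in person
HOME_COUNTRY = "DE"                     # assumed home country of the paying entity
SECOND_APPROVER_THRESHOLD = 50_000      # assumed: two people approve anything above this
CFO_IN_PERSON_THRESHOLD = 1_000_000     # assumed: above this, the CFO signs off face to face


def required_controls(req, vendor_id):
    """Return the list of controls that must be satisfied before this request is paid."""
    controls = []
    vendor = VENDOR_FILE.get(vendor_id)

    if req.channel == "email":
        # An email proves nothing: call back the number on file before acting.
        controls.append("CALLBACK_VERIFY")
        if req.requested_by in EXECUTIVES:
            # Walk down the hall; the executive confirms the request in person.
            controls.append("CONFIRM_IN_PERSON")

    if vendor is None or req.beneficiary_account != vendor["account"]:
        # Unknown vendor or changed account: hold until verified through a known contact.
        controls.append("NEW_OR_CHANGED_BENEFICIARY_HOLD")

    if req.beneficiary_country != HOME_COUNTRY:
        controls.append("FOREIGN_ACCOUNT_REVIEW")

    if req.amount >= SECOND_APPROVER_THRESHOLD:
        controls.append("SECOND_APPROVER")
    if req.amount >= CFO_IN_PERSON_THRESHOLD:
        controls.append("CFO_IN_PERSON_APPROVAL")

    if req.urgent or req.confidential:
        # Urgency and secrecy are the scammer's tools; they raise scrutiny, never bypass it.
        controls.append("ESCALATE_TO_EXECUTIVE")

    return controls


def can_pay_now(req, vendor_id):
    """True only when no control stands between the request and the payment."""
    return required_controls(req, vendor_id) == []


# Constructed request shaped like the one described in this post.
LEONI_STYLE = PaymentRequest(requested_by="CFO", channel="email", amount=40_000_000, currency="EUR",
                             beneficiary_account="XX99-0000-9999", beneficiary_country="XX",
                             urgent=True, confidential=True)

# Constructed routine payment to a known vendor through the normal portal.
ROUTINE = PaymentRequest(requested_by="accounts@acme-supply.example", channel="portal", amount=12_000,
                         currency="EUR", beneficiary_account="DE11-0000-0001", beneficiary_country="DE")

if __name__ == "__main__":
    print("Leoni-style request:", required_controls(LEONI_STYLE, "UNKNOWN-BENEFICIARY"))
    print("Routine request:", required_controls(ROUTINE, "ACME-SUPPLY"))
```

The routine payment clears with no controls, while the Leoni-style request trips every one of them; the useful property is that no single flag in the request (urgency, an executive's name, a confidential deal) can remove a control, it can only add one.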

This is a significant business problem that can only be addressed by training people. This is not a technology problem. And since it is so profitable, it is not going away any time soon.


Information for this post came from Leoni’s press release on the issue.
