Email Security

Is your business as safe as you think it is? What you need to know to keep your company secure.

With the increase in cyber threats, coupled with the confusion and lack of knowledge about cybersecurity, how do you know if your company is secure? How do you know if you’re doing the right things at the right time? The whole topic of cybersecurity is overwhelming, and there’s nothing “fun” about it. So, it’s easy to avoid, but at what real risk to the company?

Monsters!

Despite all the statistics showing that businesses without proper security measures will likely suffer a cyberattack, cyber threats are still viewed as scary but unlikely to occur. Most businesses still see a cyberattack as the monster under the bed, and cybersecurity as protection against the highly unrealistic possibility that there will ever actually be a monster under the bed. Unfortunately, these “monsters” are very real, and the number of attacks continues to escalate. It’s critical for businesses to have the correct security measures in place to keep the “monsters” from even getting in the front door.

One security solution does NOT fit all

Be cautious of cybersecurity providers who offer the same solution to every client. Every company is different, so expectations should be set based on many factors: size of the business, type of business, industry, etc. Also, no two businesses require the same IT solutions, support, software, or hardware. So, having tailored and specific IT security is crucial.

Is your business insecure?

If you’re reading this blog, then you’ve been warned! Now, what are you going to do about it? If you want to keep your business safe from cyber threats, knowing your risk level is a good first step to take before addressing each risk.

The following questionnaire addresses this by asking some basic questions that any business owner or management team should be able to answer. While some of the topics are technical in nature, the questions are written from the perspective of the business itself.

Cybersecurity Preparedness Questionnaire

Answer each question below and tally your score. After completing the questionnaire, total your score to determine the level of risk for your company.

Yes: 0 points  No: 5 points  Unsure: 5 points

  1. Do you have a cybersecurity budget review annually?
  2. Do you have a written information security policy signed by every employee?
  3. Has your company reviewed its cybersecurity policies and procedures within the last year?
  4. Do you have a person designated as your security officer?
  5. Do you have a written incident response plan that is reviewed annually?
  6. Have you tested your incident response plan within the last 12 months?
  7. Do you know if you have any compliance or regulatory requirements?
  8. Have you defined the level of cybersecurity needs based on your business and compliance requirements?
  9. Have you provided security training to your employees in the past 12 months?
  10. Do you provide security training to employees on an annual basis?
  11. Can your employees identify sensitive information that could compromise the company if stolen?
  12. Do you know where your sensitive data is stored?
  13. Do you have cyber insurance that is reviewed annually?
  14. Are employees prevented from having administrative privileges on your network or computers?
  15. Does your company have an acceptable use policy?
  16. Does your company consistently enforce policies around the acceptable use of computers, email, internet?
  17. Do employees regularly update passwords on company-issued computers/devices?
  18. Do your employees lock their computers when away from their desk, even for a few minutes?
  19. Do all your computers have anti-virus software that is regularly updated?
  20. Does your company have data backups onsite and offsite verified at least once a year?

  • Low Risk: 0-10
  • Moderate Risk: 15-25
  • High Risk: 30-50
  • Escalated Risk: 55-100

What now?

Once you’ve identified your risk level, what now?  If you answered “unsure” to any of the questions, do the necessary research to confirm the answer.  Once you have a “Yes” or “No” answer for every question, you will have a better idea of your true exposure and can begin prioritizing which areas to address first to mitigate the risk.

Don’t put your head in the sand!

If you didn’t score 10 or below, getting into the green (low risk) range won’t happen overnight. It takes time and, most importantly, full commitment and buy-in from ownership and senior leadership. But, as I mentioned, cyber threats are not imaginary monsters, so don’t pretend they don’t exist and hope nothing bad will happen. At Fluid, we understand the process can be overwhelming; even deciding what to do first can be a challenge. Luckily, we have a team of experts dedicated to cybersecurity, so please feel free to reach out to us for help. Don’t wait until it’s too late!

Happy #$%@ New Year’s!! My Money is Gone!

This scam is downright scary!

Time is of the essence on this blog, so I tried to find a title that will grab your attention. I hope it did. I don’t get overly dramatic in my blogs, but this one is warranted for how bad it is. I also try to use graphics to break things up a bit, but I didn’t want to spend more time trying to make things “artsy”.

If you’re going to read anything, please read this. It might just save you thousands of dollars.

A small business owner and close friend of mine, whom we’ll refer to as “Joe”, texted me on December 22nd (yes, right before Christmas), livid that he had been conned out of thousands of dollars by a very elaborate and well-executed scam. Now, Joe is no dummy, and pulling one over on him is no small task, but the level of detail these scammers deployed was too much for even an astute businessman.

So what happened?

The target, Joe, uses Chase Bank for his business and personal finances, which becomes important later.  All the money in both his personal and business accounts was stolen within minutes! How?... Joe gave the hackers the information they needed to steal it.

The chain of events.

Joe received a call from Chase Bank’s “Fraud Department” stating there was suspicious activity on his account and that transactions had been made in a foreign country. Joe then explained that he had recently been to Mexico on vacation, a common destination when you live in Texas.

Being a diligent and rightfully cautious person, Joe checked the number calling him and it matched the phone number on the back of his Chase credit card. The hook was set!!

The “Chase representative” stated that because there had been fraudulent attempts on his account, he needed to close both accounts, personal and business, and transfer the money to new, “safe” accounts. Then the representative said he would text Joe a code to read back, and that text, once again, arrived from a legitimate number. Two-factor authentication using codes texted to a mobile number is common practice and no cause for alarm. But that code was almost certainly the bank’s own one-time code protecting Joe’s login, sent because the scammer was at that moment trying to sign in or reset the password; once Joe read it back, the scammer used it to access both accounts and change the real password to one only he knew. A one-time code is only as strong as the rule that it is never repeated to anyone, including someone claiming to be the bank.

In real time, the hacker used Zelle, the common online payment app, to clean out both personal and business accounts. It should also be noted that the scammer on the phone spoke excellent English and sounded legitimate, another deliberate tactic, and a far cry from the heavily accented “rich uncle” scam calls most people have learned to recognize.

Worst nightmare!

Now being suspicious, Joe went into a Chase branch location and they verified that it was, in fact, NOT Chase. The real Chase representative mentioned this was the second time in a few days they have dealt with this same scam.  Panic now set in!

Pain and no gain.

While in the branch, Joe had to immediately close all his accounts and open new ones, while simultaneously working with the bank’s fraud department to try to reverse the transfers and get his money back.

When the Chase fraud department did their initial forensics, they discovered the transfer was made using a relative’s name.  This means the hackers gained full access to the account information, including the list of approved people and accounts to transfer money to and from.  Because the hackers chose a relative as the person receiving the funds, Chase would not escalate until Joe could confirm and ‘prove’ funds were not transferred to the family member as a legitimate transfer. The hackers purposely chose a family member knowing it wouldn’t get escalated.

It’s important to note that the phone number showing on Joe’s caller ID matched the number on his Chase credit card (a tactic called caller ID spoofing). At one point, Joe used the ‘call back’ feature on his phone to redial that number, and the call was routed back to the fraudsters. The Chase fraud department advised Joe to always manually dial the number printed on the card, and never use the automatic call back feature on a mobile phone, to ensure he is calling the correct number. In addition to closing his accounts and opening new ones, Joe also has to identify and contact the numerous legitimate personal and business vendors and payers he works with to give them the new account information. More pain.

At the time of this blog, the success of reversing the scam is unknown. The bank stated it would take up to 30 days to determine if Joe would get the money back. To add insult to injury, Joe is also now locked out of online banking for 60 days.

This is one of the most elaborate and well thought out cons I’ve ever seen, requiring multiple people who know exactly how people use banking, and more importantly, people who know exactly how banks and their fraud departments work.  They were always one step ahead of the victim and I’m certain there are more to come!  So be diligent, be doubtful, beware.

Recession Obsession

If you’ve been alive 10 years, you’ve been through a recession – the Great Recession actually.  If you’ve been alive 20 years, you’ve been through two recessions.  30 years on the planet will give you…you guessed it, three recessions.  Although recessions do seem to be cyclical, they don’t always happen every 10 years. Over the last 50 years, there have been 7 recessions.

Gas Lines and Baby Food Jars

The ramifications of a recession also change over time. Being 53 years old, I recall my grandparents saving every coffee can, baby food jar, and plastic container to repurpose and use for storing things throughout the house. As products of the Great Depression, they were raised to literally save everything. I can also distinctly recall having to wait in long lines for gas during the recession in the 1970’s. My father and I would park the car in line at the gas station and go to the nearby strip mall to kill time for two hours while we waited for the line to move.

Although not a recession, I recall Black Monday in 1987 when the stock market dropped over 22%.  I was working at a financial planning firm at the time and that was not a good day, and not just because it was Monday.

Dot Bomb Bubble Burst

In the early 2000’s, the dot com bubble burst, and turned into the dot “bomb”. It seemed like anyone with a web-based idea was given millions of dollars in funding without having to show any profits (a scenario which still occurs today). eToys.com, Webvan.com, Pets.com, and many more were all wiped out almost overnight.

Most recently, we can all recall, if not relate, to the Great Recession that occurred in 2007-2009 when the housing bubble burst due to the subprime mortgage crisis.  The term “government bailout” became a major thorn, and the nemesis for many household brands.  Many are still recovering from this economic meltdown. However, the prosperity over the past 10 years has dulled some of the sting.

But, some are now warning us that the great run we have enjoyed may be slowing down, and we’re potentially headed for a recession.  Search Google for “Recession 2019” and you’ll find blue-chip names discussing the very likely possibility that a recession is looming.

Before it's too late!

I have owned a technology company, Fluid IT Services, for the past 17 years, and we felt the impact of the 2007 recession – but in an interesting way. We provide IT solutions and support for small to mid-sized businesses, and the cost of our services is typically less than the cost of one full-time employee. Although we lost the clients who unfortunately went out of business, we gained new clients who needed to cut costs and couldn’t afford full-time IT staff.

We certainly had to cut costs ourselves and manage everything more tightly, but we were okay because our risks were spread sufficiently, and we provide a service that is “recession friendly”.  We continued to grow as the economy improved, but always with a keen eye on our market segment and the economy as a whole.

As the economic signs, signals, metrics, statistics, etc. started showing a downturn, we’ve used it as an opportunity to get our business in order.  It’s much easier to evaluate all your people, processes and technology-related costs, and make sure that your business is operating as efficiently as possible, before things go south.

Every company has and uses technology (IT) constantly. Most companies today wouldn’t be able to function without IT.  But, when times are good, costs related to IT (and other business functions) may not be closely monitored because sales and revenue can cure many ills.  However, it’s best to ensure your IT house is in order before the times get tough and budgets get tight.

Start by asking questions

An analysis of your current IT spend at a detailed level may be as exciting as watching paint dry, but it’s crucial when dollars tighten. IT cost analysis can also be difficult. Even knowing which items to include when analyzing your IT spend can be confusing. I’ve found that it’s easiest to start by asking questions…

  1. What are my costs for internet, phones, software subscriptions, IT support, computers, etc.?
  2. What hardware needs to be replaced soon? How much will it cost to replace?
  3. What costs can be reduced or eliminated?
  4. What costs are a bare minimum to keep the lights on?
  5. When was the last time I evaluated all my contracts related to technology and what are the terms? Being locked into an expensive 5-year contract at the beginning of a downturn is no fun.

Good news...

We can help! At Fluid, we help companies analyze their IT costs almost daily. So, we already know where most of the IT costs are found, where the skeletons are buried, what is reasonable, and what is outrageous.  As a provider of outsourced IT services for small to medium businesses, we have to know these costs because we’re responsible for managing them in order to be a good steward with our clients’ hard-earned money spent on IT.

We also take it one step further by using a more proactive and strategic approach to IT. We will hope for the best, but also help you plan for the worst by discussing current and future business needs, goals and “what if” scenarios. Once we have this information, we can provide guidance on ways to cut IT costs and suggest solutions that will generate revenue and specifically align with each client’s business plan.

Don’t be afraid to say you don’t know and bring in experts to help you understand your costs.  It will reap rewards now and help you sleep better when economic conditions do change.  Feel free to call Fluid IT, we love this stuff!  Our main objective is to help people with their businesses and see IT in action!

Ho, Ho, Ho No! I've been hacked!!

With the holidays upon us, it's not only the kids getting excited. Hackers also love the holidays, and the gift of giving takes on a whole new meaning. Increasing malicious activity during the holiday spending spree is no coincidence. Don't be a victim! Take some tips from this blog by IBM Security Intelligence to be more diligent: Hacky Holidays?

Cybersecurity - "You can't handle the truth!"

I’m a guy who likes sports and movies, and my wife tells me that I’m constantly quoting sports analogies and movie tag lines. Guilty as charged.  So, why do I do that???  Because I can quickly state a movie quote or sports reference to explain a situation to someone, without having to spend an hour doing so. If I tell someone “you just fumbled”, knowing this person likes or understands American football, he or she will immediately know they made a mistake.  Notice how I stated ‘American football’ lest I confuse it with the round ball version and defeat the very purpose of my analogy.


The problem is, if I use my linguistic mojo on people who don’t follow sports or movies (yes, those people do exist), I not only don’t get my point across, I confuse them.  Many times, I get that tilt-of-the-head puppy look and then a nod, never asking me to clarify what I meant.  It’s surprising how many people never ask the question – I don’t understand, what do you mean?

This can be very frustrating and even a cause for escalating arguments and disagreement later.

To clarify, here’s an example of a recent conversation when discussing a company project…

Me: “We’re at the one-yard line! It’s time to punch it across the goal line!”
Colleague: “Got it! You can count on me!”

A week later…

Me: “So that project was completed, right?”
Colleague: “No, I’m still working on it. I need to add some more detail.”
Me: “What! I thought I told you, and we agreed, this needed to be done asap!? Like yesterday.”
Colleague: “Oh, I’m sorry. You didn’t tell me it was urgent.”
Me: “I did tell you it was urgent. Remember ‘the one-yard line’, ‘the goal line’?”
Colleague: “Yeah, I kind of recall something like that.”
Me: “Then why didn’t you get it done??”
Colleague: “Why are you yelling at me? I have no idea what you meant.”
Me: “Why didn’t you ask?”

And the downward spiral continues.  The frustration level for everyone is extreme.  Worse yet, the project was not completed, and the company suffers.

I see this same scenario over and over again as it relates to technology and business – especially with cybersecurity.

Get serious about cybersecurity

Articles are published every day stating that businesses aren’t taking cybersecurity seriously enough, and they are routinely ignored.

I constantly come across articles that give real statistics showing how businesses think they are secure, yet they have recently been breached or compromised!  How is that possible?  Why do businesses, led by extremely smart people, continue to ignore the very real threat that cybersecurity breaches and hackers can easily compromise their business’ livelihood?  Why do they continue to have incidents, and not learn from them?

Some studies show that many business owners rely on their insurance policy to save them instead of protecting their assets proactively. I believe some of that is true, but I believe the real issue is a complete disconnect in communication.

The danger of miscommunication

There is a very real and dangerous disconnect in communication between business and IT!

I read an article recently that was trying to get businesses to understand the importance of cybersecurity and the importance of communication between IT and business.  Here is how the article begins…

 

Digital transformation is happening rapidly in every industry. As companies move toward software-defined infrastructures (SDI) connected to powerful cloud ecosystems, they can tap into the near-real-time intelligence from the data gathered from every edge of their business, helping to drive faster business decisions and changing the way they serve their customers.

Rapid transformation, however, without a solid plan, can produce cybersecurity vulnerabilities. As infrastructures go virtual, security models need to shift. To avoid serious risks and security management issues, companies need to identify challenges, strategize, collaborate, pilot, test, and evangelize. *

 

Did you have to read it twice?  Did you understand even part of it?  What exactly is ‘every edge of their business’?

“Trust me, Greg, when you start having little Fockers running around, you'll feel the need for this type of security.” Meet the Parents, 2000

Yes, I did it, I used a movie line from the great film “Meet the Parents” to make my point.  If you haven’t seen the movie, you have no clue what I’m talking about.  Business leaders have not seen the cybersecurity movie!!  They don’t understand a word coming out of your mouth (another movie reference).

Don’t allow technology to get lost in translation


In all seriousness, business leaders have not taken the time and do not have the time to learn all the parlance of cybersecurity.  Yet, we keep pummeling them to death with cyber techno-speak.

The reality is, both business and technology leaders have a responsibility to their companies, their employees, and themselves to learn enough about each other to make the conversation relevant. I can keep showing business owners all the statistics. But most of them still don’t properly plan or budget for cybersecurity, and most will only do so after they’re hit with ransomware or have a breach. But what is ransomware? What is a breach? What do they look like? What is the actual cost to the business now and in the future?

This is not a one-sided issue. IT professionals also need to learn how to translate technology jargon into terms that business owners can understand.

The same case can be made for IT experts making an effort to understand the language of business and understand the impact they are having.  When business owners and leadership speak in terms of EBITDA, CAPEX, OPEX, Life Time Value, Gross Margins, Net Margins, Cash Management, etc., they are speaking a language immediately understood within the group, but many times foreign to the IT group.

At some point, business owners, leadership, and even board members must work with IT experts to start taking cybersecurity more seriously.  Both parties must be willing to have an open dialog where each is not afraid to ask questions, educate and translate into terms each party can understand, to make better business decisions.

If you want to have a discussion regarding your business and how the cybersecurity landscape impacts your company now and in the future in a language you can understand, contact us! We will be happy to advise and educate you in this increasingly complex space.

May the force be with you!

 

* AT&T Cybersecurity Insights Vol 7

Are You Prepared for a Cyberwar?

We make it our business to protect yours. Former white hat hacker Joshua Petty will be presenting the unexpected sources of security threats and how to defend yourself. In light of the recent global ransomware attacks, this information could prove invaluable. We think you should be there.

Fortinet is the largest security appliance vendor, and when partnered with Fluid IT Services you know that your information is protected. The topics over lunch will cover simple ways to harden your infrastructure, how to manage your security with minimal effort, and arming your staff to become more security conscious.

Space is limited, so register today to secure your place at the table. We look forward to your participation.

Tuesday, June 6, 2017 @12pm

Maggiano's Little Italy 6001 West Park Blvd.

What you can expect:
  • Security insights from the experts
  • Fine Italian dining
  • GOPRO giveaway with all the accessories to get you started

Register Now

IT Security Framework for Accounting Firms

The AICPA released two sets of criteria for public comment this week (Sept 2016) regarding cyber security. Both focus on different elements, but the common theme is the AICPA trying to develop a common framework for audit firms to evaluate the cyber security of their clients (risks and compliance). While this will prove to be very helpful, it got us thinking at Fluid: Do CPA firms themselves have a framework for their own security? Are CPA firms adequately protected from data breaches of their clients’ financial information? Are accounting firms prepared to react to and recover from a malicious threat that may cause data loss or temporarily impact the productivity of the team?

Data security is a pressing issue for CPA firms given the rising level of attacks and the sensitive financial data accountants work with. A few data points –

  • Over ½ a billion personal records were stolen in 2015
  • Phishing campaigns targeting employees rose 55% in 2015
  • Ransomware increased by 35% in 2015 (362K reported cases)
  • 1 in 220 emails sent contain malware (431M new malware variants found)

While developing your own cyber security framework may seem daunting given the rapidly shifting threats, the task at hand can be greatly simplified if you break it down into its component parts (and work with professionals). At Fluid, we support our clients in 4 primary areas that each firm must address to have a comprehensive security plan.

1) Compliance Management:

Does your firm understand all levels of compliance required given the data your firm interacts with? This can range from data retention standards to data-center configuration standards. Good compliance management often starts with proper documentation, but it relies on staff training and monthly monitoring to ensure and validate compliance.

2) Perimeter Management:

Think of your IT perimeter like the physical perimeter of a secure building. Are all entries and exits secured and guarded? Firewalls, cloud services, and email are major vulnerability points that should be managed and monitored for security purposes. BYOD and the proliferation of mobile devices have extended this perimeter, but these additional problems have solutions if they are approached systematically.

3) Vulnerability Monitoring and Threat Response:

You may know your weaknesses today, but that will change tomorrow; you need to monitor for attacks and have an active response if any attacks are detected. Much of this can be automated, but some expert oversight can make sure you don’t have any unintended gaps.

4) Cloud Backup and Disaster Recovery:

Even the best-run IT Departments may run into an occasional problem, ranging from accidental data loss to a malicious breach. We’ve found from our experience with clients that having a robust, offsite backup in a secure cloud environment can minimize the impact of most problems and greatly improve recovery times.

 

Whether you know it or not, your firm has ongoing IT activities in each of these 4 areas, which require ongoing focus and continual improvement – security is never ‘one and done’.

If you want to review your security practices, give us a call. We can help.

DNC That Coming! Email Security for Your Business

I was sitting down to write a blog on security, focused on some of the latest data published regarding how IT security impacts small to medium businesses and before I could begin I was lobbed a softball by the Democratic National Convention – a leak (breach) of Democratic Party emails last weekend allegedly conducted, or at least backed, by Russia.

So what happened?

“On Sunday, Hillary Clinton’s campaign manager, Robby Mook, accused Russia of working through hackers to access 19,000 emails at the Democratic National Committee that were dumped into the public domain last Friday by WikiLeaks. The emails showed DNC staffers working to help Clinton’s campaign during her primary fight against Bernie Sanders, despite the DNC’s publicly neutral stance,”*

Why is it important?

We’re an IT Services and IT Security Company, so we’ll try to leave politics aside for this blog. In that spirit, what can we learn from an IT perspective from the leak?

 

Email isn’t just communication, its valuable personal and corporate data

Sometimes we separate email from other corporate data, but that’s a mistake. In a typical company email system, hackers could potentially find information on corporate strategy, personally identifying information, financial information, IT system passwords, and other information that could help in further attacks through phishing, etc. Our email isn’t just communication, it’s data that needs to be protected.

While these hackers weren’t looking for credit card numbers in the DNC email, they did learn (and expose) a lot about strategy, tactics, and plans that were certainly not intended for the public. And how much personally identifiable information (PII), to use the security term, was present in those 19,000 emails? Wherever it was, the result is risk mitigation and damage control work, not to mention the potential for lawsuits and fines.

 

Not all email is secure, use encrypted email for sensitive information

Many people still “trust” email as a secure communication method and willingly share private information such as credit card numbers, Social Security numbers, and healthcare information. In the wrong hands that can be very dangerous and costly for many people. Email is not end-to-end encrypted by default: even when a message is encrypted between mail servers in transit, it sits readable in the mailbox at each end, so anyone who gets into the account, as the DNC’s attackers did, can read everything. Sensitive information must be encrypted before it is sent, or delivered through a secure portal. If you’ve ever received an email from your doctor or financial institution that sends you to a website where you log in to read the message, that is what secure, encrypted delivery looks like.
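Whether a given message was even encrypted in transit can be read off its Received: headers, which every relaying mail server adds. As an added example, not part of the original post, the Python below walks those headers on a constructed sample message and flags any hop delivered over plain SMTP (ESMTP/SMTP with no TLS version recorded) rather than over TLS (ESMTPS, ESMTPSA, or a recorded TLS version). Two caveats a practitioner would add: Received: headers written by servers you do not control can be forged, and a fully encrypted trace still says nothing about how the message is stored at rest, which is the point of the paragraph above.

```python
"""Walk the Received: trace of a raw message and report which hops were
delivered over TLS (STARTTLS or implicit TLS) and which over plaintext SMTP.

Example code added for this post; the sample message below is constructed.
Received: headers added by servers you do not control can be forged, so
treat the result as an indicator, not proof.
"""
import re
from email import message_from_string

# Protocol tokens MTAs write after "with" when the delivering connection was TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
# Postfix, Gmail and Exchange record the negotiated version, e.g. "version=TLS1_3".
TLS_VERSION_RE = re.compile(r"\bversion=(TLS[A-Za-z0-9_.]+)")


def parse_hops(raw_message):
    """One dict per Received: header, in header order (most recent hop first)."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        text = " ".join(received.split())          # unfold continuation lines
        proto = WITH_RE.search(text)
        proto = proto.group(1).upper() if proto else None
        version = TLS_VERSION_RE.search(text)
        version = version.group(1) if version else None
        hops.append({
            "route": text.split(";")[0],           # "from X by Y with Z id N", no date
            "protocol": proto,
            "tls_version": version,
            "encrypted": proto in TLS_PROTOCOLS or version is not None,
        })
    return hops


def plaintext_hops(raw_message):
    """Hops that report no TLS at all: the message crossed that link readable."""
    return [hop for hop in parse_hops(raw_message) if not hop["encrypted"]]


def all_hops_encrypted(raw_message):
    return not plaintext_hops(raw_message)


# Constructed sample: three relays; the middle hop (partner relay -> partner
# outbound MTA) was plain ESMTP with no TLS.
SAMPLE_MESSAGE = """Received: from mta-out.partner.example (mta-out.partner.example [203.0.113.7])
 by mx.ourfirm.example (Postfix) with ESMTPS id 4F1A2B3C
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256);
 Mon, 25 Jul 2016 09:12:44 -0500
Received: from relay.partner.example (relay.partner.example [198.51.100.9])
 by mta-out.partner.example with ESMTP id 7D8E9F;
 Mon, 25 Jul 2016 09:12:40 -0500
Received: from workstation.partner.example (unknown [192.0.2.33])
 by relay.partner.example with ESMTPSA id 1A2B3C
 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
 Mon, 25 Jul 2016 09:12:39 -0500
From: Pat Lee <pat.lee@partner.example>
To: controller@ourfirm.example
Subject: Q3 engagement letter and bank details

Attached as discussed.
"""

if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS " + (hop["tls_version"] or "") if hop["encrypted"] else "PLAINTEXT"
        print(f"{status:14} {hop['route']}")
```

Run it and the middle hop prints as PLAINTEXT: the message left the partner's workstation over TLS and reached our MX over TLS, yet was readable on the link in between. That is exactly the gap the paragraph above warns about, and why anything sensitive needs to be encrypted before it is handed to the mail system at all.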

 

Security experts are giving you plenty of warning. The time to listen is now.

Security experts have been beating the drum for a while now: cyber attacks are growing at an alarming rate, and the target is frequently shifting to small businesses. Another troubling aspect of this breach is that “Federal investigators tried to warn the Democratic National Committee about a potential intrusion in their computer network months before the party moved to try to fix the problem, U.S. officials briefed on the probe tell CNN.” If true, and the FBI warned the DNC and it did not act, that creates a massive problem for the DNC leadership and its credibility. Action was in fact swift: DNC Chairwoman Debbie Wasserman Schultz announced her resignation on Sunday. Further reporting showed that “The DNC brought in consultants from the private security firm CrowdStrike in April. And by the time suspected Russian hackers were kicked out of the DNC network in June, the hackers had been inside for about a year.”**

A year! That is a long time to be gathering data, and it suggests more is likely to be leaked. In fact, WikiLeaks founder Julian Assange has all but said as much. All those emails, all that data, are still out in the public domain where anyone with internet access can see them.

Federal investigators may not be calling you with warnings about your small business, but the warning is the same. It’s time to listen to the experts and take basic steps to protect your company.

 

Borders don’t protect your company in cyber attacks

It’s being reported that these attacks came from Russia. Borders can’t protect us from the rest of the world when it comes to cyber attacks, and prosecution or restitution for damages caused by a foreign attacker is unlikely to happen. As an example, once funds have been extorted into a foreign country through ransomware, consider them gone with no recourse.

For your business, the foreign nature of attacks is alarming because of the lack of accountability and prosecution; for the DNC breach, the motivation and ability to influence our country’s political process is even more alarming.

It’s been stated that the intent was to expose DNC members who used email to sway people to one candidate over the other, something that is fundamentally against the DNC charter. Was this done just to embarrass the DNC, or was it a wider-sweeping attempt to impact our actual Presidential election in November? If it was in fact Russia, did they do this to make the DNC look unscrupulous in hopes of swaying voters to the other Party? The repercussions are HUGE – potentially impacting the outcome of who will be our next President!

Protect yourself!

Some simple steps could have avoided this disaster or at least mitigated it. Just a few things to consider as you run your business –

  1. Robust IT security monitoring and management to proactively detect malicious attacks
  2. Defined governance process and procedures to define what is and is not acceptable
  3. Employee training programs on what to look for and what NOT to put in email
  4. A defined Security Response Procedure to act quickly and decidedly if attacked
  5. Take any warnings seriously and address them now

If you can’t check each one of these off your list, call us and we’ll make sure you can. And don’t be surprised when a new wave of hacked emails is made public.


*https://www.yahoo.com/news/chris-van-hollen-russian-dnc-000000889.html

**http://www.cnn.com/2016/07/25/politics/democratic-convention-dnc-emails-russia/index.html

Billions Lost to CEO Email Scams

I am emailed hundreds of articles and blogs every day, and although 80% may not be of particular interest, there is always a nugget or two worth reading. Today was no exception, and I received one that particularly caught my eye. Posted this morning, April 16, 2016, and written by Brian Krebs of www.KrebsonSecurity.com, it carried the very eye-catching title –

"FBI: $2.3 Billion Lost to CEO Email Scams."

As a CEO, and one who receives at least two to three scam emails that make it past our email defense, this one really hit home. As I read the article, it became eerily apparent that our company had been hit by this scam many times over the past four months. It made me think: if our little company has been hit that many times, how many of my other CEO friends have been, or may be hit shortly? This is my small attempt to spread the word and hopefully help someone avoid a costly and embarrassing disaster.

Here's how it basically works –

  1. Staff in your financial department, typically the CFO, controller, etc., receive an email directly from the CEO’s legitimate email account asking them to authorize a wire transfer of funds.
  2. The CEO, being very busy and authorizing many transfers to run a business, quickly sees the email and answers ‘yes’, assuming it must be legitimate since it came from your inside CFO.
  3. The CFO then provides the wiring instructions, and the amount is transferred to the bad guys.

In the blink of an eye, your company is out thousands if not millions of dollars. Although you might think a request like this would raise red flags, it is very brief and includes names that are all legitimate within the company. Furthermore, it is very common for CEOs to authorize wires in the course of normal business. I authorize a minimum of two to three a month.

Taking an excerpt from Krebs’ excellent article –

The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.

In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.

A typical CEO fraud attack. Image: Phishme

The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars.

Last month, the Associated Press wrote that toy maker Mattel lost $3 million in 2015 thanks to a CEO fraud phishing scam. In 2015, tech firm Ubiquiti disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a CEO fraud scam. In February 2015, email con artists made off with $17.2 million from The Scoular Co., an employee-owned commodities trader. More recently, I wrote about a slightly more complex CEO fraud scheme that incorporated a phony phone call from a phisher posing as an accountant at KPMG.

The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.

As you can see in the email image above, it looks very innocuous and legitimate. My accounting team has received this very email from me at least 4 times in the past few months. Thankfully, they know better and we have two-factor authentication, as suggested in the article. Once we request a transfer, there is a second step required that only I can do with information only I would have.

According to our in-house security expert, this type of scam is actually called not phishing but whaling, because it targets a much smaller number of high-profile individuals with access to larger sums of money.
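The whaling email described above carries a handful of tell-tale signs that a mail gateway or a finance team’s inbox rule can check for before anyone acts on a wire request: the executive’s display name on an address that is not the executive’s mailbox, a sender domain that is one character off from the company’s own, a Reply-To that routes answers elsewhere, an SPF/DKIM/DMARC failure recorded by the receiving server, and urgent, confidential payment language. The following is an added example of that screening, not code from the original post or from Krebs’ article; the company domain, executive list, indicator names and the three sample messages are all constructed for illustration.

```python
"""Heuristic screening of inbound mail for CEO-fraud (whaling) indicators.

Added example, not code from the original post. COMPANY_DOMAIN, EXECUTIVES,
the indicator names and the sample messages below are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # constructed: display name -> real mailbox

# Phrases typical of the brief, quiet wire request the post describes.
PAYMENT_URGENCY = ("wire transfer", "wire the funds", "urgent", "confidential",
                   "end of day", "process this today", "new vendor account")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e-corp.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _auth_failed(msg) -> bool:
    """True if an Authentication-Results header reports an SPF, DKIM or DMARC failure."""
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    return any(f"{m}=fail" in results for m in ("spf", "dkim", "dmarc"))


def _body_text(msg) -> str:
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        raw = parts[0].get_payload(decode=True) if parts else b""
    else:
        raw = msg.get_payload(decode=True) or b""
    return raw.decode("utf-8", "replace").lower()


def bec_indicators(raw_email: str) -> list:
    """Return the CEO-fraud indicators found in one RFC 822 message, in check order."""
    msg = message_from_string(raw_email)
    hits = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    real_mailbox = EXECUTIVES.get(display.strip().lower())

    # 1. An executive's name on an address that is not that executive's mailbox.
    if real_mailbox and from_addr != real_mailbox:
        hits.append("exec-name-on-foreign-address")

    # 2. A lookalike of our own domain: one or two characters off, or our name under another TLD.
    if from_dom != COMPANY_DOMAIN and (
        _edit_distance(from_dom, COMPANY_DOMAIN) <= 2
        or COMPANY_DOMAIN.split(".")[0] in from_dom
    ):
        hits.append("lookalike-domain")

    # 3. Reply-To routes answers to a domain other than the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        hits.append("reply-to-mismatch")

    # 4. The receiving MTA recorded an SPF/DKIM/DMARC failure for this message.
    if _auth_failed(msg):
        hits.append("auth-failure")

    # 5. Two or more urgent/confidential payment phrases in the body.
    if sum(p in _body_text(msg) for p in PAYMENT_URGENCY) >= 2:
        hits.append("payment-urgency")

    return hits


def is_suspicious(raw_email: str) -> bool:
    """Hold the request for out-of-band (phone) verification when two or more indicators fire."""
    return len(bec_indicators(raw_email)) >= 2


# Constructed sample messages.
SPOOFED_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
To: cfo@example-corp.com
Reply-To: Jane Doe <jd.ceo.office@webmail.example>
Subject: Quick request
Content-Type: text/plain; charset=utf-8

Are you in the office? I need a wire transfer processed today, it is confidential and urgent.
"""

SPOOFED_HEADER = """\
From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Reply-To: jane.doe.ceo@webmail.example
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=example-corp.com
Subject: Vendor payment
Content-Type: text/plain; charset=utf-8

I am travelling and cannot talk. Please wire the funds to the new vendor account today; keep this confidential.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass
Subject: Board deck
Content-Type: text/plain; charset=utf-8

Please send me the Q2 board deck when it is ready. Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", SPOOFED_LOOKALIKE), ("spoofed header", SPOOFED_HEADER), ("legitimate", LEGITIMATE)):
        print(f"{name:15s} suspicious={is_suspicious(sample)} indicators={bec_indicators(sample)}")
```

The point of scoring rather than blocking on any single indicator is that each one has an innocent explanation on its own (an executive mailing from a personal address while travelling, a partner domain that happens to contain the company name), but two or more together are what the post’s "second step that only I can do" exists to catch; the check buys the accounting team the pause to pick up the phone.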

I encourage you to share this information with your accounting team as well as your clients where appropriate. It is deceptively simple to fall for, and I know at least two of my CEO friends that were literally one button click away from transferring over $60,000 before they did the last second double-check and avoided the disaster.

You can read the full article here –

http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/