Cyber fraud is getting even scarier
In what’s becoming a sort of Halloween tradition, I checked in last week with cyber ghostbuster Stu Sjouwerman for an update on the latest cyber scares. His company, KnowBe4, provides web-based security awareness training to employees at companies hoping to prevent cyber fraud.
Last October, ransomware was more or less in its infancy, but Sjouwerman says the bad guys have been innovating at a furious pace. ‘So there’s more of it and it’s nastier than ever,’ he says. ‘Over the past nine months, a new type of fraud has struck and it’s specifically C-level executives being targeted. The corporate secretaries are immediately responsible to some degree [to protect senior management from this].’
Known as CEO fraud, and also called ‘business email compromise’ by the FBI, the new scheme starts with research into a company’s C-level personnel, such as the CEO, CTO and CFO, and the people who work directly for them.
Here’s how it works. Hackers send a phishing email to either a C-suite executive or one of his or her direct reports, referring to something personal like a wedding gift registry in need of a correct address. The target is socially engineered, as Sjouwerman calls it, into clicking on the link, which allows the bad guys to monitor the email account for a few months, waiting for an opportunity to strike. That might be a trip the executive is taking, preferably abroad, during which time the hackers, posing as the executive from his own account, send an email to the accounting department, requesting a wire transfer of a large amount of money to a particular bank, to be done quickly and confidentially.
While that in itself should be a red flag, Sjouwerman says it succeeds 30 percent of the time. More than $1.2 billion has been stolen in this way internationally, the FBI says, with incidents being reported on a regular basis in the last nine months.
Once the money is transferred, the hackers quickly move it again and it jumps through a series of intermediate accounts before usually winding up ‘in Eastern Europe or China or another exotic locale where the local bank is either controlled by the bad guys or outright owned by them,’ Sjouwerman says. ‘They take the money out in cash and then the amount is lost.’
Hackers are specifically targeting people who do the wire transfers or are close to the people who do them. And the average loss per incident is $100,000, dwarfing the $500 ransom that ransomware attacks typically garner. The targets are often subsidiaries, where hackers believe the person in charge of wire transfers is more likely to comply with an order in a CEO’s email, even if it’s urgent or confidential, says Sjouwerman.
To protect against these attacks, he recommends a ‘three Ps’ defense consisting of policy, procedures and people. ‘You would have to put in [place] a very hard, iron-clad rule that there are always two people who sign off on amounts over X, and that one of the two needs to confirm by phone to make sure no fraud occurs,’ he says. ‘Those two steps are your policy and procedure.’
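As an added illustration of the policy and procedure steps just described (not code from the article or from KnowBe4), the following Python check enforces dual sign-off above a threshold and requires that one approver confirm by phone using a number from an internal directory rather than one supplied in the request. The threshold value, approver roles, directory contents and data shapes are all assumptions made for the example.

```python
"""Dual-control wire-transfer approval check (added example, not the article's code).

Policy encoded here (assumed, modelled on the 'two people sign off over X,
one confirms by phone' rule):
  - at or below the threshold, one recorded approval is enough;
  - above it, two distinct approvers are required, neither may be the
    person who requested the transfer, and at least one of them must have
    confirmed by phone on the requester's *directory* number, so a callback
    number planted in the email itself does not count.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

APPROVAL_THRESHOLD = 10_000  # assumed value of "X"; set by company policy


@dataclass
class Approval:
    approver: str
    confirmed_by_phone: bool = False
    phone_number_used: Optional[str] = None


@dataclass
class WireRequest:
    requester: str                 # mailbox the request came from (e.g. the CEO's)
    amount: float
    beneficiary: str
    approvals: List[Approval] = field(default_factory=list)


# Assumed internal directory of known-good callback numbers, maintained
# independently of anything that arrives by email (constructed sample data).
DIRECTORY = {
    "ceo@example.com": "+1-555-0100",
    "cfo@example.com": "+1-555-0101",
}


def check_transfer(req: WireRequest,
                   directory=DIRECTORY,
                   threshold: float = APPROVAL_THRESHOLD) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means the request passes."""
    reasons: List[str] = []

    if req.amount <= threshold:
        if not req.approvals:
            reasons.append("no approval recorded")
        return (not reasons, reasons)

    approvers = {a.approver for a in req.approvals}
    if req.requester in approvers:
        reasons.append("requester cannot approve own transfer")
    if len(approvers - {req.requester}) < 2:
        reasons.append("needs two distinct approvers above threshold")

    # Phone confirmation only counts if made on the directory number.
    expected = directory.get(req.requester)
    phone_ok = any(
        a.confirmed_by_phone and expected is not None and a.phone_number_used == expected
        for a in req.approvals
        if a.approver != req.requester
    )
    if not phone_ok:
        reasons.append("no phone confirmation via directory number")

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: an urgent, confidential request from the CEO mailbox,
    # with a callback number that was supplied in the email rather than the directory.
    suspicious = WireRequest("ceo@example.com", 250_000, "Beneficiary Bank (sample)", [
        Approval("clerk@example.com"),
        Approval("controller@example.com", confirmed_by_phone=True,
                 phone_number_used="+1-555-0199"),
    ])
    print(check_transfer(suspicious))
```

The point of the `phone_number_used` comparison is that a confirmation call is only a control if the number comes from somewhere the attacker cannot influence; the same check also rejects a requester approving their own transfer and a single person recording two approvals.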
Then a company needs to prepare its employees by offering effective security awareness training so they can recognize red flags and report them, instead of complying. This sort of training is KnowBe4’s bailiwick.
‘Old school security awareness training got everyone in the break room. Keep them awake with coffee and donuts. Expose them to death by PowerPoint for 20 minutes and that’s their security awareness training for the next 12 months,’ he says. ‘The new school security awareness training [starts with] a baseline test. You send a simulated phishing attack to all employees, you get the percentage of everyone who clicks [on the link], and everyone is shocked by how high that is. Then you train everyone online, interactively through the browser, in their own time, with little quizzes and tests to make sure they got it. And as a third step, you send them frequent simulated phishing attacks, and that keeps them on their toes with security top of mind.’
Another point he makes is that companies are basically self-insured when it comes to these attacks. ‘Even if you have cyber insurance, that usually covers only hackers finding a vulnerability in the code and exploiting that code. You don’t get your money back if you’re socially engineered and your employee transfers the money.’
He reminds people that hackers are also business people, who regard time as money. ‘It’s all criminal, but they go after the low-hanging fruit, and guess what? The employees are the low-hanging fruit.’