IT security is making headlines more frequently as cyber attacks increase around the world. More companies are being targeted, and it’s becoming more and more profitable for the criminal organizations behind the attacks. I sat down with Jeffrey Julig, Chief Information Security Officer at SWBC, to get answers about what we all need to know and how we can protect ourselves.
Laura: What is CEO fraud?
Jeffrey: It is a type of social engineering attack. CEO fraud is a form of business email compromise (BEC), and it targets businesses that perform wire transfers and foreign transactions. Cybercriminals send emails that appear to be from a company’s CEO or other executive to try to steal money from people or organizations.
Laura: How can people identify when they are being tricked?
Jeffrey: You should look at some of the classic identification methods: an email comes from an external source, spelling mistakes, odd use of grammar, if it comes from a person who may not normally send you an email, or something outside of a normal business process. Other methods involve requests that create a sense of urgency. For example, if your normal business process is to follow steps one, two, three, and four, but this email asks you to skip to step four in a hurry, that is probably a warning sign. If it comes from a CEO that is telling an employee deep in the accounting department to transfer money immediately, that is another warning sign.
Laura: Have you ever been tricked?
Jeffrey: I have never been tricked by a business email compromise scam, but I have been tricked by social engineering. Back in 2001, the Anna Kournikova computer worm was targeting computer users. This message purported to have a picture of Anna Kournikova attached. However, when you clicked on the picture, it executed some malicious code that would send out that same message to everyone in your Microsoft Outlook address book, including your boss, which happened to me. The worst thing about the malware was that I never got to see the picture [laughs]. Everybody can be tricked with social engineering. It is just a matter of time, opportunity, and effort.
Laura: Is this a crisis situation?
Jeffrey: Yes, it could be. It depends on the circumstances. BEC may lead to a relatively small loss for a company, but it may also lead to a loss in the tens of thousands or even millions of dollars for a very large company. Depending on your company’s size and loss threshold, a single loss could devastate the company. It could be a crisis for the company because its cyber liability policy may not cover the loss. You must make sure that you have the proper protections in place to lower your risk. It could also be a crisis situation for the employee who actually fell for the compromise. If he or she failed to follow established protocols and fell for it, there might be personal consequences for that action. It really depends on the impact, but there is also the unknown impact resulting in reputation damage. Reputation damage is hard to quantify and very difficult, potentially, to recover from.
Laura: How often does this happen? How much money or data was lost last year?
Jeffrey: It happens every day all around the world. BEC is on the rise. The FBI has cited more than $3 billion in losses reported over the past two years or so. Losses are primarily from companies that engage in money transfers, but it is a global problem.
Laura: How do attackers get the information necessary to make it seem like it’s legitimately coming from a CEO?
Jeffrey: That is a great question. Attackers use the same information that companies share to tell people about themselves and about their wonderful people and exceptional products. Attackers may use social media, marketing materials, or look at the company’s website. They may compromise an account and surveil the actual transactions within a particular email account and lie in wait for an opportunity to attack. There are a lot of ways to gain intelligence. Whatever content you make publicly available could potentially be used against you.
Laura: What type of executive is typically picked? Is there a characteristic or some common thread?
Jeffrey: The most targeted person is normally the chief financial officer and employees involved in the money transfer process. The CEO, an important customer, or somebody in authority is likely the person perpetrators will spoof to direct action to the CFO or a member of the accounting department.
Laura: How can companies protect themselves?
Jeffrey: There are a lot of ways. The interesting thing is that the best protection is not even a technical solution. One of the most effective methods to prevent BEC is to use what is considered an out-of-band control. An out-of-band control is similar to using two-factor authentication, where an employee will verify a request using the telephone or another separate and unconnected channel before a money transfer is authorized. Companies should use standard accounting controls, like documentation to make sure there is a request and an invoice for each transaction, and separation of duties to split responsibility for money transfers. Employees should understand the internal protocols for transferring money and make sure they are strictly followed.
Other defenses involve developing and deploying an effective training program. You should ensure that your executives are aware that they are targets, and you have to make sure your employees are aware that they may be targeted by someone spoofing an executive like the CEO or CFO. You should also provide general education awareness for all employees on social engineering threats and tailor your security awareness training program to their roles. There are also technical controls that you may put in place. Some email security gateways will use machine learning to detect and prevent threats. You may also use other standard email tags. For example, you may use email security features to add the word [EXTERNAL] to the subject line of an email message, which warns people that the message is coming from an address outside of your organization.
Laura: How can companies deal with the aftermath of an attack like this?
Jeffrey: If you are attacked and you actually lose money, you must preserve any artifacts of the attack because they will be needed in some type of post-incident investigation. The most important advice is to follow your incident response plan. If you don’t have one, you should create one and prepare for this problem. Your incident response plan should represent a dry run of what you do in these situations. Executing the plan should become muscle memory within your organization, so the first time you execute it should not be when you experience a loss. And you should also have a communication plan for internal and external sources. Externally, you may need to involve law enforcement organizations and should develop a plan to communicate with the media, your customers, and your employees. Overall, I would say it is important to have a communication plan, an incident response plan, and conduct regular reviews of the controls you have in place to protect your company.
Laura: What is your biggest worry?
Jeffrey: The biggest worry is that despite all of the security and training efforts, the attacker still succeeds. Attackers only have to be right one time to succeed. We have to defend the company against hundreds of attacks. That’s my biggest worry: that we just can’t do enough in time to prevent the attacks.
Laura: What gives you hope?
Jeffrey: What gives me hope is the continued executive support and recognition that information security is everyone’s responsibility. It’s not just the CISO or the information security team. Everybody in a company is responsible for security because the attackers are crafty, and they will find a way to get to your employees. We must make sure our employees are informed and aware so they don’t fall victim to these attacks. I also believe an effective security awareness training program will help lower our risk. While we may not eliminate all risk, we may lower risk to an acceptable level and still be successful in business.