Consider the following scenario, taken directly from the case files of the FBI.
“The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.
‘It was not unusual for me to receive e-mails requesting a transfer of funds,’ the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization—including her CEO’s signature over the company’s seal—and followed the instructions to wire more than $737,000 to a bank in China.
The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.”
The FBI reports that the company was the victim of a business e-mail compromise (BEC), a financial fraud that is more sophisticated than any the bureau has seen before, and one that is becoming increasingly widespread as more and more smartphones and other electronic devices are connected to company networks.
Companies are especially vulnerable as executives become more active on social media, and as the Internet of Things expands exponentially. Gartner estimates that the number of connected IoT devices will grow from the 6.4 billion that are in use today to more than 20.8 billion by 2020.
The FBI has compiled statistics on more than 7,000 U.S. companies that have been victimized by similar scams since the end of 2013, with total dollar losses exceeding $740 million. Small and mid-sized companies are the most frequently targeted, and the average loss is $130,000.
The scammers aren’t teenage hackers working out of their bedrooms. According to the FBI, they are highly sophisticated members of organized crime groups from Africa, Eastern Europe and the Middle East. Working out of war rooms, they mine data from social media and websites, and they use it to create credible fraud schemes that aren’t as easy to detect as the Nigerian lottery spam emails that used to clutter our inboxes.
So by monitoring Facebook or Twitter, or data from IoT devices and wearables such as fitness applications or apps that enable you to control your DVR or close your garage door when you’re not at home, it becomes possible to know when a CEO is on vacation, and where. It also becomes possible to know when the chief financial officer might be on a treadmill and not able to read her email as carefully as she ordinarily might.
What should CIOs do to minimize the risk to companies and their employees?
As a practical matter, they need to know that there is no surefire way to prevent attacks like this. No matter how high companies build their firewalls, scam artists will find a way to climb higher.
So it’s important that CIOs make sure their companies have cyber insurance policies that protect against wire fraud. We’ve found that most don’t, and only a handful do.
In addition, CIOs should drive efforts to:
- Make sure employees, and senior executives in particular, receive social media training that is updated regularly in response to the constantly changing landscape.
- Provide employees with free access to security tools and capabilities such as password vaulting.
- Put stronger controls in place around the finance functions, such as strengthening protocols around wire transfer requests.
- Create intrusion detection system rules that flag emails sent from domains that are similar to the company's email domain but not exactly the same.
- If possible, register all Internet domains that are slightly different from the actual company domain.
- Conduct robust threat modeling.
- Establish duress indicators, including incident reporting via confidential means.
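As an added illustration of the lookalike-domain detection rule in the list above (example code written for this page, not from the article or the FBI), the function below scores the sender domain of each From: header against the company's domain; the company domain and the sample headers are constructed, assumed values.

```python
# Lookalike-sender detection: flag From: addresses whose domain is a near
# miss of the company's own domain. Company domain and headers are constructed.
COMPANY_DOMAIN = "example-corp.com"

SAMPLE_FROM_HEADERS = [
    "ceo@example-corp.com",                       # legitimate, must not be flagged
    "ceo@examp1e-corp.com",                       # digit 1 substituted for letter l
    "ceo@example-corp.co",                        # truncated top-level domain
    "ceo@exampIe-corp.com",                       # capital I in place of lowercase l
    "legal@example-corp.com.attacker-mail.net",   # real domain used as a subdomain label
    "newsletter@vendor.example",                  # unrelated domain, must not be flagged
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Lowercased domain part of a From: address (case folds I/l tricks)."""
    return from_header.rsplit("@", 1)[-1].strip().lower()


def lookalike_reason(domain: str, company: str = COMPANY_DOMAIN, max_edits: int = 2) -> str:
    """Why `domain` looks like an impersonation of `company`, or '' if it does not."""
    if domain == company or domain.endswith("." + company):
        return ""  # exact match or a genuine subdomain of the company
    if company in domain:
        return "company domain embedded inside a foreign domain"
    dist = levenshtein(domain, company)
    if dist <= max_edits:
        return f"within {dist} edit(s) of {company}"
    return ""


def flag_lookalikes(headers, company: str = COMPANY_DOMAIN):
    """Return (header, reason) pairs for every suspicious sender."""
    flagged = []
    for header in headers:
        reason = lookalike_reason(sender_domain(header), company)
        if reason:
            flagged.append((header, reason))
    return flagged


if __name__ == "__main__":
    for header, reason in flag_lookalikes(SAMPLE_FROM_HEADERS):
        print(f"FLAG {header}: {reason}")
```

A production rule would also normalise common confusables (0/o, rn/m) and whitelist partner domains before alerting.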
Finally, it’s important to regard cybersecurity efforts as an ongoing challenge. With billions of new devices coming online every year, what we know today about security may not necessarily be as relevant tomorrow. The bad guys are smart, highly organized and hard to stop.