Fooling someone is easier than hacking into a network
Companies of all sizes can land in an attacker’s crosshairs. A large organization can be robbed of a substantial amount, while a small one can go bankrupt paying for a decryption utility to cope with the aftermath of a ransomware attack.
To successfully attack a corporate target, criminals don't necessarily need to penetrate its network. Instead, they can gather information about the employees, adopt their style of correspondence and communication (e.g., by using leaked email passwords), and, by posing as a staff member, establish a trusting relationship with the right person. Then, in the course of communicating with them, the attacker can worm the needed information out of them, set up a time to meet at a café, arrange for a "gift" (a malware link) to be sent to that person, or even ask them to transfer money.
Since 2013, the FBI has registered almost 18,000 cases of fraud involving compromised mailboxes. The victims suffered a total of $2.3 billion in losses. Last year, the number of complaints about similar incidents tripled.
The FBI points to three main schemes used to compromise email for the purpose of money laundering:
- Compromise a senior officer's mailbox and then send an email to an employee, asking them to conduct a money transfer.
- Compromise an employee's mailbox to submit a fraudulent request.
- Pose as a trusted supplier and invoice a company so that the money will be transferred to a fake account.
Requests are drawn up in such a way that neither their text nor the amounts arouse suspicion.
The best option is to pose as a high-ranking officer. Compromising such an account can be more difficult than acquiring the credentials of an ordinary employee, but, if successful, it yields results sooner. The FBI warns that businesses have lost over $2.3 billion to CEO scams in the last three years. From January 2015 to April 2016, this type of fraud grew in popularity by 270% and affected at least 79 countries across the globe. For example, Mattel lost $3 million to the scam, while The Scoular Co found itself missing $17 million and Ubiquiti was tricked into forking over $46 million!
A company should help its employees protect their accounts and devices. After all, by doing so, it preserves its financial security and reputation.
- If employees use their own mobile devices and PCs for work, it can be a good idea to provide them with corporate security software such as an anti-virus.
- If personal accounts are used for business communication, it is recommended that corporate security standards be established to protect them and that the corresponding security guidelines be provided to employees. Specifically, staff members should understand that strong passwords are essential for security.
- Search the Web periodically to check whether fake accounts exist that allegedly belong to your company's employees.
- Your company's security service should warn your staff about mass password leaks and successful attacks on your corporate infrastructure if any such incidents occur.
- All links that employees receive should be verified to make sure none of them is part of an attack.
- Employee personal pages on social media sites shouldn't contain any information related to their work or the company—criminals can abuse it to find the "key" to gaining another employee's trust.