IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

FBI Alert: Business Email Scam Losses Exceed $1.2 Billion

The FBI, in a new alert, estimates that fraud losses linked to so-called business email compromise scams worldwide totaled more than $1.2 billion from October 2013 to August 2015. But some financial fraud experts say the losses from this largely overlooked threat could be even higher because the incidents often are not reported.

David Pollino, bank fraud prevention officer at Bank of the West, who calls these scams "masquerading" schemes, has warned of upticks in this type of wire fraud since January 2014.

In May, he predicted that losses linked to masquerading, or business email compromise attacks, in 2015 alone would exceed $1 billion. "This is a global fraud trend," he said.

In a white paper Bank of the West recently posted about this fraud trend, Pollino notes that masquerading attacks are among the top three fraud threats facing small businesses today.

"Masquerading is a payments scheme in which a fraudster impersonates a company executive or outside vendor and requests a wire transfer through a phone call or email to a company controller, or someone else with authority to wire funds," Pollino writes. "The controller will usually tell the business' bank to wire the funds because the email or phone call seems legitimate."

Fraudsters' social-engineering methods include sending these bogus requests to accounting departments with a sense of urgency, Pollino notes. To speed up payments, the fraudsters often ask the bank or credit union to bypass the normal out-of-band authentication and transaction verification processes in place for wires, especially those being sent to overseas accounts, he says.

"For the third consecutive year, three in five companies were targets of payments fraud," which includes BEC scams, Pollino points out, quoting statistics in the Association for Financial Professionals' 2015 Payments Fraud and Control Survey.

To mitigate risks associated with these scams, Pollino recommends that businesses:

  • Develop an approval process for high-dollar wire transfers;
  • Use a purchase order model for wire transfers, to ensure that all transfers have an order reference number that can be verified before approval;
  • Confirm and reconfirm transfers through out-of-band channels, such as confirmation emails or SMS/texts; and
  • Notify the banking institution if a request for a transfer seems suspicious or out-of-the-norm.

FBI Alert

In its Aug. 27 alert, the FBI notes that most of the companies that have fallen victim to BEC scams have been asked to send urgent wires to foreign bank accounts, most of which are based in China and Hong Kong.

"The BEC scam continues to grow and evolve and it targets businesses of all sizes," the FBI notes. "There has been a 270 percent increase in identified victims and exposed loss since January 2015. The scam has been reported in all 50 states and in 79 countries."

From October 2013 through August 2015, the FBI estimates that some 7,066 U.S. businesses and 1,113 international businesses fell victim to this socially engineered scheme.

Quantifying Losses a Challenge

But quantifying losses from BEC scams has proven challenging because many of the incidents are not reported.

"Certainly these losses are understated, because many companies are not reporting them to the FBI due to embarrassment, lack of knowledge of where to turn, or the realization that there is no chance of retrieving their funds," says financial fraud expert Shirley Inscoe, an analyst at consultancy Aite. "So much money is being stolen through this scam that it is only going to continue, costing businesses billions of dollars."

In an effort to curb losses associated with these socially engineered schemes, Inscoe says financial institutions must educate their commercial customers about how these types of attacks are waged.

And she contends that the Asian banks to which these fraudulent wires are being sent should be held accountable. "Clearly, these banks are assisting in laundering these ill-gotten gains," she says. "An appeal could be made to their regulators to crack down on them from a money-laundering perspective, but I have no idea how receptive the regulators would be to that avenue of action."

Dave Jevans, co-founder of the Anti-Phishing Working Group and chief technology officer of mobile security firm Marble Security, says federal law enforcement agencies have been strengthening their relationships with agencies in Asian markets to help curb some of this fraud.

"They can always work more closely with the financial institutions in these regions to monitor activity. However, it is really up to the originating companies and their U.S. financial institutions to solve this problem," he says. "Law enforcement is about investigating and arresting criminals. They are not a regulatory agency, nor are they a fraud-detection agency."

Preventive Measures

Jevans argues that the solution to the BEC problem is ensuring that businesses have stronger internal controls and targeted attack prevention on their email systems. "Banks can help their customers get educated, and can strengthen their validation processes and requirements when funds are being requested to be sent to new, untrusted accounts," he says. "Only focusing on overseas accounts won't solve the problem, and many of the smaller BEC frauds are routed through money mule accounts here in the USA."

Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro, says businesses have to understand that bypassing banks' procedures for wire-transfer confirmation is exposing them to fraud.

"Internal procedures should change to ensure that all requests for the transfer of funds be verified," Kellermann says.

Kellermann says businesses' employees should be trained to carefully examine the URLs from which emails are sent. Spoofed email addresses, for instance, will be slightly different yet resemble legitimate email addresses. And he says all external wire transfers should be required to have some type of out-of-band confirmation, through a secondary email, phone call or SMS/text, before they are approved and scheduled.

Stronger email authentication and adoption of DMARC, the Domain-based Message Authentication, Reporting & Conformance initiative, could have a big impact on reducing fraud losses related to BEC, Kellermann contends.

Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says identity-proofing technology, which requires that an online account user provide a headshot or picture of a driver's license captured with a mobile phone, could make a difference.

More banking institutions are exploring identity-proofing to authenticate new-account customers, Litan says, by employing the same technology they use for the remote-deposit capture of check images from smart phones and PC scanners.

"Perhaps this technology for identity proofing and documents transfer [such as check images] can be rolled out to the customer sites," she says. "Now you start asking the person requesting the wire to prove who they are by saying, 'Sorry, CEO, but before I act on your instructions, I need to see your driver's license.'"

Defending Against 'Wiper' Malware

In the wake of the FBI issuing a warning that a U.S. business has been attacked using a dangerous form of "wiper" malware, security experts say businesses must protect themselves against attack code that aims to delete the content of every hard drive it touches.

Defensive measures organizations can take include segmenting important information to hardened networks, backing up data offsite in case systems get wiped, and investing in appropriate resources to detect breaches quickly (see: Speeding Up Breach Detection).

The FBI alert is reportedly tied to the Nov. 24 hack of Sony Pictures Entertainment, which locked employees out of their PCs, instead displaying a message that their system had been "Hacked By #GOP," referring to a group of attackers calling themselves Guardians of Peace (see Sony Hack: FBI Issues Malware Alert).

Malware Characteristics

The alert is notable because attackers rarely employ wiper malware that's designed to delete the content of drives. To date, wiper malware has only been seen in a handful of attacks, mostly in the Middle East or South Korea, Costin Raiu, who heads the information security research team at anti-virus vendor Kaspersky Lab, says in a blog post.

But many information security experts say they've never seen such an attack launched against a business in the United States. "This is somewhat of a watershed event," says Alex Cox, senior manager at information security research organization RSA FirstWatch. "Up until now, we have had very limited examples of large-scale data destruction."

That's because the majority of attack code is designed to steal data - and especially financial or intellectual property details - rather than destroy it. "Wiper-type malware is rare because the motive of modern virus writers is to infect machines silently and avoid detection for as long as possible to enable attackers to control the infected machine for longer and to steal [valuable] information," says Brian Honan, who heads Ireland's computer emergency response team. "Wiper malware, in contrast, is noisy [and] those infected will know straightaway."

Wiper malware attacks the master boot record and core file system operations, says David Kennedy, CEO of TrustedSec, an information security consulting service. "It makes it hard to recover from the malicious software, which could be disastrous for organizations," he says.

This form of malware also operates fairly swiftly, says Shirley Inscoe, an analyst at the consultancy Aite Group. "Once the malware gets into a system, it spreads and could be very difficult to detect and shut down in time to avoid major disruption."

As a result, many information security experts believe that the attack referenced by the FBI may not be the work of garden-variety cybercriminals. "Data deletion would typically be associated with hacktivism - deletion of backups - or strategic political or wartime goals, such as Stuxnet," Cox says. "Destroying access to a network doesn't really fit the cybercrime model - where criminals want to retain quiet access to continue their theft - or the APT model where nation-states want to retain access for espionage purposes. A dead network is a network that gives no data."

As the Sony Pictures attack demonstrates, wiper malware can also be used to disrupt an entire business. "When I think of such threats, it's Shamoon that comes to mind," says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, referring to malware that was used in August 2012 to wipe an estimated 30,000 PCs at Saudi Aramco, Saudi Arabia's state-owned petroleum and natural gas producer. Security experts never identified exactly who launched Shamoon.

Wiper malware has typically been the domain of someone who wants to air a grievance, says John Hultquist, who heads the cyber-espionage practice at threat-intelligence firm iSight Partners. "Even though it has practical effects - for instance, halting oil production or shutting down operations - its greatest impact is perception - the message being sent," he says.

Defensive Measures

Organizations can take several steps to protect themselves against wiper malware, starting with using segmented networks, F-Secure's Sullivan says. "Isolate important intellectual property to hardened networks," he advises. "Access those networks 'remotely' - [using] some kind of remote desktop software." That adds a security layer that makes it more difficult for attackers' malware to access - or wipe - PCs connected to that network.

Backing up data is also essential, in case systems get wiped and must be reinstalled, and such backups must be disconnected from the network, lest they get deleted by the same wiper malware. "Continual, offsite data backups are critical for any organization," says Michael Sutton, vice president of security research at cloud security firm Zscaler. "Backups can be a challenge with a mobile workforce when devices rarely return to the corporate office, but Internet-based backup solutions provide a means of remote backup so long as an Internet connection is available."

In addition, organizations that received the FBI alert can use the file structure for the malicious software, which was provided, to help detect a malware intrusion, Kennedy at TrustedSec says. "However, note that these [file structures] could change when deployed in other systems," he says. "The best approach is still having multiple layers of defense in order to prevent an attack from occurring in the first place."

The attack against Sony also illustrates the critical importance of having business continuity and disaster recovery plans, says Rick Holland, principal security analyst at Forrester Research. "InfoSec teams need to be highly engaged with the groups that put these plans together," he says. Servers are obviously included in such plans, but they also need to extend to workstations and desktops that are critical to business operations, Holland adds.

"Events like this could lead organizations to research virtual desktop deployments, which make recovering from these types of attacks much easier," he says.

Investing appropriate resources into quickly detecting breaches is also essential. "The unfortunate reality of today's threat landscape is that enterprises will be breached," Sutton says. "When that occurs, it is essential that the breach is quickly identified and isolated as to limit the overall damage."

Read Your Emails Carefully: FBI Issues PSA on Business Email Scam

The Internet Crime Complaint Center (IC3), a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C), warns the public about a Business E-mail Compromise (BEC) scam in its recent Public Service Announcement (PSA).

According to IC3, the BEC is a sophisticated scam that targets businesses that work with foreign suppliers and/or businesses that perform wire transfers. This global scam has affected subjects and victims in many countries, including victims in every U.S. state and 45 countries.

What you need to know

What makes this scam so damaging is that the fraudulent wire transfer payments it produces are sent to foreign banks and may be transferred several times and quickly dispersed without the victim’s knowledge. The PSA details the amount of money lost to this scam, with a total loss of over $214 million.

BEC victims range from small to large businesses, including purchasers and/or suppliers of goods such as textiles, furniture, food and pharmaceuticals. This PSA also specifically warns attorneys of an “Attorney Check Scam” that is being linked to the BEC scam.

Based on IC3 complaints and other complaint data, IC3 has provided a list of common versions of the scam and common characteristics, which include, but are not limited to:

  • Businesses and personnel using open source e-mail are most targeted
  • Individuals at the business responsible for handling wire transfers are targeted
  • Spoofed emails very closely mimic a legitimate email
  • The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent e-mail requests
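
The spoofed-address and phrase characteristics above, together with the DMARC point raised earlier on this page, can be turned into a simple inbound-mail screen. The following is an added example, not code from IC3 or the FBI; the trusted-domain list, the edit-distance threshold of 2 and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this business actually corresponds with (constructed).
TRUSTED_DOMAINS = {"example-clinic.com", "example-supplier.com"}
# Phrases the PSA says victims reported in fraudulent requests.
PSA_PHRASES = ("code to admin expenses", "urgent wire transfer")


def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw):
    """Return the list of BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    flags = []
    # A sender domain that is close to, but not equal to, a trusted domain.
    if domain not in TRUSTED_DOMAINS and any(
        edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        flags.append("lookalike-domain")
    # Receiving servers record the DMARC verdict in Authentication-Results.
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", ""), re.I):
        flags.append("dmarc-fail")
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = " ".join((msg.get("Subject", "") + " " + body).lower().split())
    flags += ["psa-phrase:" + p for p in PSA_PHRASES if p in text]
    return flags


# Constructed sample message (not a real e-mail): digit "1" replaces "l".
SPOOFED = """\
From: "CEO" <ceo@examp1e-clinic.com>
To: controller@example-clinic.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-clinic.com; dmarc=fail

Please send today and code to admin expenses.
"""

if __name__ == "__main__":
    print(screen(SPOOFED))
```

A flagged message is a prompt for the out-of-band confirmation step, not a verdict; a clean result does not make a wire request safe.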

What you can do to make sure you don’t get scammed

IC3 warns businesses to be aware of ‘sudden changes in business practices.’ Companies should avoid free web-based email by establishing a company website domain and using it to create company email accounts. Employees should be careful about what they post on social media, taking special care not to post job duties/descriptions, hierarchical information and out-of-office details.

IC3 encourages businesses to file a complaint with IC3 if they feel they have been targeted. Details of the complaint process can be found in the PSA.

Vesta R. Whisler's curator insight, February 12, 2015 6:12 AM

Not only is it important to WRITE emails effectively, but it is critical to READ emails effectively to stay safe.
