Business Email Compromise (BEC) Attack Steals $6 Million from Public School System

The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.

ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.

  1. Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
  2. Using that email access, the hackers monitored communications for several weeks, identifying vendors.
  3. Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.

Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.

This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.

As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear recognizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.

Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks

The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.

More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:

  1. Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them or how frequently you change them. The only reliable way to keep criminals out of your email is two-factor authentication that requires an extra step on a personal device, such as a smartphone, before a login completes. Prefer an authenticator app or a hardware security key over codes sent by text message, which can be intercepted or phished, and remember that an attacker who talks a user into approving a login prompt can still get in. Google now requires 2FA for some of its services. This should be mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
  2. Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may cover their tracks or spoof a location, but a compromised account will still show activity that does not fit its owner: logins at unusual hours, from new devices or new countries, or from two places at once. Systems should alert both the account user and IT staff whenever a new device logs in to the network, to email or to an online service. Also alert on changes to the mailbox itself, particularly new forwarding addresses and inbox rules that delete or hide messages, because attackers who sit in a mailbox for weeks routinely use these to keep the real vendor's replies out of the owner's sight.
  3. Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Put processes in place that mandate internal review of any change in payment destination, delivery schedule or delivery location. Pay very close attention to the sender of any email requesting a change: look at the actual address and its domain, not just the display name, and compare it with the address on file, because criminals register look-alike domains and set a different Reply-To address so that their phony emails pass a casual glance.
  4. Mandate voice approval for any changes. When a request to use a new bank account comes in, or a client emails asking for a delivery to be rerouted, procedures should require a phone call to that client's point of contact. Do not call any number given in the suspect email. Call the number on file for the client or vendor and ask whether they requested the change. Consider agreeing on a passphrase that only you and the vendor know as a means of authorizing changes.
  5. Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.
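The monitoring in step 2 and the sender check in step 3 can both be automated. The following is an added example written for this page; it is not code from the original article or from any product, and every name in it is invented: the accounts, device ids and sign-in log lines are constructed, the vendor record and the "Acme Bus Lines" domain are assumed, and the payment-change email is made up to show the "rn" for "m" substitution and the mismatched Reply-To that criminals use. The first function flags the first sign-in from a device or country not in the account's known baseline; the second compares the From and Reply-To domains of a payment-change request with the vendor domain on file and reports look-alikes.

```python
from email import message_from_string
from email.utils import parseaddr

# ---- Check 1: alert on a sign-in from a device or country not seen before ----

# Constructed sign-in log (not real data): timestamp, account, device id, country.
SIGNIN_LOG = """\
2023-05-02T08:01:10Z coo@example-schools.org dev-laptop-01 US
2023-05-02T12:30:44Z coo@example-schools.org dev-phone-07 US
2023-05-09T03:12:05Z coo@example-schools.org dev-unknown-9f NG
2023-05-09T03:14:51Z coo@example-schools.org dev-unknown-9f NG
2023-05-10T09:00:00Z clerk@example-schools.org dev-desk-22 US
"""

# Known devices and countries per account. Assumed here; in practice it is
# built from earlier, verified sign-ins.
BASELINE = {
    "coo@example-schools.org": {"devices": {"dev-laptop-01", "dev-phone-07"}, "countries": {"US"}},
    "clerk@example-schools.org": {"devices": {"dev-desk-22"}, "countries": {"US"}},
}

def flag_new_signins(log_text, baseline):
    """Return (timestamp, account, reason) for each first sign-in from an unknown
    device or country. A new device joins the working baseline once seen, so it
    raises one alert for a human to confirm rather than one per session."""
    seen = {u: {k: set(v) for k, v in b.items()} for u, b in baseline.items()}
    alerts = []
    for line in log_text.splitlines():
        ts, user, device, country = line.split()
        known = seen.setdefault(user, {"devices": set(), "countries": set()})
        reasons = []
        if device not in known["devices"]:
            reasons.append(f"new device {device}")
        if country not in known["countries"]:
            reasons.append(f"new country {country}")
        if reasons:
            alerts.append((ts, user, ", ".join(reasons)))
        known["devices"].add(device)
        known["countries"].add(country)
    return alerts

# ---- Check 2: compare the sender of a payment-change email with the vendor on file ----

VENDORS_ON_FILE = {"Acme Bus Lines": "acmebus.com"}  # constructed vendor record

# Constructed message: "rn" stands in for "m", a hyphen is added, and replies
# are routed to a third domain.
SUSPECT_EMAIL = """\
From: "Maria Lopez" <m.lopez@acrne-bus.com>
Reply-To: <accounts@acrne-bus-billing.net>
Subject: Updated remittance details for May invoices

Please route this month's payment to our new account.
"""

def _skeleton(domain):
    """Collapse common look-alike substitutions so acrne-bus.com ~ acmebus.com."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(src, dst)
    return d

def _levenshtein(a, b):
    """Edit distance; catches one-character typo-squats such as acmebus.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _domain(header_value):
    """Domain of the actual address; the display name is ignored on purpose."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def check_payment_change_sender(raw_email, vendor_name, vendors=VENDORS_ON_FILE):
    """Return reasons this request must not be acted on without a call-back to
    the number on file. An empty list means the headers match the record, which
    still does not prove the vendor's own mailbox is uncompromised."""
    msg = message_from_string(raw_email)
    on_file = vendors[vendor_name]
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", "")) or from_domain
    findings = []
    if from_domain != on_file:
        if _skeleton(from_domain) == _skeleton(on_file) or _levenshtein(from_domain, on_file) <= 2:
            findings.append(f"From domain {from_domain} is a look-alike of {on_file}")
        else:
            findings.append(f"From domain {from_domain} does not match vendor domain {on_file}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To routes answers to {reply_domain}, not {from_domain}")
    return findings

if __name__ == "__main__":
    for alert in flag_new_signins(SIGNIN_LOG, BASELINE):
        print("SIGN-IN ALERT:", *alert)
    for finding in check_payment_change_sender(SUSPECT_EMAIL, "Acme Bus Lines"):
        print("HOLD PAYMENT:", finding)
```

Run as written, the sign-in check raises one alert for the COO account (new device and new country on the 9 May login, not repeated for the second session from the same device), and the email check returns two findings for the suspect message. Neither check is a substitute for the call-back in step 4: a clean result only means the headers match the record, and a message from the vendor's real but compromised mailbox would pass it.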

Cyber security employee training should be provided to every worker in your organization. The more access and responsibility the employee has, the more critical this training becomes. Protect Now offers CE-eligible training for real estate professionals, as well as online and in-person training for all small- and mid-sized businesses. Contact us online or call us at 1-800-658-8311 to learn more.

The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

The new Securities and Exchange Commission (SEC) disclosure rule for cyber incidents represents the most sweeping attempt to date to mandate cyber security by the United States government. If you own or work at a publicly traded company, if you handle data provided by a publicly traded company or if you simply supply a publicly traded company, this new rule will impact your business.

What Is the New SEC Disclosure Rule?

As reported by the Federal Bureau of Investigation, the new SEC Disclosure Rule took effect on September 5, 2023. In broad terms, it requires the following:

  • Every publicly traded company in the United States must file a Form 8-K in the EDGAR system within four business days of determining that a cybersecurity incident has a “material” impact on its business. The clock starts at the materiality determination, which the company must make without unreasonable delay after discovering the incident, not at the moment of discovery.
  • The United States Attorney General may allow a reporting delay of up to 30 days, with a possible extension of an additional 30 days, if disclosure would pose a substantial risk to national security or public safety.
  • In extraordinary circumstances, the Attorney General may allow a further delay of up to 60 days, only where a substantial risk to national security remains.

It is up to the publicly traded company to determine whether a cybersecurity incident is material to its operations or valuation. If it is, the company must describe the nature, scope and timing of the incident, as well as its material impact or reasonably likely material impact.

How Does the SEC Rule Apply to Me If I Do Not Own a Publicly Traded Business?

This rule will be enforced by the SEC, which has extensive investigative capabilities and the ability to determine the penalties that violators will face. Unlike the FTC Safeguards Rule, which has defined penalties and regulations, the SEC disclosure rule is open, both in terms of what defines a “material impact” and in terms of how the agency will follow up. In the worst-case scenario, Federal investigators could arrive at your door to seize documents and devices, if they believe you are responsible for a cybersecurity incident that impacted a publicly traded company, or if the company identifies your business as the source of the data breach.

Here are a few examples of ways a company could inadvertently be swept up in an SEC investigation:

  • A franchisee of a national company suffers a data breach that exposes the personal financial information of its clients.
  • A shipping company receives a fraudulent order through a pretexting attack that diverts money or materials of significant value to criminal actors.
  • A conference planner suffers a data breach, exposing the email addresses, usernames and login credentials of all conference attendees.
  • A marketing agency’s servers are breached, revealing the embargoed technical specifications of a client’s new product.
  • A law firm’s email is breached, revealing details of a client’s patent filings or lawsuits.
  • A doctor’s office wireless network is compromised, allowing hackers to steal the personal health information of corporate executives.
  • A mortgage broker’s file transfer system is compromised, exposing the property valuations of individuals referred by a client.
  • A company website is hacked, revealing administrative usernames and credentials.

These examples fall into three broad categories:

  1. Data breaches that expose data belonging to a client’s customers.
  2. Hacking attacks that uncover a client’s future business plans, internal information or intellectual property.
  3. Credential theft or protected personal data theft that compromises a client’s leadership or employees.

Something as simple as a phishing attack that exposes your email contacts could be material, if hackers then use that information to launch a targeted attack on your client or sell the information to others. Pretexting attacks that divert payments, materials or finished goods that a client needs to operate could be material if they have a significant impact on a client’s sales. Ransomware attacks that lock your clients out of needed services, disrupting their operations, could also qualify as a material impact.

What Do I Need to Do to Comply?

Only publicly traded businesses are required to report cyber incidents under the disclosure rule, but their ability to report depends on support from their vendors, franchisees, service providers and partners. Remember that if your business is the source of a cyber incident that compromises a client’s business, you may be investigated, and your cyber security policies will be scrutinized. The publicly traded company will face SEC penalties. You will lose the client, and your reputation will take a significant hit.

No business wants to deal with the SEC. Investigations can be lengthy, disruptive and expensive. It is very likely that publicly traded companies will demand some accountability from vendors and partners, as well as assurances, possibly legally binding assurances, that cybersecurity incidents will be reported. For companies that are not publicly traded, compliance requests will likely include the following:

  1. Documentation of current cyber security standards, including incident monitoring and security updates.
  2. Documentation of cyber security employee training practices.
  3. Written plans to report cyber security incidents to impacted clients as soon as these incidents are known.
  4. Written plans to respond to and stop cyber attacks, along with an evaluation of data loss or potential third-party compromises.

Do not be surprised if clients ask for this documentation. Clients may also want to execute additional nondisclosure agreements (NDAs) that include specific language around cyber incidents, or ask for these protections to be outlined in service contracts or contract amendments.

How Will the SEC Enforce the Cyber Incident Disclosure Rule?

It is impossible to know what enforcement will look like, as the SEC tends to treat violations on a case-by-case basis. Based on past behavior around new regulations, the SEC is likely to issue warnings for a period of time for first-time offenders or minor breaches. If a significant breach occurs, or if a publicly traded company repeatedly violates the rule, an extensive investigation with significant penalties will follow. This will trigger a stampede for services that will leave providers struggling to keep up with demand, and companies scrambling to find providers who can help them. It is better to take this matter seriously now, evaluate your needs and get professional cyber security support if you need it.

Note that the new disclosure rule does not require an experienced or certified professional to oversee or report cybersecurity incidents. Most small businesses should be able to manage compliance on their own, or with the help of a virtual chief information security officer (vCISO).

Why Did the SEC Add This Reporting Rule?

The SEC outlined two needs that drove the new disclosure rule. First, the SEC believed, as do many law-enforcement organizations, that cyber crime is underreported. By bringing their authority to this area, the SEC seeks to compel a greater level of reporting compliance, eliminating the tendency of some businesses to quietly pay ransoms or overlook seemingly minor cyber intrusions.

Second, the SEC felt that current reporting, which lumps cyber security incidents in with other business challenges, did not provide enough information to shareholders. The standard report will allow shareholders to see how often a business suffers cybersecurity incidents and how severe they are, providing another data point investors can use to evaluate opportunities.

As a final, broader goal that was unstated, the disclosure rule puts anyone who works with a publicly traded company on notice that their clients’ interactions are under Federal scrutiny. This is likely meant to compel greater adoption of cyber security best practices across all U.S. businesses, which will make it harder for criminals to carry out attacks. In that regard, it is the most significant effort to date by the U.S. government to establish and require cyber security as a basic element of business operations.

If you have questions about the SEC disclosure rule, how it could impact you, how you can comply or how you can improve your cyber security employee training, please contact us online or call us at 1-800-658-8311.

Vacant Land Scam Warning Issued: Can You Spot These Red Flags?

Real estate agents nationwide need to be on alert for the Vacant Land Scam. A California Department of Real Estate (DRE) advisory issued in July noted what the DRE called “a sharp increase in real estate fraud involving identity theft and the sale of vacant land and unencumbered property.”

Similar vacant land scams have been reported throughout the United States. Do not assume that this warning does not apply if you are not in California. Every real estate agent should understand how the scam works, and how to spot the red flags of a potentially fraudulent transaction.

What Is a Vacant Land Scam?

Vacant land scam is an umbrella term that applies to any attempt to fraudulently sell real estate that the scammer does not own. While undeveloped land is the most common focus of these scams, criminals may attempt to sell residential or commercial buildings, condominiums or homes.

Scammers begin by researching properties through public records. They first look for properties that are free of mortgages and liens. They then look for properties that are likely to be unoccupied; undeveloped land, empty long-term rentals and out-of-season vacation rentals are among the most popular targets.

Criminals will then identify the owner of the property and attempt to assume their identity. Properties owned by the elderly or by foreign nationals are most often targeted. The scammer will pose as the property owner and hire a real estate agent to sell the property, pocketing cash from the transaction.

Vacant Land Scam Red Flags and Responses

The signs of a potential vacant land scam are easy to spot, and this is one of the simpler scams to thwart. Be on the lookout for the following:

The seller refuses to meet in person. This should be a red flag for any transaction. Scammers may claim to be too busy or to be out of the country and will claim that they cannot attend the closing. They will also resist video calls and prefer to communicate solely by text or email. The simple solution is to insist on an in-person or video meeting, or to require the seller to use a third-party identity verification service to prove their identity. Be sure this is a service that you choose, as some scammers may attempt to fake identity verification.

The offering price is well below market value. The scammer will claim that they want a quick sale, in cash, with a fast closing and the money wired to their account. There are legitimate reasons why a client would ask for these conditions, so you will need to balance these requests against other warning signs. One clear red flag is a client who refuses to provide an identifiable mailing address or bank account number and demands a wire transfer to a public location, such as a money transfer office.

The seller refuses to allow a For Sale sign on the property. This is a significant red flag that your agency can address by requiring a sign on any property that it lists. Grant an exception to this rule only on a limited basis, and only after someone else at the agency has reviewed the request and transaction details.

The seller provides their own notary. This is a significant warning sign for document fraud. Require all clients to use your in-house notary or a notary approved by your agency. If a client supplies their own notary, contact that individual directly to confirm they are who they claim to be.

The vacant land scam is a form of identity theft that relies on real estate agents prioritizing service and convenience for a client over due diligence. When in doubt about a transaction, set those instincts aside and be skeptical. These next two steps will stop nearly any attempt at this scam:

  1. Have someone else review the property offer. Get a second set of eyes on the situation. Ask a colleague or manager to take a look at the property offer and circumstances and tell you what they think. Be neutral in your approach; if you ask someone if something looks suspicious, they may look for signs of fraud. If you ask someone to give their opinion of a situation, they are likely to evaluate it objectively.
  2. Contact the property owner of record. Public records give you the name and mailing address of the owner, which is a means of contacting them independently of the person who approached you. The worst that can happen is that the deal is legitimate and the seller recognizes you; simply explain that this is an extra step your agency follows to prevent fraudulent real estate sales. If the property owner has no idea who you are or that their property is for sale, join them in reporting the fraud to law enforcement and your local real estate governing body.

Like all attempts at fraud, a vacant land scam requires you to trust details and situations that seem a little out of the ordinary. Learning to trust your instincts and to identify the common techniques used by scammers will help you identify and avoid most cyber attacks and pretexting attacks. Protect Now offers an in-depth e-learning program, Cyber, Social and Identity Protection Certification (CSI), that will give you the confidence and strategies you need to stop scammers. You can try a free CSI demo online at any time.

Protect Now also provides interactive in-person and virtual CSI cyber security employee training for groups that is CE eligible in many states. To learn more, contact us online or call us at 1-800-658-8311.

Here’s Why You Need Identity, Privacy, and Device Protection

People are often anxious about the security of their personal information and online accounts. Cybercriminals are finding new ways to invade your privacy which is why you need comprehensive protection to keep you safe online.

We spend a lot of time on this blog discussing SMB security. However, “all security is personal”, even at the enterprise level. That’s because it’s people who implement security, monitor it and react to vulnerabilities. If those people are lax in their own personal security, how are they going to do their jobs effectively?

Here are some protection and privacy best practices that you can use to keep your identity and sensitive information away from prying eyes and restore your faith in technology.

Device Protection

Device protection refers to the measures you take to protect your hardware or physical devices from intruders and potentially harmful software, such as malware, adware, and viruses.

Protect Your Hardware

Knowing where your smartphones, computers, iPads, and gaming consoles are and never allowing people you don’t know to use them are the first steps in protecting them.

Protect your devices with a password or PIN so that the photos, banking apps and text messages stored on them are inaccessible if you lose your phone at a concert or leave your tablet in a restaurant.

It’s also a good idea to back up your files regularly so that your images, videos and documents are not lost if your phone is stolen.

Protection Against Malicious Software

To keep your device safe, you’ll also have to protect it from software threats. There are many ways for malware and viruses to get onto your devices, including phishing scams, suspicious websites, questionable downloads, and clicking on advertisements.

When browsing sites that seem unreliable, use caution, and apply common sense when clicking on links.

You can also download a reliable antivirus software application to help detect, identify, and remove malware and viruses that could pose a threat to your online security.

Privacy Protection

Protecting your privacy involves preventing advertisers, fraudsters, and other unscrupulous organizations from obtaining access to the information you’d prefer to keep private.

It only takes a few careful modifications to your regular browsing, emailing, and social media activities to increase your internet privacy.

Limit What You Share on Social Media

Consider your usage of social media. Do you upload pictures containing information that could be used to identify you? Examples of information that you shouldn’t share online include your:

  • Full name
  • Birthday
  • Physical address
  • Current location

If your profile is freely accessible and anyone can view it, you might want to think about limiting what you post online. Sadly, although your loved ones may like reading your status posts, cybercriminals enjoy them even more.

Fraudsters can learn enough about you in just a few minutes of spying to pass themselves off as you or to target you. Restrict the information you post on social media and restrict the number of people you follow and befriend to those you actually know.

Use a VPN

Connecting to a virtual private network (VPN) is another good way to protect your online privacy. A VPN encrypts the traffic between your device and the VPN provider and hides your real IP address from the sites you visit. It does not make you anonymous: the VPN provider can see your traffic, and sites still recognize you once you log in.

Protecting your privacy with a VPN is essential when using public Wi-Fi at a library, restaurant, or coffee shop.

This is because an attacker on the same unprotected Wi-Fi network, or one running a look-alike hotspot, can see which sites you connect to and can tamper with any connection that is not protected by HTTPS. Most sites now use HTTPS, which protects your login details even without a VPN, but a VPN also hides your DNS lookups and browsing destinations from whoever runs the hotspot.

Identity Protection

Keep up with the latest developments, and if a company that stores your information is hit by a cyberattack, act quickly to protect your identity and safeguard your accounts.

Here are some examples of identity theft:

1. Forging an Identity

The most frequent form of identity theft is when a thief takes a victim’s Social Security number and uses it to create a new false identity.

2. Creating New Accounts Using Someone Else’s Credentials

When a scammer successfully obtains financial data and personally identifiable information from a user, they can open new accounts such as utility accounts, credit cards, and more using the victim’s good credit rating.

3. Taking Over Someone Else’s Account

Account takeover occurs when a fraudster obtains the victim’s account login information and adds themselves as an authorized party, giving them access to the victim’s banking facilities.

EMV chip cards have sharply reduced counterfeit card fraud at the point of sale, but they do nothing against account takeover, which is carried out with stolen login credentials rather than a cloned card. Two-factor authentication on financial accounts, and alerts on new payees or changes to contact details, are the controls that address it.

4. Medical Identity Theft

Medical identity theft occurs when fraudsters pose as patients to access certain prescribed drugs and have their medical care covered by the victim.

5. Corporate Identity Theft

Corporate identity fraud occurs when a criminal tries to issue new lines of credit in the name of a company, sends clients fake bills, and then takes the payments themselves. This type of identity theft is most common in small businesses.

A cybercriminal may still manage to obtain your personally identifiable information even when you follow all the rules.

When a security breach occurs at an establishment with your personal information, you’ll need to find another way to keep your information and banking accounts safe.

Investing in identity security software that monitors the dark web and notifies you of any suspicious activity that might point to identity theft is a good idea.

Considering how many ways there are to target users online, it should come as no surprise that many are uneasy about their safety when surfing the net.

Fortunately, you can reduce these risks by combining reliable antivirus software with the practices above: device passwords and backups, restraint on social media, a VPN on public Wi-Fi, two-factor authentication and identity monitoring.