Are Backup Files the Missing Link in Your Cyber Security?

Do you have backup files for your critical business data and software? Where are they stored? How often are they updated?

Are Backup Files the Missing Link in Your Cyber Security?During Cyber Security Awareness Month, you should be asking these three critical questions. Too often, business leaders and employees see cyber security as an ongoing battle against phishing, business email compromise and other direct scams. While these are core concerns in cyber security, data safety is also essential. You can train your people to stop pretexting attacks, but that training is of no value when a hacker encrypts or steals all of your business data, shutting down your operations. Even the most experienced IT professionals can have a blind spot when it comes to data backups.

Cloud Backup Files Are Not Enough

The default choice for many businesses is cloud backup, which is simple to implement and easy to access. The convenience of cloud backup files can obscure a significant risk: Cloud services can be hacked. If your only backups exist on a server, and that server is compromised, your backup data are gone. You may have done enough to qualify for a cyber liability insurance or business interruption insurance claim, but you still lack the data you need to run your business.

Cloud backup files should be part of your cyber security protocols, but they should not be your only path to data recovery. Backups on a solid-state device, such as a USB drive or an external hard drive, are also necessary for the following reasons:

  1. Your cloud backups can be compromised. Hackers may encrypt or steal your data from your cloud backup provider, or compromise your cloud provider’s operations, preventing you from accessing data.
  2.  Backup files may contain malware. Cyber criminals are more patient than most people realize. It is rare for them to gain access and immediately deploy malware or ransomware. Instead, they will lurk for weeks, sometimes months, waiting to deploy an attack. If criminals launch a ransomware attack that encrypts all your files and you attempt to restore a recent backup, there is a good chance it will fail to solve the problem.
  3. Cloud backup files may be incomplete. Creating a daily cloud backup is a good practice, but daily backups typically get purged after a few weeks to make room for newer backups. If you need data that is more than a month old, it may not be available. Your cloud backups may also be limited in scope; they may save daily data, but not the software you need to access that data.

Best Practices for Backup Files

Backup files are a crucial part of your overall cyber resilience. In the event of a ransomware attack, backup files may allow you to restore systems and avoid paying a ransom. In the event of data loss or exfiltration, backups may allow you to determine exactly what data were stolen, which can help you comply with new SEC Disclosure Requirements. Backups may also help cyber security professionals identify the timeline and methods used in a cyber attack.

Here are five things every organization should do to incorporate backup files in a cyber resilience plan:

  1. Employ cloud backups wherever they are offered. Even with their limitations, cloud backups offer the simplest option for daily data and system protection. Set up daily backups for your website, business data and cloud-based services that you use. Be sure that data are encrypted and take note of what is and is not backed up; for example, a website backup may include the core elements of the site and exclude add-ons, plugins and custom code. Cloud services may back up your business data but not any customizations you have made to your cloud environment. When in doubt, ask your service provider for a full list of what is and is not backed up. Ask how long data are retained as well, and make a note of that timeline. If you have to pay a little extra for daily backups or longer data storage, it may be a worthwhile investment.
  2. Create solid-state backups of business data. At least once a week, essential business data should be downloaded to spreadsheets and stored on a USB device or external drive. Once the storage device is full, label it with a date and keep it in a secure area in your office under lock and key. Restrict access to these backups to IT staff and senior leadership, and allow access only if critical systems are compromised and data become unrecoverable. Note that backups containing personal information may need to be erased or destroyed to maintain compliance with the FTC Safeguards Rule.
  3. Maintain a physical file of critical business data. This should include information that you need to keep your business running, including client names, phone numbers, addresses and order or delivery information. To determine what to include, imagine a situation where your  business is without power for several weeks, or where you lack access to your office due to a fire or disaster. What would you need to continue to service your clients, and what functions can you track and complete offline? The physical file can be created in a spreadsheet and printed weekly, or as you add new clients. Like data backups on external drives, information in these files are subject to the FTC Safeguards Rule, so you will need to store the physical files in a secure place, limit access to them and destroy old copies periodically.
  4. Create a System Recovery Image or Recovery Drive. An IOS Recovery Drive will allow you to repair a failing Mac or reinstall your MacOS software. A Windows System Recovery Image is a complete snapshot of your current Windows installation, settings and applications. These recovery images should be created quarterly and stored on a USB or external drive. Use a separate drive for each backup to reduce the risk of malware. These backup files have a practical purpose beyond cyber security: In the event that your primary computer is lost or damaged, you can use them to rebuild your systems on a new device. They can also help you restore systems if your hard drive fails.
  5. Maintain access to your passwords. If you rely on your browser to fill in stored passwords, you could find yourself locked out of critical systems. A cloud-based password manager can provide access, as long as you have a copy of the keys and passwords needed to access it. Consider keeping critical passwords on a written list or in a text file on a USB drive that you store in a secure place, such as a safe or locked drawer. Never store sensitive passwords in emails or files on your hard drive, as cyber criminals will look for these if they gain access to your systems.

Backup files, printouts and drives should be treated with the same care as digital data. They must be kept in a secure place and should be used only when necessary. These additional security measures should not deter you from creating backups. In the event of a ransomware attack, natural disaster or catastrophic damage to a computer, backup files can get you up and running in less than two hours, or provide the information you need to run your business offline until online problems can be addressed.

Large organizations should have protocols in place to create and maintain backups as part of an overall cyber resilience plan. Small businesses and sole proprietors will need to manage backups by themselves, but it is not a complex or overly time-consuming process. If you need guidance on creating system recovery files, or help creating and protecting backup files, please contact us online or call us at 1-800-658-8311.

Social Engineering Eyed in High-Profile Casino Attacks

Social engineering may be behind two high-profile attacks on casino operators Ceasar’s and MGM. In an 8-K filing with the Securities and Exchange Commission, Ceasar’s Entertainment reported “a social engineering attack on an outsourced IT support vendor used by the Company.” Hackers were able to steal data from the Ceasar’s loyalty database around September 7, exposing an unknown number of drivers license and Social Security numbers. The Wall Street Journal reported that Ceasar’s paid around half of a $30 million ransom demanded by hackers to restore systems and delete stolen information. In their SEC filing, Ceasar’s noted that there is no guarantee the criminals will delete the data.

Social Engineering Eyed in High-Profile Casino AttacksElsewhere in Las Vegas, MGM systems, including coded room keys, booking systems and slot machines, were turned off following a ransomware attack. Reuters reported that the ransomware attack was attributed to a group known as Scattered Spider, which has previously targeted telecommunications and business outsourcing firms. Scattered Spider is also believed to be behind the Ceasar’s attack.

Anatomy of a Social Engineering Attack

In an interview with TechCrunch, an alleged Scattered Spider spokesperson took credit for the MGM social engineering attack but denied involvement with the Ceasar’s hack. The spokesperson claimed that they had found information on an employee at an MGM IT vendor via LinkedIn, then called the vendor’s help desk to gain access to that person’s account.

Social engineering attacks are targeted. The criminal is typically armed with some information about an individual they are attempting to impersonate or persuade. The most sophisticated attackers can now employ artificial intelligence tools that synthesize an individual’s voice using just a few seconds of online audio. They will then call people who can grant account access, such as bankers or help desks, using the fake voice in real time to try and gain account access. Employees at companies that are high-value targets, such as hospitals, banks, casinos and telecom providers, and third-party vendors that serve these companies are most likely to be targeted with sophisticated attacks. The larger the potential payout, the more sophisticated the attack will be.

Other social engineering scams are clumsier and should trigger immediate red flags. Someone may call claiming to be a vendor or IT staffer and ask the victim to read out a two-factor authentication code over the phone, defeating the protection this authentication offers. Attacks like this are very common and can happen to any employee in any business.

Scattered Spider is not as sophisticated as some criminal gangs and state-sponsored hackers. They are motivated by money and mainly made up of young people, with one report suggesting they deliberately recruit young teens to avoid significant criminal consequences if they get caught. What business owners should know is that groups like Scattered Spider are sophisticated enough if they can trick employees into providing access or divulging information.

Preventing Social Engineering Attacks

As social engineering attacks become more sophisticated, business owners must double down on cyber security employee training and establish firm protocols that guide information or access requests. Individuals have a responsibility as well, as they must limit the discovery of information that criminals can use in social engineering attacks. Here are five things to do now to reduce your risk:

  1. Review your LinkedIn and social media profiles. Do strangers need to know where you work? Does your profile need to be publicly accessible? For a handful of people, the answer is yes, and those individuals generally take steps to separate their public profile from their private and business profiles. For most workers, the answer is no. Follow this simple rule: The more you share, the less visible your profiles should be. Go ahead and cultivate a professional network on LinkedIn, but limit your visibility to people you know.
  2. Change your passwords. Assume your current username and password are available for sale on the Dark Web. They likely are, making it a matter of time before a criminal connects that information to your workplace accounts. Use separate passwords for work and personal accounts and change them every few weeks, at least four times each year. When criminals see passwords changing, they recognize that you take cyber security seriously and may pass you by in favor of an easier target.
  3. Enable two-factor authentication. This should route access codes to a device that is with you at all times. Never, under any circumstances, share one of those access codes with someone. Two-factor authentication remains one of the strongest protections against account hijacking.
  4. Assess your level of risk. Some companies know they are targets, because they have access to money or personal data. Those companies typically have very strict protocols in place to deter social engineering and phishing attacks. Vendors may not have the same level of protection or training, which gives criminals a back door into secured systems. If you have high-value clients, you must adopt their level of cyber security and train every employee to recognize and respond to attempted cyber attacks.
  5. Require review of access attempts. One of the best protocols to put in place is to require a second set of eyes on any attempt to gain access to accounts via phone, text or email. These requests should route to a higher-level employee who is well-versed in social engineering and phishing attempts. When in doubt, protocols should require a call to the phone number on file for the individual as a final step in approving access. Do not call any other number, and do not use redial, as scammers may spoof an individual’s phone number on your devices.

Sophisticated social engineering attacks work because employees trust and want to do a good job. Training must emphasize that security is equally if not more important than customer service. An inconvenienced person may be upset with you briefly. A cyber crime victim will never forget who allowed the attack to happen.

If you need employee training, anti-phishing training, compliance services or guidance on establishing cyber security protocols, please contact us online or call us at 1-800-658-8311.

When and How to Report a Cyber Attack Attempt

Should you report a cyber attack attempt? Even a small, seemingly insignificant one? The answer is almost always yes.

There are two reasons to report a cyber attack. The first is to show cyber criminals that you take security seriously. The second is to gain safety in numbers. The more people who are aware of current attacks and techniques, the harder it is for criminals to operate. Remember that hackers and fraudsters depend on their victims knowing little no nothing about their scams. Spread the word, and you help others defend themselves. When enough people fight back or ignore scam and hacking attempts, criminals move on to easier targets.

When Should I Report a Cyber Attack Attempt?

You should immediately report any cyber attack that occurs at the workplace, targeting your office phone, personal phone, email, text messages or web browsers. You should consider reporting attacks that target your personal email or phone as well, if you believe the attacker obtained information about you online. Senior executives and those who have access to financial or information-management systems should report every attack on any business or personal device.

What looks like a common malware email, such as “Your package could not be delivered,” or “Your account has been suspended,” takes on an added significance if you are a high-value target. Low-level employees may not need to report mass-email phishing and malware attacks, but should report any attack using a business or personal phone number, particularly if the attacker claims to be a co-worker.

Where Should I Report an Attempted Cyber Attack?

The size of your business will determine how you should report the attack.

For mid-size and large companies: You likely have an internal or external specialist who handles your cyber security. Report all attacks to this individual, no matter how small or obvious they may seem. Do not worry about being a nuisance. It is the cyber specialist’s job to determine how significant or widespread an attack may be, and they can only do their job if they have a complete picture of the threats a business faces. Provide as much detail as possible, including screenshots of emails and text messages, if any.

If someone calls or texts you claiming to be a coworker, report this activity immediately. Targeted pretexting attacks are on the rise, with some criminals using sophisticated software to impersonate the voices of business leaders and public figures. These attacks are resource-intensive and require planning. which makes it more likely that a criminal will target multiple individuals within an organization.

For small businesses: If you work in a small business without an in-house cyber security or IT specialist, you have two options:

  1. If you have an external IT specialist, report the attack to them and ask them to monitor your systems for any signs of unusual behavior.
  2. If you do not have an external IT specialist, send an email to all coworkers advising them of the attack. Send a screenshot of the text, email or website and ask if anyone else has received similar messages. If multiple people in a small business report the same attack, it may be a sign that you have been targeted. Strongly consider professional IT support to identify any possible system breaches or data loss if this occurs.

Reporting Attempted Attacks to Law Enforcement

Every successful cyber attack should be reported to local police. Your cyber insurance policy likely requires this. If customer data are stolen, you must report the attack to police and check reporting requirements under the FTC Safeguards Rule, if you qualify as a Financial Institution, and the SEC Disclosure Rule, if you work for or partner with a publicly traded company. Any significant data breach should be reported immediately to your state Attorney General’s office. In the case of a significant data breach or an attack that compromises critical public systems, you should contact the local Federal Bureau of Investigation field office and your state Attorney General, who will provide support and additional guidance on disclosure. Note that in some cases, cyber attacks and data breaches should not be disclosed to the public without first contacting Federal or state officials.

Whether you should report an attempted cyber attack is murkier and depends on the nature of the attack. If you have publicly traded companies among your clients, or clients covered by the FTC Safeguards Rule, you should report targeted pretexting attacks to their IT or cyber security specialists. Criminals may be attempting to harm your partners by attacking their vendors, clients or associates. Law enforcement agencies generally will not handle this reporting for you. You must do it yourself, and you should do it as quickly as possible, as you may have some obligations to report under the Safeguards Rule or SEC Disclosure Rule. When in doubt, reach out.

Where Else Should Attempted Cyber Attacks Be Reported?

If you work for a franchise business, report any cyber attack attempt to your franchisor’s head office immediately. This is especially critical if the attacker attempts to impersonate a senior employer of the business. Criminals may be launching simultaneous attacks against franchisees. Your quick response could prevent significant damage to the business and your fellow franchisees.

If you are part of a trade association, such as a Bar Association or the National Association of REALTORS®, for example, or if you are a member of a state association or Chamber of Commerce, report any cyber attack that targets your business or employees to the senior officials in your area, and to your local and national headquarters. In recent years, there have been surges of criminal cyber activity targeting specific sectors, such as health care or public schools, or specific regions, such as the recent spate of Vacant Land Scam attempts in the Southwest United States. There is no way to know if an attack on your business is isolated or part of a bigger trend. Spreading the word to professional associates may give them the opportunity to stop similar criminal attacks.

 

Would you know what to do during a cyber attack? Download our free Cyber Crime Response Kit, which includes detailed, step-by-step instructions that will help you prevent an attack from spreading, quarantine infected devices and rebuild systems safely. For more detailed guidance on preventing and responding to cyber attacks, please contact us online or call us at 1-800-659-8311.

Business Email Compromise (BEC) Attack Steals $6 Million from Public School System

The New Haven, Connecticut, school district lost more than $6 million to cyber thieves in a Business Email Compromise (BEC) attack that was discovered only after the real vendor asked why they had not been paid.

ABC News provided details on the attack, which began in May and demonstrated a high level of patience on the part of the hackers.

  1. Criminals gained access to the email account of the school system’s Chief Operating Officer (COO).
  2. Using that email access, the hackers monitored communications for several weeks, identifying vendors.
  3. Phony vendor emails were then sent to the COO, directing payments to bank accounts controlled by the criminals.

Losses included more than $5.9 million in fraudulent payments meant for a school bus company. The FBI was able to recover $3.6 million of the stolen money.

This BEC attack shows a level of sophistication and patience that many business owners and employees do not associate with cyber criminals. By quietly gaining access to a targeted email account and monitoring conversations, criminals were able to gather additional, personalized information they needed to successfully redirect a significant amount of money.

As I noted last month, cyber criminals are using AI to improve their BEC and pretexting attacks. While many attempts at phishing and fraud still bear reconizable signs, employers and employees must be prepared to deal with increasingly sophisticated, personalized and persuasive attacks. Remember that criminals have just one job: to steal from you and hide their ill-gotten gains before they can be recovered. Any unusual action or request from a vendor, even if it seems small, should be investigated.

Simple Tactics Will Stop Sophisticated Business Email Compromise Attacks

The hackers who targeted New Haven’s school system took their time to identify high-value vendors, at the risk of losing access to the compromised COO email account. While this demonstrates a level of sophistication that is unusual, it also proved successful, and hacker groups share their success stories as they refine their criminal strategies.

More BEC attacks like this one will occur. Organizations should follow these simple steps to avoid becoming the next victim:

  1. Mandate two-factor authentication (2FA). Assume that hackers have your usernames and passwords, no matter how careful you are with them, or how frequently you change them. The only reliable way to keep criminals out of your email is to use two-factor authentication that requires you to complete an extra step via a personal device, such as a smart phone, before you can log in. Google now requires 2FA for some of its services. This should be a mandatory policy for every organization and is essential for anyone with access to financial systems or databases of personal information.
  2. Monitor online use regularly. IT departments should always know who is accessing systems and from where. Sophisticated criminals may be able to cover their tracks or spoof a location, but there will still be an unusual increase in access for individual accounts. Systems should be set up to alert both the account user and the IT staff whenever a new device attempts to connect to a network or log in to an email or online service.
  3. Require a second set of eyes on any changes. BEC attacks steal money and goods by diverting them to new accounts or locations. Organizations should put processes in place that mandate internal review of any changes in payment destinations, delivery schedules or delivery locations. Pay very close attention to the Sender of any email requesting a change, as criminals will create phony emails that look legitimate to try and trick their targets.
  4. Mandate voice approval for any changes. When a request to use a new bank account comes up, or a client sends an email asking for a delivery to be rerouted, organizational procedures should require a phone call to that client’s point person. Do not call any number given in a suspect email. Call the number on file for the client or vendor, and ask them if they requested the change. Consider implementing a password that only you and the vendor would know as a means of authorizing any changes.
  5. Limit the visibility of key staff online. Criminals regularly harvest compromised email and business accounts to identify high-value targets who they believe can access personal information or finances. Keeping the identities of key personnel concealed helps to deter this kind of targeting. For individuals who have a high level of visibility, consider setting up a second email account or logins that cannot easily be traced, while maintaining a publicly visible email. For example, a CEO named Joe Smith might have a joesmith@companyname.com email account for public use, but a very different email account, such as 712995abznow@companyname.com for official duties. Criminals will not be able to easily identify the secondary account, though this is not a foolproof solution if the hidden email is not carefully guarded.

Cyber security employee training should be provided to every worker in your organization. The more access and responsibility the employee has, the more critical this training becomes. Protect Now offers CE-eligible training for real estate professionals, as well as online and in-person training for all small- and mid-sized businesses. Contact us online or call us at 1-800-658-8311 to learn more.

The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

The new Securities and Exchange Commission (SEC )disclosure rule for cyber incidents represents the most sweeping attempt to date to mandate cyber security by the United States government. If you own or work at a publicly traded company, if you handle data provided by a publicly traded company or if you simply supply a publicly traded company, this new rule will impact your business.The New SEC Disclosure Rule Will Impact Nearly Every U.S. Business

What Is the New SEC Disclosure Rule?

As reported by the Federal Bureau of Investigation, the new SEC Disclosure Rule goes into effect on September 5, 2023. In broad terms, it requires the following:

  • Every publicly traded company in the United States must file form 8K to the EDGAR database within 4 days of the discovery or awareness of any cybersecurity incident that has a “material impact” on their business.
  • The United States Attorney General may allow a reporting delay of up to 30 days, with a possible renewal for an additional 30 days, if the cybersecurity incident presents a danger to public safety or national security.
  • The United States Attorney General may allow an additional 60-day delay in reporting only if there is a significant risk to national security.

Publicly traded businesses have the ability to determine whether or not a cybersecurity incident has a material impact on their operations or valuation. In the event that it does, they must report the nature, scope and timing of the incident, as well as its impact or potential impact.

How Does the SEC Rule Apply to Me If I Do Not Own a Publicly Traded Business?

This rule will be enforced by the SEC, which has extensive investigative capabilities and the ability to determine the penalties that violators will face. Unlike the FTC Safeguards Rule, which has defined penalties and regulations, the SEC disclosure rule is open, both in terms of what defines a “material impact” and in terms of how the agency will follow up. In the worst-case scenario, Federal investigators could arrive at your door to seize documents and devices, if they believe you are responsible for a cybersecurity incident that impacted a publicly traded company, or if the company identifies your business as the source of the data breach.

Here are a few examples of ways a company could inadvertently be swept up in an SEC investigation:

  • A franchisee of a national company suffers a data breach that exposes the personal financial information of its clients.
  • A shipping company receives a fraudulent order through a pretexting attack that diverts money or materials of significant value to criminal actors.
  • A conference planner suffers a data breach, exposing the email addresses, usernames and login credentials of all conference attendees.
  • A marketing agency’s servers are breached, revealing the embargoed technical specifications of a client’s new product.
  • A law firm’s email is breached, revealing details of a client’s patent filings or lawsuits.
  • A doctor’s office wireless network is compromised, allowing hackers to steal the personal health information of corporate executives.
  • A mortgage broker’s file transfer system is compromised, exposing the property valuations of individuals referred by a client.
  • A company website is hacked, revealing administrative usernames and credentials.

These examples fall into three broad categories:

  1. Data breaches that expose data belonging to a client’s customers.
  2. Hacking attacks that uncover a client’s future business plans, internal information or intellectual property.
  3. Credential theft or protected personal data theft that compromises a client’s leadership or employees.

Something as simple as a phishing attack that exposes your email contacts could be material, if hackers then use that information to launch a targeted attack on your client or sell the information to others. Pretexting attacks that divert payments, materials or finished goods that a client needs to operate could be material if they have a significant impact on a client’s sales. Ransomware attacks that lock your clients out of needed services, disrupting their operations, could also qualify as a material impact.

What Do I Need to Do to Comply?

Only publicly traded businesses are required to report cyber incidents under the disclosure rule, but their ability to report depends on support from their vendors, franchisees, service providers and partners. Remember that if your business is the source of a cyber incident that compromises a client’s business, you may be investigated, and your cyber security policies will be scrutinized. The publicly traded company will face SEC penalties. You will lose the client, and your reputation will take a significant hit.

No business wants to deal with the SEC. Investigations can be lengthy, disruptive and expensive. It is very likely that publicly traded companies will demand some accountability from vendors and partners, as well as assurances, possibly legally binding assurances, that cybersecurity incidents will be reported. For companies that are not publicly traded, compliance requests will likely include the following:

  1. Documentation of current cyber security standards, including incident monitoring and security updates.
  2. Documentation of cyber security employee training practices.
  3. Written plans to report cyber security incidents to impacted clients as soon as these incidents are known.
  4. Written plans to respond to and stop cyber attacks, along with an evaluation of data loss or potential third-party compromises.

Do not be surprised if clients ask for this documentation. Clients may also want to execute additional nondisclosure agreements (NDAs) that include specific language around cyber incidents, or ask for these protections to be outlined in service contracts or contract amendments.

How Will the SEC Enforce the Cyber Incident Disclosure Rule?

It is impossible to know what enforcement will look like, as the SEC tends to treat violations on a case-by-case basis. Based on past behavior around new regulations, the SEC is likely to issue warnings for a period of time for first-time offenders or minor breaches. If a significant breach occurs, or if a publicly traded company repeatedly violates the rule, an extensive investigation with significant penalties will follow. This will trigger a stampede for services that will leave providers struggling to keep up with demand, and companies scrambling to find providers who can help them. It is better to take this matter seriously now, evaluate your needs and get professional cyber security support if you need it.

Note that the new disclosure rule does not require an experienced or certified professional to oversee or report cybersecurity incidents. Most small businesses should be able to manage compliance on their own, or with the help of a VCISO.

Why Did the FTC Add This Reporting Rule?

The SEC outlined two needs that drove the new disclosure rule. First, the SEC believed, as do many law-enforcement organizations, that cyber crime is underreported. By bringing their authority to this area, the SEC seeks to compel a greater level of reporting compliance, eliminating the tendency of some businesses to quietly pay ransoms or overlook seemingly minor cyber intrusions.

Second, the SEC felt that current reporting, which lumps cyber security incidents in with other business challenges, did not provide enough information to shareholders. The standard report will allow shareholders to see how often a business suffers cybersecurity incidents and how severe they are, providing another data point investors can use to evaluate opportunities.

As a final, broader goal that was unstated, the disclosure rule puts anyone who works with a publicly traded company on notice that their clients’ interactions are under Federal scrutiny. This is likely meant to compel greater adoption of cyber security best practices across all U.S. businesses, which will make it harder for criminals to carry out attacks. In that regard, it is the most significant effort to date by the U.S. government to establish and require cyber security as a basic element of business operations.

If you have questions about the SEC disclosure rule, how it could impact you, how you can comply or how you can improve your cyber security employee training, please contact us online or call us at 1-800-658-8311.

Business Email Compromise Gets Smart with WormGPT: How Businesses Must Prepare

WormGPT, a new, AI-powered tool for pretexting attacks, is attracting subscribers among the cyber criminal community, according to reporting from ZD.net. The capabilities of this tool, which uses similar technology to large learning models like ChatGPT, are grounds for significant concern for all business owners.

Researchers from SlashNext were able to access the tool and examine its capabilities. They found the following:

  • WormGPT can create flawless, persuasive emails indistinguishable from a human conversation.
  • Built-in translation capabilities allow WormGPT users to communicate fluently and flawlessly in languages they cannot speak. The exact languages that WormGPT can process have not yet been reported.
  • The software can write its own malware, though the extent of these capabilities were not tested.

The WormGPT Threat to Businesses

By creating flawless, persuasive, customized emails and texts, WormGPT has the potential to overcome the most obvious fingerprints of a fraudulent Business Email Compromise (BEC) or phishing attack: bad grammar, odd sentence structure and generic requests. Even novice criminals could use this tool to trick employees who have extensive cyber security and fraud prevention training.

This does not render cyber security employee training useless. Training programs that teach employees to recognize unusual requests or unusual language from customers will still stop most attacks, and programs that emphasize awareness will have some success in thwarting AI-powered attacks with impeccable grammar and urgent requests. The rise of programs like WormGPT does mean that businesses cannot solely rely on language as a way to detect fraudulent emails. To meet this challenge, businesses need to look at technical solutions and their everyday practices.

Effective Techniques to Mitigate WormGPT Threats to Business

The most dangerous WormGPT attacks will attempt to steal goods, money or credentials. Pretexting attacks claiming to come from senior company leaders, clients or IT staff will present the greatest challenge, particularly if criminals have gained access to the actual email accounts of these individuals.

Businesses should take the following steps to prevent sophisticated pretexting attacks of all types:

  1. Automatically blacklist all emails. Most email programs can be set to warn users of an email coming from a new or unknown address while allowing emails from known contacts to pass through. This function should be enabled to catch criminals who attempt to spoof email addresses by changing a letter to a number, adding or moving a letter, or changing a domain name. For example, if you work at industries.com and have the CEO’s email in your contacts, fraudulent emails from industries.net, industr1es.com or indutsries.com will be flagged. The same technology can be used to identify attempts to spoof client emails.
  2. Establish strict protocols for delivery changes. Businesses are well within their rights to demand faxed approval of any changes to delivery locations, dates or volumes, or to ask for 48 hours’ notice to implement such changes. Similar rules should apply if clients attempt to place orders on credit or ask for significant increases in deliveries.
  3. Require phone verification for order or delivery changes. You can either mandate that clients call when they need a significant change in their order volume or a new delivery destination, or send an email telling clients, “Call your account manager to confirm this change.” Do not include details on who to call, and if you receive an email asking for that information, do not reply. This will dissuade the majority of criminals attempting BEC fraud. If the stolen goods are valuable enough, criminals may actually reach out by phone.
  4. Set a unique passcode with each client. This works with phone verification to stop fraud. Each individual client should have their own unique passcode that they provide when they need to change order details. In the event that a criminal calls to try and complete a fraudulent switch, they will not know the passcode, and the order will not be changed. Use random strings of letters and numbers in these passcodes, and convey them only via telephone to clients, never by email or text, which can be intercepted by criminals.
  5. Call the client to verify the change. A significant increase in order size or a change in delivery location are red flags for fraud. Employees should be required to call the client on record for the account and personally verify any order changes.

These steps serve two purposes. First, they will defeat the majority of attempts to steal goods via BEC attacks. Second, they will provide ample evidence to your insurance company that you have policies and practices in place to deter fraud. Banks and insurance companies have been pushing back on claims for reimbursement involving pretexting attacks and BEC fraud on the grounds that employees allowed these attacks to happen. A demonstrated level of internal vigilance and security may help your cause if you need to take a claim to court.

The other necessary defense against WormGPT and other forms of business fraud is employee training. Criminals count on hurried, helpful employees who are motivated to provide service and clear bottlenecks. Employees who learn to recognize the red flags of fraud can still do their jobs efficiently and keep customers happy while protecting your business. To learn more about employee training that generates real change in the workplace, contact us online or call us at 1-800-658-8311.

ChatGPT Conversations Stolen: What You Should Do Now to Protect Yourself

Stolen ChatGPT conversations have been found on the Dark Web, according to Singapore-based cybersecurity firm Group-IB. The theft and publication of ChatGPT conversations reveals a danger about the software that many users may not know.

According to Group-IB’s data, nearly 27,000 ChatGPT conversations were offered for sale on the Dark Web in May 2023. The majority of these data were stolen from India and Pakistan using malware during the past year. The United States had the sixth-largest number of stolen conversations, at 2,995, just ahead of France, which led Europe with 2,923 conversations.

What Makes ChatGPT Conversations Vulnerable?

Conversations with ChatGPT take place using a browser or through a remote connection to a ChatGPT server in the overwhelming majority of cases. If you have a local installation of ChatGPT that you access directly via a LAN, with no connection to the Internet, you are at a much lower risk for data theft, but such installations remain rare.

Hackers can steal ChatGPT conversations as they happen in one of three ways:

  1. Using malware programs such as Raccoon, which exfiltrate data from an infected device.
  2. Using eavesdropping software that captures communications as they move back and forth between a ChatGPT server.
  3. Hacking a ChatGPT account and directly downloading past conversations.

The third method of attack is the one that may surprise many ChatGPT users. By default, ChatGPT saves your prompts and the logs of your conversations. If hackers can gain access to your account, they may be able to download complete transcripts of your past conversations. This could include sensitive business data, software code or personal information that could be used to compromise your identity or your business.

The current global distribution of ChatGPT theft may not appear to be a threat to North American users, but this is a mental trap. Hackers may be targeting particular industries or businesses overseas, but the techniques and methods they learn spread almost instantly across the globe. More ChatGPT theft will happen, and more U.S. businesses will be targeted. The only good news is that you have time to prepare.

How to Prevent ChatGPT Conversation Theft

There are a few steps ChatGPT users should take immediately to prevent data loss.

  1. Scan your devices for malware. This should be a common, regular practice at home and at work. Keyloggers and malware can creep onto your devices even if you practice great cyber security habits. Regular scans offer confirmation that your devices are clean.
  2. Disable your ChatGPT history. To do this, access the Settings in your account and turn off Chat History & Training. This forces ChatGPT to dump any conversations that are more than 30 days old. Be sure to save any conversations you want to keep outside of the ChatGPT interface, using Microsoft Word, Notepad or another program that resides on your hard drive.
  3. Clear your old conversations. To do this, click on your profile picture, then click on Clear Conversations. This will give you the option to remove all of your archived ChatGPT conversations.
  4. Beware of what you share. Even with these steps, ChatGPT will store conversations for 30 days. It is best to avoid using ChatGPT to compose documents with sensitive business information that could be valuable to rivals, or to completely write code that powers proprietary software, as these could easy be stolen in the event of a breach. Do not give personal details to ChatGPT, such as your address, phone, email, login credentials or bank and credit card numbers. Hackers will mine ChatGPT logs for this information.
  5. Protect your ChatGPT account as fiercely as your bank account. Never share any login information for your ChatGPT account with anyone under any circumstances. If possible, use two-factor authorization or a password manager to log in to your ChatGPT account. In cases where a single account is shared across an organization, every individual user should have their own login with two-factor authentication or a password manager for additional security.

The explosive growth of ChatGPT and its brand-new capabilities provide fertile ground for criminals. The majority of ChatGPT users probably have not considered conversation log theft as a cyber security risk, but it can be, depending on how you use this AI tool. As criminals probe new ways to harvest data from AI systems, remember that basic cyber security employee training, such as our CSI Protection Certification, will prepare employees to use new online tools with a much lower degree of risk.

Why Do I Need Dark Web Monitoring?

Dark Web monitoring fills an important security gap for individuals and businesses. It has applications in cyber security, reputation management and brand management. By monitoring Dark Web activity, individuals and organizations may be alerted to cyber attacks or data breaches.

Admit it: You search your name on Google to see what’s there. Most businesses pay attention to their online reviews. Some monitor social media to see what customers are saying. Dark Web monitoring completes the picture of your and your organization’s online reputation. It can also tip you off to data breaches or potential cyber attacks.

What Is the Dark Web?

In its broadest definition, the Dark Web is a portion of the Deep Web, which itself is a collection of websites and databases that are not indexed by the major search engines (Google, Microsoft Edge, Yahoo!, DuckDuckGo, etc.). In 2018, CNBC estimated that the Deep Web was 400 to 500 times the size of the Internet that most people use.

The Deep Web itself is benign. It consists of password-protected content, encrypted databases and data, including millions of articles, books, recipes and public records. Some of these can be accessed through specialized search engines, such as a university’s library catalog of digital media or LexisNexis.

Amid those terabytes of data lurks a smaller set of sites that can be accessed with browsers such as TOR, short for The Onion Router, a browser that attempts to conceal the user’s location by routing web traffic randomly across the globe. Promises of anonymity and cover from law enforcement have made the Dark Web a haven for illegal activity. It is where many cyber crimes originate, and where you will find cyber criminals offering their services and software for sale alongside the fruits of their labors: credit cards, login credentials and personal information.

Why Are Businesses Monitoring the Dark Web?

Because a great deal of cyber crime originates on the Dark Web, monitoring is a tool that thwarts and reveals attacks. In some cases, it can be the first warning of a data breach.

Dark Web monitoring begins with a deep dive on selected data points. For businesses, this is most commonly the business name and the names of senior executives and managers. This creates a baseline of information that is known to be compromised, as well as intelligence on any discussions about the business or its leaders among cyber criminals. This information is provided to the business with notes on any areas of concern.

Once the baseline is established, the Dark Web is searched on a regular basis for new information. This may include

  • Mentions of the business or its leaders by cyber criminals, which can signal a pending attack
  • Solicitations to buy or sell information on the business or its leaders
  • Newly posted data, which may include compromised logins for systems, user accounts or personal accounts of the company’s leaders
  • Customer data, such as credit card numbers, exfiltrated from a company’s database

When new information is found, the business receives an immediate alert that can be used to prepare for or stop a cyber attack. In some cases, this is the first evidence of a data breach that compromises customer information.

Dark Web monitoring may also reveal what people are saying about a business and its employees, providing opportunities to repair reputational damage. It can also be used to prevent disgruntled former employees from selling stolen data online after their separation from a company.

How Can I Monitor the Dark Web?

Dark Web monitoring requires specialized software that can access and index the hundreds of thousands of hidden sites that criminals use to communicate. There is currently no free solution, and until recently, monitoring was an expensive service available only to large companies.

Protect Now is pleased to offer affordable small-business Dark Web monitoring that includes a full baseline examination of data about your business and employees, as well as regular updates on any new information that appears online. If someone adds to that information, attempts to buy or sell it or discusses using it, you will be notified immediately so that you can take action.