As We Go High, They Go Low

Rhys MacFarlane, CSO, Luxury Escapes

After being approached to write this article, I cast around for an exciting, high-tech area of security to write about: maybe AI security applications, the growing risk and exposure of cloud-based vulnerabilities and attacks, or the growing sophistication of ransomware. As I was mulling this over, I received an email from a team member with the subject ‘Suspicious Email?’. It then occurred to me that one of the most common issues we’re facing is amazingly low level and technically very easy to attempt. CEO/executive fraud has been a growing threat within my company, and I know several CSOs and CISOs who have unfortunately experienced successful CEO/exec fraud attacks.

Who amongst us does not pay extra attention to an email from the CEO, COO or CFO? We all get that little jolt that tells us we need to act quickly to ensure we assist them with whatever important task they have for us. Unfortunately, this little jolt can sometimes outweigh our more sensible natures and may stop some team members from casting a critical eye over the email and the request being made. Add in a little time pressure and we have a situation that is primed for mistakes.

As we in the cybersecurity space grow ever more sophisticated in our defences, it seems our enemies are adapting by going very low tech in response. With everything in our vast array of protections, from mail filters to anti-virus and AI DDoS threat identifiers, we are making it more difficult for the high-level technical attacks to occur. However, no matter how intelligent our defences become, we must allow external email traffic and we must allow these emails to contain PDF attachments; otherwise our suppliers and vendors are not able to contact us about payments. The cyber threat actors have realized this and are investing more of their time in executive fraud style attacks. From my experience, the number and sophistication of these attacks are increasing at an exponential rate.

Cyber criminals need only a basic URL; a fraudulent company email account, or even better a compromised account; some minor effort on an official-looking email signature; a PDF generator; and time to search social media to find a suitable target within your organization. With this remarkably simple setup, they’re ready to bypass most of our protections and have a very believable email reach a member of your team that appears to come from an executive within your company, with an official-looking invoice attached.

I am aware of numerous successful executive fraud attempts within the Australian business space, having received firsthand accounts from other security executives. I will not use these stories to highlight this threat; rather, I will use a very prominent case. It was reported in early 2017 that one person was allegedly able to receive more than 100 million dollars from 2 major US tech companies over the space of 2 years. They did so by creating fake invoices, email accounts and internal company approvals for a series of what were considered minor payments for the company. These were sent sporadically over the two-year period. Despite the extremely high level of technological sophistication of these two companies, there was little they could do at the time to protect themselves from this style of attack.

This has been an issue that I have personally been grappling with over recent months. How can I ensure business-as-usual activities continue with minimal impact while trying to make sure we are as protected as possible from such attacks? I am a very human-focused security practitioner, and this was where I started our combat against executive fraud. Your team members will most likely be your first layer of protection against this, and we must increase their level of preparedness. I started a massive internal education process wherein I went around to every team of our company and gave in-person cybersecurity lessons with a large focus on exec fraud. I wanted to express the importance of the issue, which can only be achieved face-to-face, and I focused all my effort on teaching the key red flags to look for in any invoice they receive and getting them to understand that I never wanted them to feel extreme time pressure to pay any invoice. This has been successful, and I have noticed a significant uptake in the amount of reporting from team members.

However, we still experienced some near misses. You cannot always rely on your team members to be security-minded and perpetually 100 percent proficient. I looked around for another solution and discovered verify and started using this with high-level and high-access team members. I found this app-based product to be the best solution for this problem, as it allowed for instant internal approval and simultaneous validation of any invoice while having minimal impact upon business-as-usual functions. We inserted this product as part of our invoice approval process, adding a step of high-level internal multi-factor authentication. All invoices needed to receive this seal of approval from the relevant approver within the company, and it was immensely difficult for criminals to fake this validation. Since implementation, we have noticed a vast increase in the confidence of invoice payment and the teams have reported negligible impact to their daily job function. Our accounts team has also noted that it has made it very easy to spot the fraudsters in their very first email attempt.

Exec fraud is a difficult attack to defend against but as custodians of our companies, we must be vigilant to all threats that face us, especially against those that are easy to inflict upon us and hard for us to counter. We must respect that our enemies are very resilient, resourceful and creative individuals. They seem to be realizing that the technically sophisticated attacks are getting harder to implement, and there are other attacks that net a better rate of return. It is our responsibility to ensure the highest levels of protection for our company while making sure that we do not become an impeding force on business productivity. As always, we must ensure that we are the path clearers for our organizations and never the roadblock.