Cybercriminals can act alone, but increasingly we are witnessing cyber gangs (who operate like a small business and are also often referred to as ransomware gangs), with leaders, developers, system administrators, intrusion experts, data exfiltration experts, and monetary experts working in unison daily to search for victims and earn their prize - your cash. The following is a true story; another victim and tremendous hassle could have been avoided with fundamental security awareness training, sound practices, and due diligence.
Whether you are a large, mid-size, or small company, you should stay vigilant and always be aware of common cyberattacks, and especially phishing. There is always an adversary trying to take advantage of you and steal your funds or data. Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal of this adversary is to steal sensitive data like credit card, account, and login information or to install malware on the victim’s machine. Phishing is an increasingly common cyberthreat. Many have heard of the opportunities that threat actors took during the days of the pandemic. Today I will share a story about a local attack, and one that could have been avoided.
Our subject is a small manufacturing company located in New England who manufactures medical products and often acquires raw materials from overseas to balance their supply chain with United States suppliers due to price fluctuations and supply challenges. As with many small businesses, the staff of this organization wear multiple hats and are often terribly busy, whether that is attending to the health of their employees, payroll, managing the shop floor, collaborating with suppliers for shipment status, or updating customers on delivery dates. During the early days of the pandemic, numerous people were unable to show up for work. For those that did, employers were constantly changing their processes to keep their staff safe and to deliver orders (on time). Backlogs ensued everywhere you turned, and what once was easily planned for was no longer the case as companies were getting squeezed on both ends. It became a difficult challenge to keep the business running and enormous patience was necessary.
As the days became busier and busier, attending to the detailed administrative computer work was shortened. When a suspicious email initially came through, it was not examined so closely. The email arrived from a supplier of raw materials (for over ten years) asking to change the wire transfer account information from Sri Lanka to an account in Hong Kong. The owner of our subject organization read the email, and as this was a critical supplier, he drove to the bank to have the account information changed (without verification or challenge). Of course, the bank doing its proper due diligence recommended that the owner fully verify any changes with the supplier by phone call (to their known contact) prior to changing any account information. However, the supplier’s time zone was 12 hours in advance and that seemed too difficult, so the owner decided to send an email to the supplier to ask for account verification, and of course, received a return email confirmation to change the account information. The owner went back to the bank and proceeded to make a few wire transfers to the new account worth approximately $100,000 over a 3-month period. As this was in the height of the pandemic, the supplier was not aware that their accounts receivable had exceeded their regular terms, and nothing was noticed. After a couple additional memos from the supplier to inquire about the status of payments, the owner’s email suddenly became inaccessible. Finally, after changing the password and gaining access to the email account once again, it was discovered that all the email correspondence over this 3-month period was deleted, and no email backups were available. There was now a profoundly severe problem.
Considerable time was spent attempting to determine what truly happened, beginning with the insurance company for cybersecurity coverage, replacing the current computer system, setting up a new email service with multi-factor authentication (MFA), contacting the bank, digital forensic investigation, contacting the Attorney General, FBI, Internet Crime Unit (IC3), Federal Trade Commission, and the Consumer Finance Bureau. Unfortunately no real progress was made and there was no conclusive evidence as to the source of the attack. The evidence had vanished.
After all this, it was determined that their current insurance policy did not cover these types of cyberattacks and it was clear that sound cybersecurity awareness practices were not followed. During that time, it could not be determined whose email was hacked (supplier or company) and to keep good business relationships, the companies decided to split the monetary loss and agreed to institute better cyber practices and verifications within both organizations going forward.
Remember, cybercriminals wake up every single day with the goal of stealing data and money, and they are constantly evolving and becoming more sophisticated. How can you protect your organization?
This true story is not unique, and unfortunately thousands (if not millions) of organizations have also suffered a cyberattack that carried with it a financial toll. A proactive approach to your cybersecurity program is crucial in mitigating the risk of an attack before one occurs. The first step is to engage a trusted and independent cybersecurity partner such as Compass IT Compliance. Compass IT Compliance is an industry leader in providing IT security, compliance, and risk management services to organizations of varying size and complexity. Our password policy templates, phishing assessments, security awareness training, and dark web monitoring services provide a holistic approach to swiftly strengthening an organization’s account security. Contact us today to learn more!