Category: Mobile Security

The Business Scams That Your Business Needs to Know About

At their heart, many criminals are also entrepreneurs – they’ve just decided to embrace the faster money and higher risks of illegal markets. However, just like other entrepreneurs, every criminal wants to maximize their ROI – increasing the amount of money they are earning while minimizing the amount they are spending. For however many dollars they put in, they can expect to get a certain number of dollars out. Here are some of the scams you need to know about.

CEO Fraud

A newer scam that promises to enhance the ROI of many existing operations is being deployed by scammers more and more often. Business Email Compromise (BEC), also known as CEO fraud, is a variant of the conventional phishing attack that businesses need to watch out for.

Phishing Attacks

Phishing attacks use emails that masquerade as legitimate messages, containing links or attachments that look harmless but actually enable an attacker to execute malicious code. A spear phishing email is a phishing email that has been carefully crafted for a particular recipient. These were a notable feature of the Russian attacks on the 2016 elections – a spear phishing email crafted specifically for John Podesta ended up granting the GRU access to the entire DNC network.

More About Spear Phishing

Spear phishing emails are more likely to be successful than the scattergun approach that phishing spam takes. Regular phishing emails rely upon users being susceptible and, for the most part, technologically illiterate. Often the scammers will have a list of emails from some database or other – every time one of those high-profile data breaches that we all collectively shrug our shoulders at occurs, millions of people’s information is exposed.

Sometimes, passwords are exposed in these breaches, although that is relatively rare. When passwords are exposed, they are usually encrypted and, if the service in question takes security seriously, they will also be salted and hashed.

However, this is not always the case. You can enter an old email address into haveibeenpwned.com to see how many times it has been exposed in a breach and any passwords that have been exposed alongside it.

BEC Scam

The BEC scam utilizes spear phishing, spoofing, typosquatting, or some other type of phishing attack, inducing the user to enter their username and password, thinking they are logging into a legitimate service.

The email itself deploys urgency and claims to have been sent at the behest of a CFO or CEO who is now in a meeting and therefore unavailable. To disguise the lack of a corporate signature, the scammers use the ‘Sent from my iPad’ signature and explain that they are using a personal device. This also enables the scammers to get away with imperfect English, as mistakes are written off as autocorrect. If hackers have any additional information that they can use to make themselves seem legitimate, they will often throw that in too.

In some cases, the scammers will use social engineering to convince employees to do things they normally wouldn’t. The best way to defend against this attack is to educate your employees about it. Once they know about it, it is fortunately easy to spot. Never open attachments you aren’t expecting without verifying in person that they are legitimate. Don’t open links or attachments from email addresses you don’t recognize, even if they purport to be from someone you know.
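The tell-tale signs described above (a lookalike domain, an executive's name on an external address, urgency language, a "Sent from my" signature standing in for a corporate one) can also be checked by a mail filter before the message ever reaches an employee. The following is an added example written for this page, not code from the original article: a small heuristic scorer over raw email text using Python's standard `email` module. The company domain `example.com`, the executive name `Jane Doe`, the keyword list and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Tuple

# Assumed values for this example: the defended organisation's domain and the
# display names an impersonator would most likely borrow.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}
URGENCY_TERMS = ("urgent", "asap", "immediately", "in a meeting", "wire", "gift card")


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> bool:
    """True when the sender domain is close to, but not equal to, the company domain."""
    if domain == COMPANY_DOMAIN:
        return False
    return _edit_distance(domain, COMPANY_DOMAIN) <= 2


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (number of indicators, human-readable reasons) for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons: List[str] = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    if display_name.strip().lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        reasons.append("executive display name on an external address")
    if lookalike_domain(from_domain):
        reasons.append(f"sender domain {from_domain} resembles {COMPANY_DOMAIN}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        reasons.append("Reply-To points to a different domain than From")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if "sent from my" in text and from_domain != COMPANY_DOMAIN:
        reasons.append("personal-device signature from an external address")

    return len(reasons), reasons


# Constructed sample messages (not real mail). The first reproduces the pattern
# the article describes; the second is an ordinary internal message.
SUSPICIOUS_SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe@example.net>
To: accounts@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

I am in a meeting and cannot talk. I need an urgent wire sent today, please confirm ASAP.

Sent from my iPad
"""

LEGIT_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 report
Content-Type: text/plain; charset="utf-8"

Attached is the draft Q3 report for review at Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, why = score_message(sample)
        print(f"{label}: {score} indicator(s)")
        for reason in why:
            print("  -", reason)
```

Each indicator on its own is weak (executives do mail from personal devices), which is why the scorer reports all of them together rather than blocking on any one; a gateway would quarantine or flag messages above a threshold and let the human verification the article recommends do the rest.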

Data Breach Reporting: The Who, When and Why

Between 2011 and 2017 there were an estimated 4,732 cyber attacks carried out against American businesses. However, only 24 of those breaches were reported to the SEC by the affected company. Those numbers are surprising, but the fact that companies are tight-lipped is not.

Data breach reporting is a highly-sensitive process. Companies know it’s their obligation to inform victims. But going public about the breach can make it harder to clean up the problem and catch the perpetrators. It’s also a major public relations blow to the brand. And since the SEC has guidelines but not federal rules about reporting, delays and excuses are common.

That may be understandable, but that doesn’t make it acceptable. Reporting is an ethical obligation and also a legal liability for companies. Companies that wait weeks, months, or even years to report breaches potentially compound the damage done to victims. If and when those victims choose to go to court, they have grounds to demand much larger settlements. The growth of the industry is largely due to the growth in size and frequency of these settlements.

It’s easy to conclude that companies should report the breach as quickly and completely as possible. Unfortunately, it’s not that easy when so much is at stake. Follow these best practices to approach breach notification systematically:

  1. Understand Your Legal Obligation – All states have laws requiring reporting, including the District of Columbia, Puerto Rico, and the Virgin Islands. There may also be other local, state, or federal laws that inform the reporting process. Review these laws in advance of any breach, and determine exactly when they apply and what they mandate. In some cases the breach must be reported within 72 hours of discovery.
  2. Notify Law Enforcement – This is mandatory ASAP after a data breach. Even if the extent of the breach or the number of victims is unknown, law enforcement must be aware of the incident. Once law enforcement is involved there are professional investigators pursuing the hackers. Contact local officials first. If they cannot help they will refer you to state or federal officials.
  3. Coordinate the Response – An inconsistent and disorganized response is just as bad as a late response. Pick someone to be the spokesperson, and make sure the message is consistent in public statements, on social media, and in official documentation. Notifying victims incompletely or inaccurately creates its own problems.
  4. Consider Notification Options – The preferred way of notifying victims is through traditional mail. In special circumstances, however, companies are allowed to send out email notifications. Look at the cost of notifications based on the scale of the incident. Then determine how to directly notify victims and how to publicize the incident generally. Most companies also include resources on their website, issue a press release, and make spokespeople available to the media.

If the data breach notification process sounds unpleasant, your interpretation is accurate. It’s a necessary evil for companies that suffer a data breach. Unfortunately, avoiding these incidents is almost impossible. The strategy that more companies are taking is to plan for the worst early. Make a plan for responding to an incident, including in-depth details about notification. It may not spare a company embarrassment, but it can spare them expense.