Highlights of the October edition of the HBK Risk Advisory Services webinar series hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director, HBK Risk Advisory Services
Two closely related topics: business email compromise and protecting against identity theft
Business Email Compromise (BEC)
Defined as a type of email-based cybercrime scam in which an attacker targets a business or individual with the intent to defraud.
A large and growing problem
Also called email account compromise; greatly accelerated by cloud-based infrastructure
BEC Examples:
A vendor sends an invoice with altered payment details; vendors don’t usually send emails to change where to send a payment.
A CEO asks an assistant to purchase dozens of gift cards to send out as rewards and asks for serial numbers to expedite delivery.
A homebuyer receives a message from a title company with instructions on how to wire the down payment.
Whatever money you send basically doubles your cost: you have paid the attacker but still owe the real vendor.
From the FBI:
In 2022: 21,832 BEC complaints were filed with reported losses of more than $2.7 billion.
64% of companies worldwide have been affected by BEC hacking.
Total losses exceed losses from ransomware attacks.
Most common BEC attack vectors:
Spoofing an email account or website
Phishing/spear phishing emails
Malware
How to protect against BEC:
Use multi-factor authentication (MFA) wherever possible; never turn it off
Be careful:
with information you share online, including social media
about unsolicited, unexpected emails; be skeptical: “if it sounds too good to be true, it likely is”
with unrecognized URLs or emails
before opening downloads: could have a malicious payload
if you are asked to act quickly
Phone calls: don’t answer spam calls; that could validate your number.
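As an added example (not from the webinar or HBK), the following Python triage check applies the spoofing and unrecognized-email cautions above to inbound message headers. It flags look-alike sender domains, display names that borrow a trusted vendor's name while sending from an untrusted domain, a trusted domain embedded inside a longer unrelated name, and a Reply-To that diverts replies elsewhere. The vendor list, the sample headers, and the heuristics themselves (character folding, an edit distance of one) are constructed assumptions for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: vendor domain -> display name the vendor normally uses.
TRUSTED_VENDORS = {
    "acme-supplies.example": "Acme Supplies",
    "northwind-title.example": "Northwind Title",
}

# Characters commonly substituted in look-alike domains (assumed, not exhaustive).
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def fold_lookalikes(domain):
    """Collapse common substitutions so 'acrne-supp1ies' folds to 'acme-supplies'."""
    return domain.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Plain edit distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header):
    """Extract the lowercase domain part of an RFC 5322 address header."""
    _, addr = parseaddr(header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def check_sender(from_header, reply_to=None, trusted=TRUSTED_VENDORS):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious."""
    display_name, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    findings = []

    if domain not in trusted:
        for known, vendor_name in trusted.items():
            if known in domain:
                # e.g. acme-supplies.example.billing-portal.example
                findings.append(("embeds-trusted-domain", f"{domain} contains {known}"))
            elif fold_lookalikes(domain) == fold_lookalikes(known) or levenshtein(domain, known) <= 1:
                findings.append(("lookalike-domain", f"{domain} resembles {known}"))
            if vendor_name.lower() in display_name.lower():
                # Display name says "vendor" but the address does not belong to them.
                findings.append(("display-name-impersonation", f"'{display_name}' sent from {domain}"))

    if reply_to:
        rt_domain = sender_domain(reply_to)
        if rt_domain and rt_domain != domain:
            findings.append(("reply-to-mismatch", f"replies go to {rt_domain}, not {domain}"))
    return findings


# Constructed sample headers (From, Reply-To) for a quick triage run.
SAMPLE_MESSAGES = [
    ("Acme Supplies <billing@acme-supplies.example>", None),
    ("Acme Supplies <billing@acrne-supp1ies.example>", None),
    ("Acme Supplies Billing <acme.billing@freemail.example>", None),
    ("Acme Supplies <billing@acme-supplies.example>", "billing@acme-supplies-payments.example"),
    ("Northwind Title Company <closing@northwind-title.example.escrow-docs.example>", None),
]


def triage(messages=SAMPLE_MESSAGES):
    """Return only the messages that produced findings, keyed by their From header."""
    return {frm: check_sender(frm, rt) for frm, rt in messages if check_sender(frm, rt)}


if __name__ == "__main__":
    for frm, found in triage().items():
        print(frm)
        for code, detail in found:
            print(f"  [{code}] {detail}")
```

A hit from this check is a reason to verify the request out of band before acting on it, not proof of fraud; legitimate vendors do occasionally use separate billing domains, so the allow-list needs maintaining.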
If you become a victim of BEC:
First, contact the bank/financial institution: where you wired the money from and where you wired the money to. If you wired overseas, you might have 24 to 48 hours to have the money clawed back.
Report the attack to your local FBI field office or, better, to the IC3 (Internet Crime Complaint Center), because the FBI does not investigate “small” losses.
Learn from the attack so you don’t fall for the same thing in the future.
Identity theft
Defined as obtaining personal or financial information of another person for the sole purpose of assuming that person’s name or identity to enter into transactions or make purchases.
Forms of identity theft:
Healthcare, such as for procedures you haven’t had done
Tax fraud, such as filing an income tax return in your name
Financial, including for credit cards
Statistics:
5.7 million cases of fraud and ID theft in 2022
ID theft every 22 seconds
Median loss to victims is $500 (growing as we become more digitally dependent)
How thieves obtain your identity:
Data breaches
Exposed consumer or employee records
Theft of personal information, such as through spoofing or phishing
The deep web is about 90% of the internet, including company information; the dark web is about 6% of the internet and is home to illegal activity such as buying email addresses and other personal information.
How to protect identity:
Freeze your credit.
Safeguard your Social Security number.
Shred everything.
Protect RFID cards (people with scanners 10 to 15 feet from you can copy your card):
Purchase a “wallet” that shields your cards
Use a passport carrying case
Buy a jamming card to put in your wallet to block signals (inexpensive route)
Use strong passwords and a password manager.
Use MFA (do business with organizations that use MFA).
Train yourself and staff to recognize and report phishing.
Keep software updated.
Be careful what you post on social media; don’t disclose personal data.
Set up online account access and monitor it weekly.
Establish email/text alerts for account authorizations, account declines, statement balances, and account payments.
Consider an ID theft monitoring service (multiple companies offer them). They will:
Credit monitoring
Dark web monitoring
Opt you out of data brokers
Provide some form of insurance coverage
Provide some threat resolution information
Don’t carry your social security card.
Know what’s in your wallet and make copies of your credit cards, front and back.
If your ID is stolen:
Place a fraud alert with one of the bureaus; they will contact the others; companies must contact you before they issue credit in your name.
Review your credit report.
Contact the Federal Trade Commission (FTC).
Build a recovery plan: FTC site will help you build a plan.
FTC site has a lot of valuable information: identitytheft.gov.
Check your Social Security account (create an account).
Contact your local police; for example, an attacker might use your driver’s license data to create a new license and commit a crime.
As of 2018, there is no fee to freeze your credit with credit bureaus.