SolarWinds Cyber Attack: February 24 Webinar Will Address Lessons Learned

Date February 22, 2021

The SolarWinds cyber-attack impacted the U.S. government and some of the largest companies in the world. Join HBK’s Bill Heaven and cybersecurity law expert and best-selling author Joe Brunsman of Chesapeake Professional Liability Brokers, Inc., at noon this Wednesday, February 24, for a webinar on the lessons we learned from the hack and the protection against cybercrime afforded by cybersecurity insurance.

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack that the world has ever seen,” Microsoft President Brad Smith said of the SolarWinds hack, disclosed in December 2020, on the February 14, 2021 episode of 60 Minutes. By that measure, the attack on the Austin, Texas-based software developer displaces the 2013 Target data breach as the most serious cybercrime yet discovered. The scale and nature of the attack hold lessons for us all.

The attack was a “supply chain attack” carried out by an “advanced persistent threat (APT).” A supply chain attack is among the most intrusive forms of third-party breach because it rides on the trusted, highly integrated software and systems that many organizations in a supply chain share. APT campaigns are run by the most capable adversaries, such as nation-states, organized crime groups and activist groups. They are typically long-term, multi-phase operations that invest heavily in reconnaissance and use obfuscation techniques to operate undetected for months or even years.

The SolarWinds attack, suspected to have been launched by the Russian government, was a so-called “Trojan Horse”: malicious code was inserted into legitimate updates for the SolarWinds Orion platform, so customers who installed what looked like a routine update from their vendor also installed a backdoor. Because the tainted update carried SolarWinds’ own valid digital signature, ordinary update-integrity checks would not have flagged it, which is what makes a supply chain compromise so hard for downstream customers to catch. Approximately 18,000 Orion customers downloaded the backdoored update; the attackers then chose a much smaller subset of those networks for hands-on follow-up intrusion. Likely initiated in March 2020, the APT was not discovered until December 2020, giving the hackers roughly nine months of “dwell time,” that is, nine months of undetected access to the affected systems.

Speak to one of our professionals about your organizational needs

"*" indicates required fields

hbkcpa.com needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Watch: Risk Advisory Services: Third Party Risk Management

Date January 29, 2021
Authors William J. Heaven Matt Schiavone

HBK Risk Advisory Services Senior Managers Bill Heaven, CPA, CISA, CITP, CSCP and Matt Schiavone, CPA, CISSP, CISA discuss third-party risk management and SOC (System and Organization Controls) reporting, including SOC 2.

Download the materials.




How to Protect Your Identity: Widespread Unemployment Fraud Identified in Ohio

Date January 29, 2021

According to The Ohio Department of Job and Family Services (ODJFS), a number of Ohioans who didn’t register for unemployment benefits in 2020 will be receiving a 1099-G form from the State saying they did receive benefits and stating the amount. If you are among them, you are likely the victim of a fraudulent unemployment claim, a type of identity theft resulting from what is known as a Social Engineering Attack. Cybercriminals use phishing (emails), smishing (texts) or vishing (phone/voicemail) to steal your identity, then use it to file fraudulent unemployment claims.

If you believe you are a victim of unemployment fraud, file with the ODJFS at https://unemploymenthelp.ohio.gov/. The site provides a link to “Report Identity Theft” and offers detailed information in a section titled “ID Theft: What To Do.”

To protect yourself from Social Engineering Attacks, we recommend:

  1. Don’t give your Social Security number to someone you don’t know. No government agency or legitimate organization will ask for your Social Security number in an unsolicited email, text message or telephone call.

  2. Scrutinize messages containing urgent requests.

  3. Study the message for subtle misspellings or replacements of letters with numbers.

  4. Use the “hover over” technique on a hyperlink in an email, then examine the URL you find there for the actual website/entity that will process the request.

  5. Verify the request via a different method, such as a phone call or online chat instead of a message reply.

  6. Never rely on the contact information or account numbers provided in the message!


Other ways to protect your identity (not an all-inclusive list):

  1. Review your annual free credit report via the Annual Credit Report website.

  2. Regularly monitor your credit cards online.

  3. Enable two-factor authentication for all your online financial and medical accounts.

  4. Consider freezing your credit files (Equifax, Experian and TransUnion).


Find additional email security recommendations in our article at: http://hbkcpa.com/cybersecurity-social-engineering-email-security-recommendations/




Watch: Risk Advisory Services: Managing Risk via The Three Lines of Defense

Date October 30, 2020
Evolving cyber threats and expanding regulations have made risk management a seemingly daunting yet necessary task. However, leveraging a risk management model can be the first step in establishing an effective, streamlined risk management program. HBK Risk Advisory Services’ Matt Schiavone and Bill Heaven will be joined by Joe Wynn of Seiso to discuss the Three Lines of Defense model and how it helps organizations of all sizes proactively manage risk and stay out of trouble.

Download the materials.




Watch: Manufacturing Solutions: Cyber Security – What Manufacturers Need to Know

Cyber security is a growing concern for many businesses, especially manufacturers. A breach can lead to issues with customers, suppliers, employees, intellectual property, or even in operating critical equipment. What should manufacturers know, and what actions should they take to protect their data, intellectual property, and ongoing operations?

Jim Dascenzo, CPA and Amy Reynallt, MBA of HBK Manufacturing Solutions discuss these topics and other cybersecurity considerations. Jim and Amy are joined by special guest, Bill Heaven of HBK Risk Advisory Services, who specializes in cyber security, IT security, e-commerce and other IT consulting initiatives. Learn tips for manufacturers to ensure your systems are safe and secure.

Download the materials.




International Charity Fraud Awareness Week

Date October 22, 2020

This week, October 19th through October 23rd, is the third annual International Charity Fraud Awareness Week (ICFAW). The ICFAW is led by an international coalition of over 40 charities, regulators, sector and professional representative bodies, and other interested stakeholders. The goal of this week is to raise awareness of, and to share good practices for, tackling fraud and cybercrime among non-profit organizations.

In support of this important initiative, the HBK Non-Profit Solutions group and HBK Risk Advisory Services are teaming up to provide the following information. We encourage everyone to learn more about ICFAW here: https://www.fraudadvisorypanel.org/charity-fraud/get-involved/

If you are a charitable donor:

  1. Make sure that a charitable organization is legitimate before donating.

    Charitable scams are incredibly common, especially as we move into the holiday season. Before you write a big check in support of a charity, confirm that the organization is legitimate on the IRS website (https://www.irs.gov/charities-non-profits/tax-exempt-organization-search). GuideStar (https://www.guidestar.org/) is also a great resource for researching whether a charitable organization is worthy of your support. It is often best to research the organization on both platforms to ensure the information is consistent.

    Other good resources for vetting an organization include your state’s registry of non-profits and the Better Business Bureau.

  2. Watch for suspicious e-mails, text messages, and phone calls.

    Social engineering threats, such as phishing e-mails and fraudulent advertisements, continue to increase at alarming rates, due in part to COVID-19. As a general best practice, avoid clicking links received via email and text. If a message or organization is of particular interest, it is often best to reach their webpage via an internet search or by typing their URL directly into your browser’s address bar, after confirming they are legitimate, of course (Item 1). This extra step reduces the risk of being misdirected to a fraudulent webpage. Remember, fraudsters often create exact replicas of common webpages, making it difficult to spot the difference.

    To avoid falling for a fraudulent webpage, look at the domain name and web address shown in your browser. Does it match the intended organization? Are there any glaring errors or misspellings? Sometimes these are not so apparent, so be careful. A simple trick such as swapping a lowercase “L” for the number “1” (l vs. 1; no, those are not the same character) may be the only difference between a legitimate page and a fraudulent one.

    If you are absolutely certain the email is trustworthy, take a second to hover over any URLs in the body of the e-mail to confirm that each leads to a trusted website, again keeping an eye out for misspellings or swapped characters. Avoiding the click altogether eliminates the need for vigilance at this stage.

    Lastly, we recommend similar caution for voice calls. Rather than disclosing your billing information and contributing money over the phone, tell the representative that you will donate via the webpage or mail a check. Then navigate to the trusted website via a search engine or a known URL.

  3. Remain vigilant.

    Once you’ve made your contribution it is important to remain vigilant. First, make sure you receive your donor acknowledgment letter in a timely manner; these should typically arrive soon after your donation is processed and before the end of the year. Second, make sure your transaction is processed or your check is cashed promptly; slow processing could indicate your account information is being used for other things. Lastly, review your account statements at least monthly. Daily monitoring of transactions is preferred where feasible.
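The “hover over” and domain-inspection advice above (the same advice appears in the unemployment-fraud and email-payment articles on this page) can be automated. The following Python example is added here and is not code from the original post: it pulls every link out of an email body, compares the domain the link text shows against the domain the link actually goes to, folds common character swaps (1 for l, 0 for o, rn for m) so look-alike domains match a vetted list, and flags a vetted name that appears only as a subdomain of some other domain. The vetted-domain list and the sample email are constructed for the example; the registered-domain logic is deliberately naive (last two labels) and would need a public-suffix list in production.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registered domains the reader has already vetted (constructed list for this example).
TRUSTED_DOMAINS = {"irs.gov", "guidestar.org", "ohio.gov"}

# Character swaps fraudsters use in look-alike domains (the "l vs 1" trick above).
# Applied to both sides, so "paypa1.com" and "paypal.com" fold to the same string.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]


def skeleton(host: str) -> str:
    """Fold look-alike characters so visually similar hostnames compare equal."""
    s = host.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Naive: a real tool would consult the public
    suffix list so that names such as 'example.co.uk' are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


TRUSTED_SKELETONS = {skeleton(d) for d in TRUSTED_DOMAINS}


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []          # list of (href, visible_text)
        self._href = None        # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_in_text(text: str):
    """If the visible link text looks like a URL or domain, return that hostname."""
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def check_link(href: str, visible_text: str) -> list:
    """Return the red flags for one link; an empty list means nothing suspicious."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode label in {host} (possible Unicode look-alike)")
    if reg in TRUSTED_DOMAINS:
        pass  # subdomains of a vetted registered domain belong to its owner
    elif skeleton(reg) in TRUSTED_SKELETONS:
        findings.append(f"look-alike of a trusted domain: {reg}")
    elif any(f".{d}." in f".{host}" for d in TRUSTED_DOMAINS):
        findings.append(f"trusted name used only as a subdomain of {reg}")
    shown = _host_in_text(visible_text)
    if shown and registered_domain(shown) != reg:
        findings.append(f"visible text points to {registered_domain(shown)} but link goes to {reg}")
    return findings


def audit_email(html: str) -> list:
    """Return (href, visible_text, findings) for every link in the email body."""
    parser = _LinkParser()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample: one genuine link followed by three of the tricks described above.
SAMPLE_EMAIL = """
<p>Dear donor, please confirm your gift at
<a href="https://www.irs.gov/charities-non-profits/tax-exempt-organization-search">irs.gov</a>.
Claim your refund: <a href="http://irs.gov.secure-refund.example/claim">https://www.irs.gov/refund</a>
<a href="https://guide5tar.org/donate">Donate Now</a>
Your 1099-G is ready: <a href="http://unemploymenthelp.0hio.gov/1099g">unemploymenthelp.ohio.gov</a></p>
"""

if __name__ == "__main__":
    for href, text, flags in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for flag in flags or ["ok"]:
            print("   ", flag)
```

Note the two caveats the code makes explicit: a vetted name inside a subdomain (irs.gov.secure-refund.example) is controlled by whoever owns the last two labels, not by the IRS, and a swapped character in the registered domain (0hio.gov) is a different owner even when the subdomain spells the expected name perfectly.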

 

If you are a charitable organization:

  1. Watch for suspicious e-mails, text messages, and phone calls.

    Charities can be a treasure trove of donor information and financial records, information that is very attractive to fraudsters. As discussed above, avoid clicking links in emails and texts and be suspicious of unsolicited phone calls. If it’s too good to be true, it probably is. Always verify the source and do not be rushed into a decision.

  2. Stay educated.

    Maintaining an educated workforce is critical. Fraudsters are having an easier time during the pandemic because the workforce is largely working remotely, so cybersecurity awareness has never been more important. Consider periodic awareness training to stay current on the latest threats and how to avoid them.

  3. Establish and maintain processes and internal controls.

    Established processes and sound internal controls have always been critical, but before COVID-19 few organizations faced the task of migrating those processes and controls to remote work environments. COVID-19 and a new environment are no excuse to stray from these fundamentals. In fact, it is more important than ever to ensure your processes and controls carry over to, and where possible are strengthened for, this new environment.

    Note that cybersecurity insurance coverage may be lost if these controls lapse, so make sure you understand the requirements of your policy. The dispersed, remote workforce introduces greater risk, and we are seeing a rise in malicious attacks. Your employees are also out of their routines and may find new ways to accomplish old tasks that could put the organization at risk. This increased risk, coupled with a potential loss of coverage, can be disastrous.

If you would like to discuss ways in which you can protect yourself, your organization, and/or your employees from fraud and cybercrime, please reach out to your HBK advisor.

For more information about Charity Fraud Awareness Week, visit the Fraud Advisory Panel website.




Cybersecurity Insurance – How Will Your Coverage Stand Up to a Claim?

Date September 1, 2020

Cybersecurity attacks have become all too common. Some optimists still believe an attack won’t happen to them, but realists are taking measures to reduce their chances of becoming victims and to limit the damage if they do.

According to this year’s IBM/Ponemon Institute “Cost of a Data Breach Report,” the average cost per compromised record across 17 industries was $161, with a high of $429 for the healthcare industry and a low of $78 for the public sector. At the industry-wide average of $161 per record, a breach of as few as 625 records would cost over $100,000. As well, a forensic investigation resulting from a ransomware attack where no data is stolen could easily cost a business $60,000 to $80,000, as Joe Brunsman of Chesapeake Professional Liability Brokers told us in our HBK Risk Advisory Services August 26 webinar. (Listen to our webinar on Cybersecurity Insurance Assessments.)

Your effort to improve your cybersecurity posture should include a defense-in-depth strategy, with your cybersecurity insurance policy serving as the backstop. But not all cybersecurity insurance is the same. As we learned during last week’s webinar, there are almost 200 different cyber policies. Some cover legal costs, computer forensics, data restoration and/or public relations. You should work with a specialist to ensure that you have the right policy for your business. Will your policy stand up to a substantial claim?

HBK Risk Advisory Services can help you determine how well your cybersecurity insurance policy will perform when you need it. Moreover, we can help you develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. We also offer Security Awareness Training featuring phishing simulations, IT security policy development and risk and readiness assessments.

Call us at 330.758.8613, or email me at wheaven@hbkcpa.com for more information. As always, we’re happy to answer your questions and discuss your concerns.




BEC Attacks Are on the Rise. Here’s What You Can Do.

Date July 30, 2020

In April 2019, Saint Ambrose Catholic Parish near Cleveland was scammed out of $1.75 million in a Business Email Compromise (BEC) attack. According to the investigation by the FBI and the Brunswick, Ohio police, the hackers gained access to the church’s email system and tricked the administrative staff into altering the banking information for the construction firm doing a major renovation at the parish. The parish made the $1.75 million payment to the hackers’ bank account, discovering the fraud only when the construction company called to inquire about the late payment for its services.

Business Email Compromise (BEC) attacks target commercial, government and non-profit organizations as well as individuals. According to the 2020 Verizon Data Breach Investigations report, BEC frequency increased nearly 225 percent in the past year. Median losses were $1,240 for individuals and $44,000 for organizations.

If you learn that you or your company has been the victim of a BEC attack, you should immediately do the following:

  1. Contact the bank where the funds were drawn.
  2. Ask your bank to contact the corresponding bank where the fraudulent transfer was sent.
  3. Contact your local FBI office as well as the U.S. Secret Service.
  4. File a complaint, regardless of the dollar loss, with the Internet Crime Complaint Center (www.IC3.gov). Note that it was a BEC attack.
  5. Inform your cybersecurity liability insurer.

The best approach to preventing BEC attacks is to implement a security awareness and training program that includes test phishing emails, and to design preventive controls into your payment process.

HBK Risk Advisory Services can help implement a cybersecurity awareness training featuring phishing simulations, IT security policy development and payment controls assessments to evaluate the security of your payment processes. As always, we’re happy to answer your questions and discuss your concerns.

Note: For more information on BEC attacks, listen to the HBK Risk Advisory Services BEC webinar at: http://hbkcpa.com/ras-bec-attacks/




Watch: Business Email Compromise Attacks, What You Don’t Know Could Cost Your Business

Date June 25, 2020

Cybersecurity crime and fraud, including Business Email Compromise (BEC) attacks, have increased dramatically during the COVID-19 pandemic. BEC attacks were the #1 source of payment fraud attempts on U.S. organizations in 2019. According to the FBI’s 2019 Internet Crime Complaint Center (IC3) Report, there were more than 23,000 BEC complaints with losses over $1.7 billion in the U.S. alone. Are you as prepared as you should be to prevent becoming a victim of a BEC attack? We can help you.

Download the materials (BEC 2020 June 24).




Are You Sure That Email Is Really From Who It Says It Is?

Date May 8, 2020

According to a recent cybersecurity briefing webinar from the Cleveland office of the FBI, bad actors continue to use phishing attacks to set up online and electronic theft. The criminals are using more targeted attacks and are willing to be very patient as they home in on an eventual payday. In the case of so-called Business Email Compromises (BECs), the evidence is that hackers, with little fear of discovery, spend weeks or even months identifying financial personnel at a company and studying their email habits and tendencies. Now that we are working remotely, business is conducted with almost no face-to-face interaction among employees, clients and vendors; we rely more on email than on phone calls. Hackers see this trend as an opportunity and are developing schemes to take advantage of it. Your business should be implementing email payment security measures. Our recommendations include:

  1. Scrutinize emails pertaining to subjects such as Accounts Payable, Banking or Finances.
    • Would the entity the email is supposedly from typically request changes to procedures or account information via email?
    • Study the sender’s domain name for subtle misspellings or replacements of letters with numbers.
    • Use the “hover over” technique on any hyperlink in the email, then examine the URL you see for the actual website/entity that will process the request.
    • Verify the request via a different method, such as a phone call or online chat, instead of an email reply.
  2. Require an employee who receives an email requesting a new or altered electronic payment to reach out to the “requestor” via a familiar or known contact point, such as a phone number already on file, to verify that the request and account numbers are real. Never rely on the contact information or account numbers provided in the email!
  3. Require a second authorization from a pre-designated member of your company, such as your CFO or director of finance, before making a payment requested by email.
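Items 2 and 3 above are process controls, and the payment-controls point in the BEC article earlier on this page makes the same recommendation. As an added illustration (not code from the original article), the following Python sketch models them as enforced rules rather than advice: the callback number is taken from the vendor master record, never from the email; the change is committed only after a confirmed callback to that number and an approval from a pre-designated second person who is not the clerk who handled the email. The vendor record, names, addresses and phone numbers are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Vendor master file: the bank account and phone number we held on record *before*
# any change request arrived. Constructed data for this example.
VENDOR_MASTER = {
    "V-1001": {"name": "Northside Construction (constructed)", "account": "111000111",
               "phone_on_file": "+1 (330) 555-0100"},
}

# The pre-designated second authorizers (item 3). Constructed for this example.
SECOND_APPROVERS = {"cfo@example.org", "finance.director@example.org"}


def _digits(number: str) -> str:
    """Normalize a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    received_by: str          # the AP employee who received the email
    phone_in_email: str       # contact number the email supplied; never trusted
    callback_verified: bool = False
    approved_by: Optional[str] = None
    log: list = field(default_factory=list)


def verify_by_callback(req: BankChangeRequest, number_dialed: str, vendor_confirmed: bool) -> bool:
    """Item 2: the callback only counts if it went to the number already on file."""
    on_file = VENDOR_MASTER[req.vendor_id]["phone_on_file"]
    if _digits(number_dialed) != _digits(on_file):
        req.log.append(f"callback to {number_dialed} rejected: not the number on file")
        return False
    req.callback_verified = vendor_confirmed
    req.log.append("vendor confirmed change" if vendor_confirmed else "vendor denied change")
    return vendor_confirmed


def second_approval(req: BankChangeRequest, approver: str) -> bool:
    """Item 3: a pre-designated approver who is not the person who handled the email."""
    if approver not in SECOND_APPROVERS or approver == req.received_by:
        req.log.append(f"approval by {approver} rejected")
        return False
    req.approved_by = approver
    req.log.append(f"approved by {approver}")
    return True


def release_payment(req: BankChangeRequest) -> tuple:
    """Commit the new bank details only when both controls have been satisfied.
    Returns (released, list_of_blockers)."""
    blockers = []
    if not req.callback_verified:
        blockers.append("no confirmed callback to the number on file")
    if req.approved_by is None:
        blockers.append("no second approval")
    if blockers:
        return False, blockers
    VENDOR_MASTER[req.vendor_id]["account"] = req.new_account
    return True, []


if __name__ == "__main__":
    # Constructed scenario: the email helpfully supplies its own "verification" number.
    req = BankChangeRequest("V-1001", "999888777", "ap.clerk@example.org", "+1 (555) 555-0199")
    verify_by_callback(req, req.phone_in_email, True)   # rejected: number came from the email
    print(release_payment(req))                          # blocked on both controls
    verify_by_callback(req, "+1 330 555 0100", True)     # accepted: number on file
    second_approval(req, "ap.clerk@example.org")         # rejected: same person as the recipient
    second_approval(req, "cfo@example.org")              # accepted
    print(release_payment(req))
    print("\n".join(req.log))
```

The point of the model is where the trust comes from: a callback to the number printed in the email would reach the fraudster and "confirm" the fraud, so the code will not even count it, and the second approver is checked against a fixed list and against the recipient so one compromised mailbox cannot satisfy both controls.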

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a roadmap for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Listen to a recent Risk Advisory Services webinar on Banking Controls at: https://attendee.gotowebinar.com/recording/8846183878460240903

Find a Risk Advisory Services Cybersecurity Article on additional Email Security Recommendations at: http://hbkcpa.com/cybersecurity-social-engineering-email-security-recommendations/
