Over the years, working with people in the cybersecurity field and talking to them about their experiences, I’ve heard some hair-raising stories.
Last year I was at a business leaders conference in Singapore, and I got talking to a guy who had learned the hard way how destructive cybercrime can be.
Brad (not his real name) is the founder and CEO of a major logistics company. The story he told me is astonishing, but unfortunately, it is also true.
It started at 6:25 pm on a Friday. Brad sat down at his computer and clicked open his email inbox. It had been a long but productive week and he was looking forward to the weekend when he would step out of his role as a CEO and just be a dad at his son’s birthday party.
The message at the top of his inbox was titled: ‘deal closed/clown found.’
Brad opened the message. It was a typically short and good-humoured note from his PA, Aaron.
‘Selina has closed the deal in Seattle. Payment authority link attached. Congratulations; you will soon own Washington’s second-biggest logistics company. Also: I have, as requested, successfully managed to retain the services of the balloon animal guy for Michael’s birthday party. Tough negotiation, but he is locked in for a 2 pm performance, Sat.’
Brad was stoked; it was the perfect ending to the working week. This Seattle deal was going to take him to another level as an entrepreneur. He glanced at his watch and punched out a quick response to Aaron’s message:
‘Good job! Michael will be thrilled. Party sure to be a hit... Also, pass on my congrats to Selina for closing the deal in Seattle. I’ll authorise the payment now. ;)’
Brad clicked the link in Aaron’s message, which took him directly to the payment authorisation form, and entered his PIN code, authorising the transfer of approximately $20 million and securing the acquisition of his first logistics business in Seattle.
He grabbed his jacket and headed for the garage lifts. Brad told me that he was whistling to himself as he climbed into his car - thinking about the grinning face of his son surrounded by absurd animals crafted from sausage-shaped balloons.
As he drove home Brad got a call from Aaron on his cell phone.
“Sorry to bug you Brad, I know you’re in weekend-dad-mode now, but I think you’ll be happy to get this news; the deal’s gone through in Seattle. Selina just advised me that we should forward the payment immediately. The banks over there close in half an hour and it would be great to lock this thing down.”
Brad smiled to himself. Aaron was always on top of things but he was a worrier with deadlines.
“No problem, buddy. I authorised that payment as soon as I got your email. It’s done.”
There was a brief silence on Aaron’s end of the conversation.
“My email? What email? I knew you would have left the office already so I called you. I didn’t send you an email.”
It was at this moment that the smile faded from Brad’s face and a feeling of unease began to grow in his mind.
“I already authorised the payment,” Brad told his assistant. “I did it as soon as I opened your email at 6:30.”
Brad heard Aaron clacking his keyboard on the other end of the line.
“I didn’t send you an email about this,” Aaron told him. “Let me check the bank records. Hang on. They haven’t received any payment, their bank is telling me. I can see the transfer amount on our account record; the money has gone out, but... I don’t recognise this receiver account number. Something isn’t right here.”
Aaron told Brad he would check into the details, and disconnected the call abruptly.
Brad stared at the red icon on his phone. A tight knot had crept into his stomach and settled there.
Cybercrime is Not Virtual - it’s Brutal
Estimates vary, but whichever numbers you look at, the trend in cybercrime is steeply upward. Growth in ransomware attacks alone shot up more than 300% between 2015 and 2016, according to statistics released by the FBI.
Cybercriminals are not amateurs in basements fishing for chump change; they are intensely focussed, organised predators.
Looking back over the last decade and a half running MailGuard, I have heard the stories, and seen the anecdotal evidence for myself. Cybercriminals are more persistent, more cunning and better organised than ever before.
More than 90% of cybercrime starts with an email. Millions of malicious emails are sent every minute, and the odds are that some of those emails are in your team’s inboxes right now. Most people cannot recognise the tell-tale signs of a scam email, and will click on malicious messages without thinking twice.
Here’s an interesting experiment to try: take a look at some of the recent phishing scam updates on our blog and then ask some of your team around the office whether they have received any of the messages we identify in the posts. These sorts of attacks are massive and ubiquitous. I’m willing to bet that at least one person in your office has seen these messages pop up in their inbox.
What people fail to appreciate about the infosec world is that cybercrime is not a software issue - cybercrime is perpetrated by and targeted at humans - it’s personal and psychological.
Cybersecurity is ever-changing and constantly evolving. Every new innovation we come up with to protect the privacy and security of our clients is probed and tested by the criminals as they look for chinks in the armour. Our mission is the constant evolution of new and better protection, but the technology we deploy is defending more than information systems, servers and networks. A business’s greatest assets are its people: a community of investors, employees and customers. When cybercriminals attack a business they don’t make a direct assault on the walls we build - they home in on the weakest point in the defences: the people.
Engaging and defeating a sophisticated security system is an almost impossible task - all those TV shows where the hacker furiously types code and breaks into the mainframe are Hollywood fantasy - it’s much easier and more effective for cybercriminals to gain access to a company’s secrets by sending a phishing email to the people who work there.
High-ranking business people have become the prize game in cybercriminals’ sights, and they stalk them relentlessly. As experience has taught me, it only takes a momentary lapse of judgement, a single click on a malignant link, to give the criminals access. Patiently lying in wait for their prey, all the criminals need to get inside the perimeter is to place the bait in their mark’s inbox and wait - they know it’s just a matter of time.
Blood is in the water. Millions of dollars are being stolen by cybercriminals as you read this, and with such big scores up for grabs, it’s no wonder email scams are such a booming business. According to one report, cybercrime is forecast to cost more than $6 trillion p.a. by 2021.
It Only Takes a Second to Lose Millions
That anecdote I started telling you earlier, about Brad and his missing $9 million, is a true story. I’ve changed his name, of course, and the identifying facts, but the events of the story are accurate, as he told them to me.
To finish the story for you: Brad spent an anxious weekend, trying to enjoy his son’s party, but constantly wondering what had happened to his money. When he delved into the details, Brad’s assistant, Aaron, quickly realised that the email Brad had received was bogus. The message had not been from Aaron at all. It had been sent by a skilful scammer who seemed to know everything about Brad and his business and had simply sent an email at just the right moment, with just the right information, to take advantage of a golden opportunity.
The shocking thing is that incidents like this are not uncommon. It’s relatively simple these days for hackers to sift through news reports, company websites and social media and find out enough data about CEOs to construct an accurate profile of their business activity and personal lives. A bit more digging will reveal their network of colleagues on LinkedIn, giving them invaluable information about their dealings and transactions.
With so much data to work with, cybercriminals can identify an opportunity and craft a fake email that will seem completely legitimate and authentic to the victim of the scam. Like Brad, we are all making split-second judgements about the authenticity of the emails we receive, and usually, if they seem to be from our co-workers and colleagues, we never check to see if they are the real deal.
The harm done to a business by a successful cyber-attack can go far beyond the immediate losses from theft. A security breach can cost a company millions up front, but there is also the far-reaching collateral damage to consider. The disruption that a cyber-attack causes can put a company out of action for days or even weeks. Lost revenue from such an incident can far exceed the immediate cost of the theft. In addition, there is the damage to a company’s reputation to consider; the perception by clients and others in the supply chain that a business is not secure can be very hard to repair.
Cybersecurity is Personal
Cybersecurity is a technical business in the sense that we work with high-tech tools, but our clients - the business people we protect - are just as vulnerable as the rest of us. Even the most savvy, well-informed person can have a lapse of judgement and click on something they shouldn’t. When we’re tired, stressed, or in a hurry, we don’t always take the time to make sure that those innocent-looking messages in our inbox are as benign as they look. And if you happen to be that unfortunate person whose two-second mistake ends up costing the company millions of dollars, the damage cannot be described merely in technical or financial terms. The emotional, financial and psychological impact of cybercrime is not often discussed, but it is very real.
Cybercrime hurts bottom lines and bankrupts corporations, but it also destroys careers, and ruins lives. This kind of crime is so common now that there are support groups for victims who have lost their money and their careers to unscrupulous scammers.
We are all capable of making errors of judgement. If the cybercriminals hunting us can deliver their malicious emails to us, there is always a possibility that we will fall into the trap. The work of cybersecurity in this day and age is to create a perimeter around the vulnerable humans in an organisation so that the bait sent by the hunters doesn’t get to inboxes in the first place.
We need to be treating the proliferation of cybercrime as a psychological as well as a technical battle. The hunters prowling the internet are stealthy and ruthless. Their determination to steal from us is motivated by the lure of huge potential rewards. They can be stopped, but we need to understand that in a world where a single email can yield a multi-million dollar payday, some very smart people will be lining up against us, and they are as committed to their business as we are.
Protect Your Business:
You can download MailGuard's comprehensive guide to avoiding CEO fraud for free, right now. The guide covers:
- How CEO fraud works
- Why cybercriminals are increasingly leveraging social engineering
- Why CEO fraud is a whole-of-business risk
- Common fraud scenarios
- A policy framework for mitigating the risks of fraudulent email
Download your free copy, here.