Preventing the Cyber Scams That Cost Businesses Billions

No Password Required

Technology


Each year, businesses are losing $12-$13 billion because of cybercrime. One criminal tool is called the Business E-mail Compromise (BEC), aka “The Man in the Middle Attack.” It begins when criminals use information, like that readily found on social media platforms, to target an employee. The criminal may phone or email the employee, gain their trust, steal their identity, compromise and access their emails and the business network (including human resources, banking and client accounts) and so on, all for the ultimate goal of stealing large sums of money.

In this podcast, Stacy Arruda, a cybersecurity threat specialist, provides insight on how individuals and businesses can better protect themselves against cybercriminals and take steps to prevent criminals from stealing their money or exploiting them in other ways. BECs have seen a 1300% increase since 2015, and, as Arruda says, “it’s no longer a question of 'if,' it’s 'when,' and not just 'when' but when you discover that the bad guys are inside your network.” Businesses have options, and they begin with training employees and reporting problems quickly. Having a strong corporate culture that trains employees about proper handling of emails, account security, personal information, and reporting can make a tremendous difference.

Stacy Arruda is a former FBI supervisory special agent with more than 20 years of experience in cybersecurity and counterintelligence. She is the CEO of the ARRUDA Group, a cyber threat consultancy firm, and the Executive Director of the not-for-profit Florida Information Sharing and Analysis Organization (FL-ISAO).

Stacy details how cybercriminals use social media to profile potential victims, building trust to gain access to networks. Anyone can be a target, and cybercriminals do their homework by connecting the dots to gain access to large payouts.

Arruda notes that women, in particular, seem to overshare information on social media, nearly every aspect of their lives, and it’s a problem. As an educator and speaker, Arruda speaks on how women can better safeguard their information, warning that online activity can escalate to physical threats and exploitation.

Children can also be targeted. Predators can use simple techniques to lure information from children, and they can cross-reference social media to gain information about the family. Gaining a real name online can have a criminal scrolling a family’s social media profile and readily finding things like an email, place of work, child’s school, and after-school activities. Monitoring a child’s online activity and restricting shared information is important to the entire family’s safety.

The business email compromise (BEC), also known as “The Man in the Middle Attack,” is a cybersecurity scam that is typically short-lived and aimed at stealing information and money. “Once they send that email, and you click on that email, the bad guy has a lot of avenues that they can go down. Once they're sitting on the network, they can steal data, they can introduce ransomware and shut down the network. They can sit on the computers and they can wait for invoices to come in and wait for payments and steal money,” states Arruda.

Well-organized criminals, terrorists and spies use the information that is innocuously shared by us to gain our trust so that they can:

- Target email attacks
- Access compromised emails and files anywhere on the network
- Access human resources
- Access business accounts, such as banking
- Disguise themselves as business representatives
- Disguise themselves as clients
- Authorize wire transfers to accounts all over the world
- Change account routing information in a record or during a transaction

Arruda recommends that companies hold security drills, much like fire drills, to implement a response plan and reinforce the company’s culture on security.

The FBI has a unit called the Recovery Asset Team, where companies can report a compromise for the possibility of freezing accounts to stop the wire transfer. Time is of the essence relative to how quickly a bank will process a wire transfer; two weeks is far too long, and the money will likely be unrecoverable.

SOME KEY POINTS:

Security is often a failure because of two factors:

- Human error, such as misconfiguring software, oversharing information, and lack of training on how to spot and report criminal activity, and
- Convenience, such as not taking the time to update system patches, use multifactor authentication, or use our own records to contact clients rather than the information found in their email.

For the individual, Arruda shares that human error and oversharing can be the gateway to being compromised. Keeping system patches up to date, using strong passwords, and reducing one’s cyber footprint, such as by not oversharing personal details or falling for scams that play on our likes and dislikes, can be key to preventing cybersecurity threats at home.

Defense-in-Depth is a tactic that individuals can use to protect themselves. Keeping our systems patched, running a firewall, running antivirus software scans, and using strong passwords are examples of how an individual or business can add layers of defense against cybercriminals.

An untrained employee is a liability, and changing company culture to encourage calls to higher-ups to confirm requested transactions is a must.

BEC has seen a 1300% increase since 2015, and it’s getting worse because “it’s an easy way for criminals to make a lot of money quickly.” Defense-in-depth is one way to hinder BEC criminals.

Posting on the internet so openly, especially on social media, is creating opportunities for criminals to target and manipulate individuals. Controlling your footprint on the internet is vital, and being elusive may discourage a criminal from targeting someone.

Businesses can also add a layer of protection by not sharing or oversharing personal information about their employees, such as that the CEO is married to so-and-so and that their children’s names are Tom, Becky, and Mike, along with their ages. Criminals profile and store this information, and this creates unnecessary risk.

The FL-ISAO, which helps to build cyber resilience for the state of Florida, has an agreement with the Department of Homeland Security to encourage removing the corporate stigma of sharing information to prevent data breaches, hacking, cyber incidents, cyberattacks, and other cybercrimes. Trends show that reporting to the Internet Crime Complaint Center has increased and more and more victims are willingly coming forward. While this is critical, more can be done, so the FL-ISAO is expanding to provide training, tips and business support to prevent cybercrimes.

Organizations can contact Arruda via www.flisao.org or via email at info@arrudagroup.com.

TIME STAMPS

1:00 About Stacy Arruda, Cybersecurity Expert
1:38 Oversharing on Social Media Can Compromise Your Security
2:51 Using Email to Breach Your Network
6:41 Reporting Cyber Incidents & Breaches – Time Matters
7:14 Using Defense-In-Depth to Stop Cyber Crimes
9:11 How Convenience Can Cost Billions
9:50 Human Error: A Major Factor in Cybercrime
12:41 BEC Crimes
19:00 Cybercrime Rings Stole $11 Million
21:28 Victims, Including Businesses, Should Break the Silence
22:26 Building a Corporate Cyber Culture to Stop Data Breaches & Cyber Crimes
27:08 Women: Targets of Cyber Crime
30:22 Cybercriminals Targeting Children
35:52 Florida Information Sharing and Analysis Organization (FL-ISAO)