Mitnick In The News
E-mails that want your property
Sep 1, 2016 - CPA Canada, by David Malamed
Companies around the world are becoming victims of scammers who take the identities of entrepreneurs. In Canada, this means that billions of dollars are lost each year.
Attention to the red button
In June 2015, Ubiquiti Networks, a company in San Jose (California) specializing in wireless communications, said in its quarterly report with the Securities and Exchange Commission (SEC) that it had been stolen $ 46.7 million US through e-mail fraud, including fraud or scam called the false orders for international transfer (FOVI) or, in English, Business Email Compromise (BEC) scam.
"Identity was usurped some of our employees and sent requests for funds on behalf of our finance department, said the company in its report to the SEC. This fraud has resulted in transfers of funds from our Hong Kong subsidiary to other overseas accounts held by third parties. "
Robert Pera, founder and CEO of Ubiquiti, and owner of the Memphis Grizzlies (NBA) has not released details of the case. The company however, that it was working with the FBI and that it expected to recover at least US $ 15 million.
Ubiquiti the case is far from an isolated case. Last June, the FBI issued a public notice indicating a dramatic increase in the number of "BEC scams." The opinion recounted that, worldwide, authorities in 100 countries and individual US states had received complaints about this type of fraud. From October 2013 to May 2016, the authorities received reports of 22,143 victims, whose total losses amounted to more than US $ 3.1 billion. From January 2015 to May 2016, the FBI was an increase of 1300% in the number of listed victims and probable losses.
A CBC News investigation revealed in November 2015 that the FOVI scams were costing Canadians hundreds of millions of dollars each year. "The phenomenon has suddenly seized momentum in 2014, losses from almost zero to $ 19 million," said NBC Daniel Williams of the Canadian Anti-Fraud Centre (CAFC). "According to a study by the CAFC and police, less than 3% of these frauds are reported. Therefore, losses are probably much higher, in the range of $ 500 million to $ 1 billion. "
Usually, the scam begins by sending an email (which the author seems to be the boss of the target company) to a finance department employee, in which the so-called boss asks an employee to transfer funds. "When the employee meets, email the author earns her trust by deceit and leads to transfer a large sum in an account of a bank other than the company, said Richard Greenane, IT advisor Ireland . It's simple, but very effective. One of the tricks used to convince the employee to tell him someone will call him to give him the details of the transaction. Obviously, this call is also a deception. "
This scam is usually perpetrated against companies "working with foreign suppliers or make regular wire transfers," the FBI stated in its opinion. Often funds transferred to foreign banks are transferred several times. "The final destinations of these transfers are usually banks in China and Hong Kong. "
Since its appearance, this type of fraud has evolved. Criminals are now go not only for entrepreneurs but also for lawyers who request immediate transfer for an urgent transaction.
Victims are reluctant to explain how they have been duped, but it appears from the limited information they are required to provide under the qu'Ubiquiti regulation is far from the only company in his case.
Earlier this year, FACC Operations GmbH, an Austrian company that manufactures aircraft components for Airbus and Boeing announced that cyberfraudeurs stole around € 50 million in its bank accounts, reports the website softpedia.com . The bulk of the money, do we later learned, was diverted to bank accounts in Slovakia and Asia.
In May, FACC announced that it had fired its CEO Walter Stephan, because of this scam that he had lost a total of € 52.8 million, € 10.9 million had already been recovered (the the company had previously sacked its Chief Financial Officer). The attack had serious repercussions for FACC, who "declared total losses of € 23.4 million for the year, largely due to the loss of € 40.9 million due to the scam line, "reported the website. Since then, the bank Crelan, Belgium, announced that she too had lost more than € 70 million in this way.
How shall fraudsters? On the one hand, they use manipulation techniques to obtain specific information on targeted companies (who should we join, what the jargon of the business, etc.). On the other hand, they exploit the tendency of employees to meet, often without thinking, to a request from the CEO or CFO.
"Why are handling techniques so effective? Not because people are stupid or lacking in judgment, but rather because, as humans, we are all vulnerable to deception and we can therefore give our confidence to a clever manipulator, "wrote Kevin Mitnick, former hacker become cybersecurity adviser, in his book the Art of deception. the importance of the human factor in computer security. "The manipulator anticipates suspicion and resistance, and is always ready to transform suspicion into trust. A good manipulator imagine his attack as a chess game, providing questions that the target is likely to ask him to prepare the answers. "
A common manipulation tactic is to flatter, cajole or intimidate a victim on the phone until he provides information such as the company's passwords.
Vice magazine interviewed one of these fraudsters experienced in handling, who spoke on condition of anonymity. He explained that the manipulation was done largely by phone. "People reveal personal information without thinking, just because a caller asked what type of virus they use. "
According to him, the most effective strategy is humor. "If I can make a person laugh in 30 seconds, the game is practically won. "
Before calling his victim, he first track in the profile. It gets its name by the receptionist. He then consults social media to learn all he can about it, and then uses this information to establish contact. For example, he learned through social media that a woman he loved targeted Dexter TV series. "Armed with such information, he explained, it is easier for me to start coax. "
Usually, the people targeted by scammers communicate unencrypted emails with leaders of wire transfers within the company, according to the FBI.
Protection against fraud FOVI to begin with the most obvious measure: the awareness of all staff to the manipulation techniques used by fraudsters. Must provide annual training sessions on the subject and integrate such initiation sessions for new employees. As scam artists covet passwords, it is appropriate to require that no employee, in any event, not communicating a password by phone, much less email. A password must be communicated in person or after a rigorous verification of the legitimacy of the applicant.
Equally important is the implementation of effective controls to ensure verification of incoming checks and compliance with procedures for approving transfers of funds. However, these controls are useless if the company culture allows senior management to ignore it. If scammers learn that such business leaders have used to intimidate their staff to do their bidding, they will target this company.
Even if it goes against common practice, companies should consider reducing the use of email to conduct their financial transactions. "If you use email, advises Chubb Ltd., establish a Callback process to customers and suppliers for all transfers of funds. "
Finally, companies would be well advised to assess their vulnerability to email scams. It is better to entrust this task to absolutely reliable specialists, responsible for simulating a scam without the knowledge of all staff, except for some executives. The results can be reassuring or demonstrate the ease with which scammers could jeopardize corporate security.
Through training and the implementation of effective controls, it becomes much more difficult for hackers to perpetrate a fraud FOVI.
David Malamed, CPA, CA • IFA, CPA (Ill.), CFF, CFE, CFI, is a partner in forensic accounting at Grant Thornton LLP in Toronto.