Criminals in 2012 are increasingly targeting the accounts of business owners and executives as a way to facilitate financial fraud and CIOs can help protect their organizations against these attacks.
RSA, the security division of EMC, says one in every 300 emails circulating the web in 2011 contained some elements pointing to phishing, and those phishing efforts were primarily focused on perpetrating financial fraud.
"Compared with the total numbers of phishing attacks recorded in 2010, phishing numbers have increased considerably through the past year," RSA says in its fraud report, The Year in Phishing: January 2012. "The cumulative number of phishing attacks recorded through 2011 was 279,580-a 37 percent increase from 2010."
RSA predicts phishing attacks would continue to spread in 2012.
In December, the Federal Bureau of Investigation (FBI) warned that it had seen a rising trend in which cybercriminals compromised email accounts to request and authorize overseas wire transfers. It also reported criminals were using variations of legitimate email accounts to trick banks into thinking a wire transfer had been legitimately initiated.
"The FBI has observed a trend in which cybercriminals are compromising the email accounts of U.S. individuals and businesses and using variations of legitimate email addresses associated with the victim accounts to request and authorize overseas transactions," the Internet Crime Complaint Center (IC3), a joint effort by the FBI and the National White Collar Crime Center (NW3C), said in an alert issued on January 20. "The wire transfers are being sent to the bank accounts of individuals typically located domestically or in Australia and the funds are being sent directly to Malaysia. Investigations indicate that some of the money mules in the U.S. and Australia are victims of a romance scam and are asked to further transfer the funds to Malaysia. As of December 2011, the attempted fraud amounts total approximately $23 million; the actual victim losses are approximately $6 million."
The public sector is the biggest target of phishing attacks, but criminals are also targeting small and medium enterprises (SMEs), according to RSA. Jorge Rey, director, Information Security & Compliance with Kaufman, Rossin & Co., P.A., concurs with that assessment. Rey notes that SMEs are often vulnerable to such attacks because they tend to focus less on security and have fewer security resources than larger enterprises.
"In the past six months, I've had several clients call me and tell me that it occurred," Rey says. "We also consult with banks and hear about it. It's not something that is happening to our clients on a daily basis, but on a larger scale I would have to believe it happens on a daily basis."
Rey says he has seen a customer lose as much as $400,000 from its accounts due to such activity.
Eight Steps You Can Take
Business owners and CIOs can take steps to defend themselves from these crimes. Rey recommends organizations take the following steps:
- Talk to your financial institution. "The first thing you want to do is understand what your liability is as a business owner," Rey says. "If something happens who is responsible for what? That way you know how to manage your liability." You should also ask your bank to describe its solutions for preventing fraudulent wire transfers.
- Perform regular security audits and risk assessments. This will help you understand you're your vulnerabilities are, what data is at risk and what you can do to better protect your organization. As part of your assessment, create a response plan. "Have an IT audit with professional auditors who will help you identify your risk or give you assurance you are doing the right thing," Rey says. "This is something that should happen on a periodic basis at least twice a year. There are new threats ever year. Nowadays, computers are creating malware, it's not even people creating malware. It's a very automated process."
- Install an anti-virus solution on your computers and network and keep it completely updated. While a determined attacker can get around an anti-virus solution to install malware on your machine, you don't want to be the low-hanging fruit.
- Dedicate a computer for financial transactions and only use it for financial transactions. You should use a unique password to access the computer and don't use it for other activities, like reading email. "Take the computer, put it in a corner and use that computer to do these transactions," Rey says.
- Segregate responsibility for initiating wires from the responsibility for authorizing them, and ensure that each party uses different computers with different authorization credentials. "That way, even if the hacker can compromise your user ID and password and he goes and initiates a wire, someone else would have to approve the wire before it goes out."
- Keep a suspicious mind when you receive email that asks you to click on a link, open an attachment or that seeks your credentials-even if it's from a trusted source like your bank. You can often spot a fraudulent email because of poor grammatical structure, misspellings, typos or other errors. But some fraudulent emails can be very convincing. For instance, it could look exactly like an e-mail from your bank. Sometimes, only the URLs embedded in the e-mail can give it away. Criminals will sometimes modify the top-level domain of a URL (e.g., switching .com to .net) or substitute a letter for a number or vice versa (e.g., switching abc0123.com for abcO123.com). "If you're not expecting an e-mail, you should not assume it's legitimate," Rey says. "Always double-check."
- Be careful when following links on social networking sites or when asked to give information over the phone. Criminals like to compromise social networking sites because users often treat them as safe, trusted places. Clicking on the wrong link can expose you to adware or spyware. Likewise, don't give up authorization credentials over the phone.
- Review your online banking records on a daily basis. If someone has managed to access your account, you may be able to spot it and prevent a fraudulent payment. But you have to stay on top of it. You have a very small window of opportunity.
How to Respond If You've Been Compromised
If you find that your computer or account has been compromised, there are a number of steps you should take:
Talk to your bank. Ask them to disable your online access and give you a new account. And ask if it recommends any additional steps.
Try to trace what happened and how it occurred. Stop using any computer that is potentially infected. If you can, clean the computer.
Use a non-infected computer to change your passwords.
If theft is involved, you should talk to the police.
Look at your insurance policy. Make sure you understand your liability and what your policy covers.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.