CyberSound™

086 - Recent Cyber Attacks in CT: Protecting Your Business from Financial Fraud

Vancord Season 1 Episode 86


This summer, numerous businesses around Connecticut have fallen victim to cyber-attacks. These sophisticated and often expensive incidents remind organizations that they need good processes and controls in place to stay protected.

On this topical segment of CyberSound, Jason sits down with the President & CEO of Vancord, Michael Grande, to put a financial perspective on the implications of these attacks. Jason and Michael discuss common threat actor motives and methods, the importance of vendor management, cyber liability insurance, and best practices that organizations can employ.

______________
Stay up to date on the latest cybersecurity news and industry insights by
subscribing to our channel and visiting our blog at https://www.vancord.com/💻.

Stay Connected with us 🤳
LinkedIn: https://www.linkedin.com/company/vancord
Facebook: https://www.facebook.com/VancordCS
Instagram: https://www.instagram.com/vancordsecurity/
Twitter: https://twitter.com/VancordSecurity

00:02

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.


Jason Pufahl  00:11

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by CEO of Vancord, Michael Grande. 


Michael Grande  00:17

Thanks for having me. 


Jason Pufahl  00:17

Sure. So, close to home for us. New Haven had $6 million stolen from a couple of different sources, but I think the predominant was, you know, sort of wire fraud or funds transfer relative to their school bus contract, right?


Michael Grande  00:37

Yeah, you know, it seems like a pretty, and there's no standard for any of this stuff, but a case of impersonation and email compromise.


Jason Pufahl  00:47

Yeah, business email compromise, standard stuff.


Michael Grande  00:50

And, you know, the role, the Chief Operating Officer was, that role was able to then dictate, you know, fraudulently, the bad actors here, changes in the account designation for where payments should be going and routed to. So internally, changes were made, wire payments for the beginning of the school year were about to be sent out, and they ended up in the hands of the wrong people.


Jason Pufahl  01:17

So I'm gonna step back a tiny bit, because I know, really, this is gonna be the Michael Grande show, because this is your area of expertise, right. But from a business email compromise standpoint, just so people are familiar with the idea, a lot of times, you know, these threat actors, hackers, whatever you want to call them, will get access to email, either by initially doing a phishing campaign, getting a username and password and being able to log in as somebody, or, you know, maybe they've gotten credentials some other way. But somehow, they have access to somebody important's email, right, COO probably in this case, and they'll monitor email communications, and when they ultimately see something having to do with a payment transaction, they effectively then insert themselves into that conversation, they start to say things like, hey, could you please make a change to the routing number or the account number, so they actually ultimately get those funds. The creative part, though, is they always delete the email in the backend. So typically, the individual who owns the account really doesn't see the emails, doesn't actually know. And this can go on for a while.


Michael Grande  02:20

You know, I think so many folks, when they think of an email compromise, they think of a brute force, you know, commandeering of an email. And, you know, unfortunately, it's a much more sophisticated and suave, you know, style that the bad actors employ, to really understand the timing. When is an important business cycle for this organization, when do a lot of funds start moving, when are communications really increased? Because that's an opportunity, they are crimes of opportunity, of course, and, you know, financial fraud, they want the fewest amount of interactions to result in the largest amount of payoff, right. And so they condense this all down. Many municipalities, federal organizations, and other entities have mid-year fiscal year beginnings. So, you know, end of June, beginning of July, and so it becomes a prime target for a lot of these places.


Jason Pufahl  03:20

Yeah, it would be unfair to call these, you know, unsophisticated attacks. I mean, they know what they're doing, they understand the business cycles, they absolutely understand the technology piece of things. We kind of were joking a little bit before this, October is Cybersecurity Awareness Month, and the topics are the same as last year, right? Again, phishing is pretty much the number one thing on there, and it continues to be an issue, not because organizations haven't done a good job training, not because we don't have the technical tools in place, but the threat actors have gotten really sophisticated, they understand how to do this, they understand how to target individuals, rather than these huge groups of people. So, it continues to work.


Michael Grande  03:20

And you know, not to jump around. And certainly this is not an expression of any type of opinion about the controls that may have been in place for New Haven, in the school system, you know, understand that all sorts of organizations employ a lot of different training and a lot of controls. And we're certainly not privy to what was in place or not in place at the time. So this is more just a general expression of sort of best practices that a lot of organizations can employ. I will say, reading an article recently about the large MGM hack, there was a line that really was very, really scary, actually, in that one of the groups involved, the bad actors, said they were able to use LinkedIn to figure out who in the organization they could take advantage of, and then place the call to the internal help desk team, and that's how they gained access. And, you know, that could happen in any size organization.


Jason Pufahl  04:59

So it's hard, you know, when I do security awareness training, I have a slide always about social media. And I always sort of say, like, this is not a public service announcement where I say don't use social media, but you do need to understand what the potential risks are. And there's a lot of data out there for these threat actors to mine before they actually execute these attacks. So, alright, so we know business email compromise, we know they got in, what sort of best practices can companies use to protect themselves against this? Because at the end of the day, the actual transfer of funds, it's not really a technology issue?


Michael Grande  05:34

No, it's not. You know, there's a lot of financial controls. And I'll touch on a few that really easily come to mind from a defensive perspective. But also really important to keep in mind here is that business process and business enablement, right, that's technology and security protocols, you don't generally want to, you know, make it more challenging to do business on a regular basis. But it seems like what happens is, that's exactly what happens, the more security protocols that are put in place, the more difficult it is to transact business. So it's really important to, you know, tether sound financial controls with an understanding of good security awareness. You know, having a budget and forecasting in place, so you understand how much money you should be spending in certain areas, seems very basic. But you know, a lot of organizations don't necessarily review that on a regular basis and update it. Segregation of duties. Honestly, if there's one primary takeaway, and for very small business owners, it's hard, right, you don't have enough folks that may have access to different accounts, in order to really split up those controls as safely as you'd like to. And in many cases, it may just be one principal of an organization and maybe a clerk or an internal office administrator, who's doing some check cutting. As you scale up in organizations, obviously, you've got accounts receivable, accounts payable, all these different departments that are having some degree of input. And then usually that heads off in some sort of management structure, either Chief Financial Officer or Finance Director, etc. What I really think is so important, though, is that a lot of these duties, both on the receiving and on the expense cutting side, are split up. Because in doing so, with verification in place, you have multiple sets of eyes, multiple controls over money that's going out. And that's really the most important.
Generally, we're not finding, this is not a Robinhood situation where, you know, people are stealing from very wealthy companies and just depositing money into the, into the accounts of the smaller businesses. Interesting problem to have, doesn't exist current day.


Jason Pufahl  07:43

So, let me interrupt you for a quick second, though, so from a checks and balances standpoint, if you're fortunate, you have a couple of people, if one person receives a request, they should probably reach out via a different medium. So if you got that request via email, maybe make a phone call directly to the person, right? Because email, of course, if it's compromised, you're in that same position.


Michael Grande  08:03

Absolutely right. Always, you know, multiple levels of verification should take place. We have an internal rule where an email request is just one method. And it's not the only method, or it's not the final method, that can be employed to either change account information, or change a vendor contact or anything like that. We have set up internally multiple layers that ultimately end in a voice verification, meaning a good phone number that we're aware of, of a client, or of a vendor, verifying the information that we have in place. And that's just good practice, to ensure that we cover those bases. Always having an audit trail also really, really helps. It helps if mistakes are made, mistakes get made all the time and it's understandable. I meant to send this here, but I accidentally sent it there. The financial system as it's set up, especially when it comes to wires, rather than other forms of payment, right? If you have a check, and we'll talk about this in a moment, but you know, a wire is, in that moment when a wire is sent, and this is why wire fraud is such a large component of all these financial crimes, it's gone. And it doesn't necessarily come back and isn't easily retrievable. It's sent through the wire system, and it could be to a nameless, faceless entity, if they've changed the account information on the end, the rightful recipient has almost no chance of trying to claw back those funds and the sender, the person who sent the money, is going to have a really, really hard time if they don't catch it in time to stop the transfer. So that's why we see wire transfers as the primary mode of crime when it comes to a lot of these fraudulent activities. There are new systems in place with banks and I think it's really important to touch on them briefly, on how payments, and vendor payments primarily, are approved.
And what's happened is the very big banks, and even down to small community banks, have realized that a lot of the burden needs to be shifted back to them, they have the technology, they've implemented technologies to try to make it easier to transfer money. And what they then need to do is train their clients on what the safe practices and best practices are. So you'll notice, even for some personal accounts, you'll have something called Positive Pay, meaning you can send a check. But daily, someone from your staff needs to go in and verify both the account where it's being sent, the amount that it was sent for, the check number, all that information needs to be verified in order for that check to cash. Reverse Positive Pay is another very common term out there, that just means it's going to be paid unless you say don't pay it. So the banks have tried to set this up in a manner that makes the most sense for their clients. You know, we have a large banking relationship with a very large national bank, we also have relationships with smaller community banks. What's nice is that the positive side of regulation is that it's now being sort of applied to all, everyone has to enforce some of these standards, which is really for the client's benefit.


Jason Pufahl  11:13

Is it fair to say, and this is the naive side of me who doesn't deal with the finances all the time, is it fair to say that in an age where we want everything to go faster, all of the time, banks are actually inserting process that slows these transactions down a bit and maybe gives an opportunity for a client or a payee to recognize that they made a mistake? Or is that not the right way to think about this?


Michael Grande  11:34

No, I certainly think from a marketing perspective, that's how it's being positioned. And I think it is fair to say that. I'm not going to get the old saying right, but you know, an ounce of prevention is worth a pound of cure. And yes, there are more steps that are involved in the beginning of the process, or in the midst of the process, but much better to ensure that it's done correctly. 99% of the time, it still gets transferred, the funds still move to the places they need to go, vendors are paid, payroll is covered, we didn't even touch on payroll yet. But all of those things will still move. And those very, very few times when a mistake is made, it's caught, or when fraudulent activity comes up, it can be caught. You know, another control. And this is something I'm partial to, we're lucky enough, we have a fantastic financial team at Vancord, and we're able to segregate those duties as we talked about before. But when it comes to reconciliation, it's a very boring accounting term. But it basically just means making sure that the records that you have of the money that's come in and gone out are verified. And that anything that's outstanding is flagged and watched for, because it either should have been cashed or should have been deposited. That's an area, especially with small businesses, that people ignore, and many small businesses don't take the time to reconcile accounts. They don't, you know, they've got a checking account, as long as it's got money in it, they can make payroll, they feel good, everything is going alright, hey, we're making money. The reality is, there could be people internally also doing nefarious things and taking actions.


Jason Pufahl  11:36

Yeah, the insider threat's a real risk, for sure. 


Michael Grande  12:39

Insider threat, especially from a financial perspective, is a real risk. And so splitting up those duties, rotating responsibilities, so the same person doesn't get to, you know, reconcile an account that they have full control over. That's a key, you know, quick story, back when I first got into banking, I was told that I had to take a two week vacation my first year. And I was shocked, I had never taken more than a day off. And they said, no, no, you have to take the two weeks, because that gives us time to sort of review accounts that you touch on a regular basis to ensure that nothing is going on. And I don't think that those rules are still in place. They may be for different types of banks. You know, I was at a small community bank, but you know, those types of safeguards, you know, are really, they're put in place for everybody's benefit: clients, vendors, etc. And then, you know, the last thing I would say is to really have a really good process and protocol as it relates to vendor management. Understanding how that process should be put in place, how new vendors are brought on board to an organization, if you're going to be sending money out. It doesn't matter if you're a nonprofit, it doesn't matter if you're a for-profit large national corporation or a small mom and pop, setting some level of protocol in place, like when we have a new vendor, we understand we get this information, we verify it, having that in place and following that is, you know, it's what you talk about with security fundamentals all the time. It's the basic fundamentals of good sound financial management.


Jason Pufahl  14:59

So, certainly, the checks and balances part makes a ton of sense, the verification part makes a ton of sense. It's great to hear the banks feel like they play more of a role, maybe, now. How about cyber liability insurance? So I know with New Haven, greater than half of their money was recovered? And I don't know the specifics about why, maybe it was not wire transfer and there's something else there, but where does cyber liability insurance fit here? And are they going to potentially make a business whole if they were a victim of this?


Michael Grande  15:30

Well, I've heard on many occasions, from folks who will either call us or I'll get a phone call or a message that says, you know, I think I was the victim of some, fill in the blank, you know, financial fraud or crime or, you know, and then when you dig down a little more, you find out that they originated the payment, and they had the opportunity, they were asked by the bank 15 different times. I sent a wire this morning, just so you know, I can speak to this, I received a 10 minute phone call, explaining my identity, explaining my background, and verifying that it was okay to wire those funds. That happened this morning to me. So they generally, in many cases, just click through and say yes, I'm aware of these risks and I'm still going to go through with that. There's probably, and I don't know this for sure, but if, you know, I was a betting man, I would say the more information that is available to investigators after the fact that a person knowingly went through a transaction, had the opportunity to stop it, and still didn't, and had the opportunity to verify the information. Cyber liability insurance does cover a variety of these things. But in some cases, they will probably start pushing back and not covering, and I think in some cases, when there's a knowing risk or an internal issue that led to it, negligence perhaps, there's a high probability that they will not pay.


Jason Pufahl  16:57

Yeah, I mean, I think they treat that like a self-inflicted incident essentially, right, like you had opportunities, you didn't take those opportunities and change your behavior. This is what you find yourself in.


Michael Grande  17:07

Yeah. So, it's troubling. There's obviously, we could spend a lot of time talking about this.


Jason Pufahl  17:13

And then this is a big dollar one, right. $6 million is a lot, I think, you know, we've been on the side of some seven figure transfers, but I feel like most of the time, it's, you know, $50,000 here, and not to say they're insignificant, but they can be overlooked. So do you have, and maybe subsequently, do we have thresholds where anything over $1,000 gets extra scrutiny, or something like that?


Michael Grande  17:36

Yeah, absolutely. And, you know, it's not a question of trust, it really comes down to just, you know, back to what I was talking about before, good controls and good protocols. Whereas, you know, certain staff have certain access to transfer and keep the course of business moving, right, and not slow down our momentum on a daily basis. And then there's different things that maybe the Chief Financial Officer of the organization needs to have approval over. And then beyond that, there may be things that I need to have approval over. And beyond me, there may be things that the board needs to have, you know, the way we're structured with a Board of Directors, that needs to have approval over. Obviously, as I spoke about at the beginning, not slowing down progress, and keeping things moving, is the goal of every cost center's organization, right. The finance department isn't necessarily a billable entity. You know, we're thinking in terms of how do we make this efficient, easy, have a great client experience, and keep things moving? But yeah, approvals, internal controls, all of those things are really important.


Jason Pufahl  18:44

So, great topic. Clearly, it's certainly a threat that I think every business owner has to recognize is real. And to your point, really, at the beginning of this, it is about sort of that speed of execution sometimes for these attackers, and you know, getting $1,000, it potentially is a nice payment, 6 million, clearly better, but it's not all about big dollar funds. It is about getting some return on their investment of time, how quickly can they execute it, but we see these all the time, they are a real risk. There are controls and I think steps that businesses can take to really protect themselves. And I think you laid it out nicely.


Michael Grande  19:24

Yep, and, you know, at a conference I was at in July, the head of one of the district offices of the FBI spoke up to a group of MSSPs and leadership and said very clearly, they want to know when funds are illegally begotten, meaning if there's a transfer, even if it's a ransom payment, which we didn't touch on, but if there's some level of embezzlement or extortion or other types of payment that is going out, even if it's neglectful, potentially internally, they want to know because they want to be able to trace those funds. I do believe in the case of New Haven, they did recover, I think at least half?


Jason Pufahl  20:02

Yeah, I want to say 3.8 million, I think.


Michael Grande  20:04

So, you know, obviously, the banks have to play a really big part there in participating, but you need the strength of the FBI and other large law enforcement groups behind you.


Jason Pufahl  20:13

Right. So well, hey, thanks for joining, talking about this. Obviously, you know, Michael knows what he's talking about. If anybody wants to dive into this further, happy to chat a little bit about experiences we've seen, or really more specific ways to protect your business and put some of these proactive controls in place. So, Michael, thanks for joining.


Michael Grande  20:32

Absolutely. Thanks for having me.


20:35

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.