Daily Archives: November 1, 2019

#cyberfraud | #cybercriminals | Insider Threats

Source: National Cyber Security – Produced By Gregory Evans

Insider Threats

Sunday, November 3, 2019

What’s an insider threat? Loosely, it’s a threat that operates from within your organization. In this CyberWire special edition, our UK correspondent Carole Theriault speaks with experts who’ll talk us through the different ways insider threats manifest themselves.


Dave Bittner: [00:00:07] What is an insider threat? Loosely, it’s a threat that operates from within your organization. We’ll hear shortly from some experts who will talk us through the different ways insider threats manifest themselves. But consider, as you listen to what they have to say, that even the clearest forms of insider threat – the rogue, the turncoat, the sellout, the traitor, the reckless eccentric – those aren’t always easy to spot, even when you know what to look for.

Dave Bittner: [00:00:33] If it were easy, would the FBI have taken so long to realize that Robert Hanssen was spying for the Russians, years after another special agent laid out all the classic signs of someone who’d been recruited by a hostile service? Would NSA have let Hal Martin walk out the gates of Fort Meade with a terabyte of highly classified information? How did the Cambridge Five pull the wool over the eyes of MI5 and MI6? None of these agencies are notably inept, inattentive, ill-informed or poorly resourced. And if they failed, what hope do the rest of us have?

Dave Bittner: [00:01:04] In this CyberWire Special Edition, our UK correspondent Carole Theriault speaks with three industry experts who’ll give us reason to hope. Stay with us.

Dave Bittner: [00:01:18] And now a quick word from our sponsors at Okta. When it comes to modernizing identity, legacy on-prem solutions just make everything harder. From managing access for contractors and departing employees to securing cloud apps and on-prem systems, your company deserves better. Choose Okta, the modern identity platform that securely connects anyone that touches your organization to any technology they want to use. Okta reduces AD vulnerabilities, secures not only employees but contractors and customers, simplifies domain consolidation, and reduces your attack surface. Say goodbye to failed pentests and AD patches. Say hello to agile, admin-friendly IT. To learn more, visit okta.com/rethinkAD. That’s okta.com/rethinkAD. And we thank Okta for sponsoring our show.

Carole Theriault: [00:02:20] So, I kept reading about insider threats. These are the threats that are born from within the organization. And I wanted to learn more about these people – people that seem to put the organization at risk. Are they all bad apples, so to speak, or are they people just like you and me who occasionally do something that doesn’t follow security protocol?

Carole Theriault: [00:02:41] First things first, let’s define what our experts mean by insider threats. Let’s hear from Dr. Richard Ford, Chief Scientist at Forcepoint.

Dr. Richard Ford: [00:02:54] Right, so I don’t even like the name, actually. I think one of the reasons that these programs are not often successful as they could be is because of that name, “insider threat,” which sort of summons up these pictures of shady operators hanging around the water cooler doing dark deeds. Most insider threats are perfectly well-meaning employees that end up doing something foolish or getting convinced to do something foolish that compromises your data or your security in some way.

Dr. Richard Ford: [00:03:22] So to me, an insider threat is the threats that emanate from within, but it doesn’t necessarily mean that they’re malicious. So if I stole your username and password, for example, or I got you to give it to me, in some sense, you’re an insider threat. You’re an accidental insider.

Dr. Richard Ford: [00:03:38] Then you have these malicious insiders. And when you hear the name “insider threat program,” you think of a malicious insider. But in fact, what you tend to find is a lot of accidental insiders who you can help along to not being accidental insiders.

Carole Theriault: [00:03:52] Forcepoint are not alone in categorizing insider threats. After all, mitigation against these threats depends on the company being able to foresee what risk each threat type presents to the company. Here’s MC, the VP of Product at insider threat specialist firm ObserveIT.

MC: [00:04:12] So at a high level, I would break it down into three kinds of insiders. The first one is just users like you and me who come to work with a good intent, are hardworking, go back to home, family, friends. But at some point, you know, we may do some negligent things. So, for example, taking a printout so that you can read it on the train ride back home, or sending out sensitive files so that you can work over the weekend. So we call them negligent insiders.

MC: [00:04:40] The second kind of category is where the rogue insider, this mole within the mix, has a bad intent and is actually, for whatever reason – maybe financial, maybe ideological, maybe some kind of bad performance review, some kind of a personal stress situation in the mix to begin with – ends up stealing something that they shouldn’t do. So we’ll call that as a malicious insider.

MC: [00:05:07] And then there is a third category that people don’t think about, which is people falling victim to a phishing email coming from outside, and they end up compromising their credentials. We call them a compromised insider. So kind of these three mixed that we’ve started to see in companies across our customer base and different enterprises.

Tod Beardsley: [00:05:30] Just from the get-go, I don’t think you have to, like, treat your employees like adversaries all of the time. That would make for a terrible work environment. And that’s probably not the greatest thing to do.

Carole Theriault: [00:05:41] This is Tod Beardsley, Director of Research at Rapid7.

Tod Beardsley: [00:05:46] But the thing with insider threat controls is that what you’re really targeting almost always are attackers who are from the outside that manage to get access as an insider. So like, for example, let’s say I send employees a phishing link or something, and they download a Word doc and get popped by like a Word macro or something like that. Now I have control from the inside, from their workstation, using their own user account. And now I can start acting – as an outsider, I can start acting like an insider, right? Like, I’ve breached that perimeter. And I think that’s where the most value you get from thinking about insider threats is – not so much, like, the people that you trust, but it’s the user accounts that you trust.

Carole Theriault: [00:06:36] So what all these experts are telling us is that insider threats are a problem, that there are different types of insider threats, from the malicious, such as a disgruntled employee wanting revenge, to the inadvertent, like the newbie in accounts who gets duped into handing over confidential info to an attacker. It all sounds a bit 1984, doesn’t it? Surely there are organizations out there who pooh-pooh the idea of internal monitoring, citing that they trust their employees. Dr. Richard Ford at Forcepoint.

Dr. Richard Ford: [00:07:07] Yeah, absolutely, I’ve definitely met with CISOs who’ve said, but we love our employees. Well, you’re also helping keeping them safe, right? Because also, you know, if you do somehow accidentally get a wolf in that flock, that wolf can do an awful lot of damage. And in this current sort of threat environment in which we live, where you have to think about things like nation states, I think most companies should recognize that they are potentially a target – you know, if only as a stepping stone for something else. So there will be occasional employees – and they are very much the exception, not the rule – who enter your company or even apply for that job with a whole intent of abusing the company in some way.

Dr. Richard Ford: [00:07:51] I think also that we tend to use the lens of cybersecurity when we think about this. The lens of fraud is a much better lens, right? So there’s this whole concept of fraud which is perpetrated by employees, and now that all involves something cyber, pretty much, right? So these sort of worlds are merging. It used to be fairly separate, but now the footprints of those fraudulent transactions or those fraudulent acts often exist in the cyber space. And that’s where you can find them and shut them down. And that’s something that’s good for all the other employees in the company. So, again, I think the name gives us this sort of glass-half-empty thing, and the glass is really rather full indeed. It’s quite a positive thing when it’s done right.

Carole Theriault: [00:08:38] I asked MC at ObserveIT the same question.

MC: [00:08:43] You don’t want to come across as a Big Brother watching the employees or contractors. That’s not the norm, right? That’s not the intent. The intent is actually to secure the population, secure the employees. Make sure it’s a friendly working environment. So transparency as you implement these programs – communication to HR, to cybersecurity, to physical, to ethics, to audit, compliance, everybody in the mix, to executive teams – is very important because this is not a Big Brother watching. This is actually with a good intent.

Carole Theriault: [00:09:14] As tech and processes increase in complexity and user interfaces streamline and simplify, I can’t see how the average user can be expected to be the be-all and end-all in stopping attacks that prey on insiders. I asked Tod Beardsley from Rapid7 if cyber training was even worth it anymore.

Carole Theriault: [00:09:34] Imagine someone named Martha who works in finance and doesn’t really care about computing. They are a great route in for a threat, but can we arm her, even if she’s not interested in it, in a way that can help protect the company?

Tod Beardsley: [00:09:48] For sure, yeah. People who are not technologists, who aren’t, like, security dorks, you know, people who are just regular people are aware, much more aware today than they were even two or three years ago of the threat of phishing, like, what actually happens. You know, the threat of someone who is pretending to be who they’re not on email to try to get you to open a document or click a link or give up a password or something like that, right? Like, that kind of attack is now pretty well-known.

Dr. Richard Ford: [00:10:21] And I do think that there are some things that companies can do to help train up their employees to kind of spot these scams and figure out who’s more likely to click on nastiness, you know, things like that. But I do think that people are more sophisticated today, mainly because it’s been in the news a lot, right? Over the last couple of years, we hear a lot about, like, Russian phishing, right? And people hear that in their regular day-to-day. And I do think people are more aware of it, which is good. I don’t think people hang out on the Internet, just consumed by fear all the time.

Tod Beardsley: [00:10:57] I do think companies can do awareness training, like, this is what a phishing link looks like, and when your email client has the big red warning, saying this is someone whose name you know, but it’s coming from a different email address, you know, those kind of warnings that we’re seeing more and more, especially in services like Google Apps Suite, and other kind of Outlook 365 and all those other kind of cloud-based email services.

Tod Beardsley: [00:11:23] I do think people are seeing those and they may be confused about it. And so that’s where the enterprise can step in and explain what’s going on and what does this look like. And then after that, follow up with training. Like, it’s a great training exercise to phish your own employees and then tabulate who clicked on the link and who could use – who should watch the training video, you know, things like that. I think that goes a real long way.

Carole Theriault: [00:11:51] Does Dr. Richard Ford from Forcepoint think that cyber training can help?

Dr. Richard Ford: [00:11:57] I’m gonna say “yes, but.” Right? Because obviously, yes, awareness is really important and generating awareness is super important. So that’s the “yes” part. Here’s the “but” part. The “but” part is that we are what I would call “task-centric cognitive misers.” What I mean is that, you know, when you’re trying to accomplish something, you’re going to spend as little time as possible thinking about other things while you think about that task. And the fact that you’re a task-centric cognitive miser is exactly what a social engineer will use to get you out of your game.

Dr. Richard Ford: [00:12:35] I mean, there’s a lot of different techniques that can be used, right? But it’ll be something urgent. It’ll be something where you’re sort of trying to help somebody out. So one thing that an attacker will do is sort of trying to get you on their side, often. “Oh, can you help me out? My boss is going to yell at me if I don’t get this thing done.” And they do that by building a small relationship with you. That’s why actually the phone can be so deadly, because it’s much harder to say no by phone sometimes than by email. I actually have a nice collection of calls where I have answered, and have a bunch of virtual machines that people can log in to and try and poke around. It’s quite enjoyable.

Dr. Richard Ford: [00:13:16] You know, social norms, right? So, bending or relying on social norms and politeness – these things are very effective. A simple example would be, you know, when I used to do physical pentesting, showing up at a company on crutches or with your foot in a boot on crutches is great because everybody holds the door open for you. It doesn’t matter that your badge therefore doesn’t work. You wave a photocopy of a badge around and nobody’s going to make you take it off and actually use that on the proximity sensor. That’s a very effective, very simple technique.

Carole Theriault: [00:13:50] So awareness works well to try and build up the defenses of your users that, you know, just need training. But if you’re a bad agent inside an organization, of course, they’re not going to take any heed to that. So I guess this is where technology comes in.

Dr. Richard Ford: [00:14:05] That’s right. So I am a huge, huge fan of the idea. Never send a person to do something that technology can do for you. And so there’s a lot of things that you can do with behavioral analytics. That you can do with, you know, effective but privacy-preserving sort of monitoring. That can not only detect fraud or detect misbehavior – you can actually predict fraud or predict misbehavior. So these sort of predictive analytics that get ahead of the threat are really important. There’s also an element which sort of makes somebody think twice about, you know, testing the bounds of the system when they know there’s a program in place.

Carole Theriault: [00:14:48] So what I’m hearing is that cyber training is important, but it is a component, not the whole answer. Here’s Tod Beardsley from Rapid7 on whether technology can help reduce the exposure to insider risks.

Tod Beardsley: [00:15:02] For sure, there is an email control called DMARC, which stands for Domain Message Authentication, Reporting & Conformance. It’s a long acronym, so we just say DMARC. And what DMARC does is these are signals you can put in your DNS records. So, like, if you’re – I don’t know, rapid7.com, right? And you can say on the domain registrations, like, these are the entities that are allowed to impersonate rapid7.com. Because email actually doesn’t have a bunch of these built-in controls – you have to kind of bolt them on. But DMARC is pretty easy to do for IT folks. It’s pretty easy. It’s pretty low cost. And all it does is make it obvious when someone is impersonating, you know, an insider as an outsider. And so something like that goes a real long way. So that’s a technology, for example, that can help, you know, just either flag email that is suspicious, or just, you know, kick it off to the trash bin, like, don’t ever deliver it.

Carole Theriault: [00:16:07] Here’s MC from ObserveIT on how technology can be used to mitigate this insider threat.

MC: [00:16:12] [INAUDIBLE] It’s three things. One is visibility. It’s very important for you to know what your users do. What applications do they browse? What is their behavior on the desktops, on the servers, on the machines, mobile phones that they access and they use to access the corporate WAN? That is very important. So we call it visibility. You need to know what is happening.

MC: [00:16:37] Second, in terms of what you build up on the technology front, you want to catch the threats before they happen in real time. We have to move into this notion of proactive and more predictive security so you can actually see these threats scenarios – we call that detection – before they happen in real time. So you can actually take an action and understand the intent, you know, of the user involved. So that is really important.

MC: [00:17:04] And the third thing that technology brings to bear is something called response. When it comes to insider threats, just because of the sensitivity of the data involved, of the due diligence that needs to be processed with various functions, unlike the ransomware or the malware. So you’ve got to bring that into context. And technology has pretty much automated a lot of these things now, as we look at insider threats as a much bigger threat scenario.

Carole Theriault: [00:17:26] I wondered how our experts saw the future. I asked them to look at their crystal balls and see what they saw coming in the next few years with respect to insider threats. And I got to warn you, this is typically not an expert’s favorite question.

Dr. Richard Ford: [00:17:45] I actually like this question, right? So, I think, first of all, there’s almost nothing that we see happening today that we didn’t see a hundred years ago. And it’s sort of underlying mechanisms, right? Now, the medium has changed, the methods have changed, but the motives and the ways of sort of thinking about it haven’t really changed at all from the old confidence tricks of old. So in that sense, I think that these kind of things will be around for as long as there are people around.

Dr. Richard Ford: [00:18:16] I think technology in some ways makes it easier because it’s easier – I mean, the amount of power you can wield on one terminal is absolutely amazing. So technology helps this stuff scale up, potentially. We don’t recognize, for example, the cash value of the information that might be on a single laptop. Whenever I’m traveling out of the country with my work laptop, I always stop and think about the actual value of the information that’s stored on it, and it’s always quite shocking to me. But most companies, you know, don’t pay a lot of attention to the value that any individual user may have accrued in terms of intellectual property in their devices. And I think, you know, you start to view the world differently when you think about the amount of trust you’re placing in those users.

Tod Beardsley: [00:19:08] There’s a set of technology known as “user behavior analytics.” And so what that does is that you are essentially profiling all of your users. You get a sense of, like, when they log in and from where do they log in. Like, are they always logged in locally in the office or do you have, like, a work-at-home set of employees? Or do you have international employees, you know, people who normally log in from someplace else.

Tod Beardsley: [00:19:32] With user behavior analytics, you can start collecting these things and then notice when a user account starts behaving very strangely. Like, they’re logging in at weird times of day, or they’re logging in from some country that you don’t do business in, or they start talking to a lot of computers, local computers, that they don’t normally ever talk to. Like, Martha in finance usually talks to finance computers. You know, she’ll log into whatever the accounting software is, even if that’s cloud-based. If she starts, you know, running around and pinging every workstation on her – on the floor, like, on the local network – that’s weird for Martha, right? Martha’s not known to be a hacker. So that’s the kind of thing that you can alert on, and the IT security group would see this alert and know that something’s up with – maybe not something’s up with Martha, but something is up with Martha’s user account.

MC: [00:20:25] You take a step back and start thinking, what are the core elements that help you build an insider threat program, or how do you tackle insider threats in your corporation? And it comes down to fundamentally three things. Firstly, the people. You know, it’s all about the people when it comes to insider threats. Second is the process and policies that come along with it. And third is the technology bit.

Carole Theriault: [00:20:49] So it is that age-old trifecta: people, processes, and technology. Which all need to be accounted for when building a defense strategy against insider threats. You want your people on the lookout. You want a reliable policy in place in a cyber emergency. And you want the right technology to secure all your efforts.

Carole Theriault: [00:21:10] My deep thanks to our three insider threat experts, MC, VP at ObserveIT, Dr. Richard Ford, Chief Scientist at Forcepoint, and Tod Beardsley, Director of Research at Rapid7. This was Carole Theriault for the CyberWire.

Dave Bittner: [00:21:27] We note in closing that perhaps we should distinguish insider threats – the spies, the embezzlers, and the IP thieves – from the people our experts call the well-intentioned insiders – hardworking and committed colleagues who make mistakes or find themselves taken advantage of – calling them, perhaps, vulnerable insiders. All of us are vulnerable insiders. It’s not that Martha in Finance, Nigel in HR, or Nikita in Engineering are untrustworthy. Rather, it’s that they need their organization’s help to stay safe. And since, as Dr. Ford said, the real threat hasn’t changed fundamentally in centuries, only updated its technology, the wisest course seems to be this: help your people remember that fraud, deceit, and compromise are always with us and help them look through the sheep’s clothing to see the wolf beneath.

Dave Bittner: [00:22:20] Our thanks to Carole Theriault for producing this CyberWire special edition.

Dave Bittner: [00:22:25] And thanks to our sponsors at Okta. You can learn more about their modern identity platform at okta.com/rethinkAD. That’s okta.com/rethinkAD.

Dave Bittner: [00:22:37] For everyone here at the CyberWire, I’m Dave Bittner. Thanks for listening.

Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.


#cyberfraud | #cybercriminals | Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike


The FBI reports that direct deposit change requests increased more than 815% in 1.5 years

$8.3 million.

This number represents the total reported losses due to payroll diversion schemes that were reported to the FBI’s Internet Crime Complaint Center (IC3) between Jan. 1, 2018 and June 30, 2019. This form of payroll fraud also sometimes falls under the category of business email compromise (BEC) scams because the criminals commit these crimes using email as their method of choice.

Payroll fraud is a major — and often overlooked — threat to businesses and their employees. The FBI’s data indicates that the average dollar loss reported per complaint was $7,904. But again, these numbers just include the reported losses — they don’t include those that haven’t been reported or have yet to be discovered.

But what exactly is payroll fraud or a payroll diversion scam? And why are these types of fraud a growing issue for businesses and employees alike?

Let’s hash it out.

6 Types of Payroll Fraud Causing Headaches

What’s payroll fraud? Well, the answer depends on whom you ask. Many people define it differently. In the most general terms, payroll fraud is any type of fraud that involves the theft of a company’s money using the payroll system. Payroll fraud often targets people who work in human resources, payroll, and finance, as well as tax professionals.

Much like donuts, payroll fraud comes in multiple flavors. Payroll fraud can:

  • Come from the top (the employers themselves perform the fraud),
  • Intentionally/unintentionally involve employees,
  • Be committed by other third parties.

Let’s look at each of these categories more in depth.

Employer Payroll Fraud

We’ll start by discussing a type of payroll fraud that’s committed by employers (corporations, organizations, etc.) themselves: worker

This type of crime involves a company or supervisor intentionally misclassifying employees to avoid workplace laws and paying certain costs (such as payroll taxes and workers’ compensation insurance). This illegal practice often involves classifying employees as independent contractors instead of employees. This deprives the employees of their rights and protections under the law.

A study by Harvard University shows that 17 of the surveyed states report having laws that specifically address and/or establish penalties for misclassifying employees. And in some states, such as Alaska, misclassifying a worker is both a civil and criminal liability. Some will impose financial penalties against organizations that intentionally and knowingly misclassify a worker as an independent contractor.

Now, we’re not here to discuss the rights and wrongs of these types of practices by businesses and organizations. We’re just trying to shed some light on the different types of payroll fraud that exist — both those that relate and don’t necessarily relate to the cyber security industry in particular. But, let’s move on to our second category of payroll fraud — the types of payroll scams that involve an organization’s employees doing bad things on their own.

Employee Payroll Scams

These types of scams involve everything from simply changing payment information to creating entire false employee profiles. Here are three of the most common types of employee payroll fraud:

  • Ghost Employees. This type of scam involves an employee with access to the payroll system creating a fake employee profile. This “ghost” employee receives direct deposit payments for work that is not completed.
  • Pay Rate Alteration. This type of payroll scam involves an employee colluding with a member of human resources or finance to get their hourly pay rate fraudulently changed to a higher amount.
  • Timesheet Fraud. This type of fraud involves an employee adding unauthorized hours to their timesheets to pad the hours they work. Often done in small increments — 15 minutes here or 30 minutes there — this type of fraud may go unnoticed by overwhelmed supervisors.

Although timesheet fraud can occur by accident — should an employee simply forget to clock out at lunch or at the end of their workday — there are cases in which employees intentionally neglect to clock out to rack up hours for time they don’t work. This is the difference between being involved in an accidental situation and committing an intentional crime.
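Each of the three patterns in the list above leaves a trace in data the organization already holds: the HR roster, the payroll export, the pay-rate change log and badge-access records. The checks below are an added example, not code from the original post; every record in them is constructed, and the field names, the 25% rate-change threshold and the half-hour timesheet tolerance are assumptions standing in for whatever a real payroll system exports and a real policy allows.

```python
"""Detection checks for the employee payroll fraud patterns described above
(ghost employees, pay-rate alteration, timesheet padding).

Added example, not code from the original post. All records below are
constructed; the HR roster, payroll export, rate-change log and badge-access
hours are hypothetical stand-ins for what a payroll/HR system would export."""
from collections import defaultdict

# Constructed HR roster: every employee ID HR has an onboarding record for.
HR_ROSTER = {"E100", "E101", "E102"}

# Constructed payroll export for one pay period: who is paid, and where.
PAYROLL = [
    {"emp_id": "E100", "routing": "011000015", "account": "1001"},
    {"emp_id": "E101", "routing": "011000015", "account": "1002"},
    {"emp_id": "E102", "routing": "026009593", "account": "7777"},
    # E999 has no HR record and is paid into E102's account: a ghost employee.
    {"emp_id": "E999", "routing": "026009593", "account": "7777"},
]

# Constructed pay-rate change log. A real system would also carry timestamps.
RATE_CHANGES = [
    {"emp_id": "E100", "old": 30.00, "new": 31.50, "approver": "mgr-07"},
    {"emp_id": "E101", "old": 28.00, "new": 40.00, "approver": None},      # no approval
    {"emp_id": "E102", "old": 26.00, "new": 41.00, "approver": "mgr-07"},  # approved, but +58%
]

# Constructed timesheet rows and badge-access hours for the same day.
TIMESHEETS = [
    {"emp_id": "E100", "date": "2019-10-14", "hours": 8.0},
    {"emp_id": "E101", "date": "2019-10-14", "hours": 9.0},
]
BADGE_HOURS = {("E100", "2019-10-14"): 8.1, ("E101", "2019-10-14"): 6.2}


def ghost_employees(payroll, roster):
    """Payroll IDs with no HR record: the classic ghost-employee signal."""
    return sorted({row["emp_id"] for row in payroll} - set(roster))


def shared_bank_accounts(payroll):
    """Bank accounts receiving pay for more than one employee ID.

    Returns (routing, account, [emp_ids]) tuples. Legitimate cases exist
    (e.g. spouses at the same company), so this is a review queue, not proof."""
    by_account = defaultdict(set)
    for row in payroll:
        by_account[(row["routing"], row["account"])].add(row["emp_id"])
    return sorted((r, a, sorted(ids)) for (r, a), ids in by_account.items() if len(ids) > 1)


def unapproved_rate_changes(changes, max_pct_increase):
    """Rate changes with no recorded approver, or larger than policy allows
    even when approved (collusion with HR/finance is the threat here)."""
    flagged = []
    for c in changes:
        pct = (c["new"] - c["old"]) / c["old"] * 100
        if c["approver"] is None or pct > max_pct_increase:
            flagged.append(c["emp_id"])
    return sorted(flagged)


def timesheet_vs_badge(timesheets, badge_hours, tolerance_hours):
    """Timesheet hours that exceed badge-derived presence by more than the
    tolerance. Catches padding that a busy supervisor would not notice."""
    flagged = []
    for row in timesheets:
        present = badge_hours.get((row["emp_id"], row["date"]))
        if present is None:
            continue  # no badge data (remote day, badge outage): cannot compare
        excess = round(row["hours"] - present, 2)
        if excess > tolerance_hours:
            flagged.append((row["emp_id"], row["date"], excess))
    return flagged


if __name__ == "__main__":
    print("ghost employees:", ghost_employees(PAYROLL, HR_ROSTER))
    print("shared accounts:", shared_bank_accounts(PAYROLL))
    print("rate changes to review:", unapproved_rate_changes(RATE_CHANGES, 25.0))
    print("timesheets to review:", timesheet_vs_badge(TIMESHEETS, BADGE_HOURS, 0.5))
```

Run against the constructed data, the checks flag E999 as a ghost, the account shared by E102 and E999, the unapproved E101 change and the oversized E102 change, and E101's padded timesheet. Every hit is a review item rather than a verdict: the shared-account and timesheet checks in particular have benign explanations, which is why the output is meant for an auditor, not an automatic payroll block.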

Third Party Payroll Fraud – How Phishers Are Stealing Payroll Funds


This third and final category of payroll fraud is one that’s of particular interest to us. Third-party payroll scams, more specifically W-2 scams and payroll diversion schemes, are often committed by unrelated third parties who use phishing tactics while targeting payroll or human resources personnel.

The first tactic (the W-2 scam) is used to get the victim to provide sensitive personal and/or financial information. The second (the payroll diversion scheme) aims to get them to transfer money.

Either way, both forms of phishing have a single overarching goal: to get the intended victim to perform some type of action through the use of social engineering tactics.  

W-2 Phishing Scams

This is the type of tactic you often read about just before the start of tax season. This type of crime occurs when a cybercriminal attempts to gain access to another person’s W-2 information — including their name, address, Social Security number, income, and withholdings — so they can either sell it or use it to file fraudulent tax returns. They can do this by contacting victims directly or by reaching out to companies’ HR or payroll personnel to get this information for their organizations’ workforces.

Payroll Diversion Scams

This type of direct deposit scam involves a criminal sending an email to an employee in an organization’s payroll, HR or finance department. The email is designed to look like it’s coming from an employee — often an executive — and asks the target to update or change their direct deposit payroll information. They provide new bank account and routing information to an account that the criminal controls.

However, payroll diversion scams don’t always involve a criminal reaching out to payroll or HR. Other methods of payroll diversion schemes involve the criminals either:

  • hacking into the payroll system itself, or
  • using phishing emails to gain login information from the victims that the attackers can use to access their payroll systems or payroll information.

With both W-2 and payroll diversion fraud, the employees — and their employers — are often on the losing end of these situations.

Both types of schemes can also technically fall under the category of employee payroll fraud because dishonest employees can simply do the same actions to benefit themselves and don’t necessarily require a third-party accomplice. However, they’re becoming common tactics used by cybercriminals who are unrelated to the company and simply want to make a quick buck.

If only these criminals took all of their creativity and determination and applied those traits to things that would be both productive and beneficial for society…

If only.

With all of this in mind, what does a payroll diversion scam look like?

A Real-World Example of a Payroll Diversion Scheme

At The SSL Store, we’re no strangers to phishing emails and tactics. In fact, we receive many emails from people pretending to be our CEO and vice presidents. We also receive phishing emails targeting members of our customer experience team in more personal contexts.

Some of these phishing emails include payroll fraud tactics. Take a look at the payroll diversion scheme email that our office manager (Nellie) received just a couple of months ago from someone posing as one of our vice presidents, Kyle:


If Nellie were in a rush or wasn’t paying full attention when going through her inbox, she might not have noticed one small yet important detail on the email: the “from” address field. Paying attention to this component is key for detecting whether an email is legitimate. Mail clients show the sender’s display name prominently, and the display name is free text the sender chooses; only the address itself ties the message to a mailbox. If she had simply looked at the display name in her inbox without checking the email address when she opened the email, she might not have noticed that the email came from “[email protected]” instead of Kyle’s official thesslstore.com email account.

Thankfully, Nellie is educated on cyber security best practices and how to recognize phishing emails. This is why employee cyber awareness training is so crucial to the safety and financial security of

Why Payroll Diversion Schemes and W-2 Scams Are Such a Big Deal

Still not convinced that payroll fraud — or, more
specifically, a payroll diversion scam — is a big deal? Let’s paint a more detailed
picture to provide some clarity.

It’s Monday morning and your human resources team is playing
catch-up with the emails from over the weekend. Among the many messages that
Michael, the payroll administrator, received is an email request from Bob in marketing.
The email states that Bob just signed up for a new bank account with a new
bank, and he wants to transfer his payroll direct deposit from his existing
account to the new one.

Sure, no problem.

As the efficient employee you hired him to be, Michael
immediately sets about updating Bob’s payroll information to reflect the change in
his account. After all, he wants to ensure that Bob’s next bi-weekly paycheck is
sent to the new account without delay. Once the update is made, Michael sends a
response email to Bob to confirm the change. Bob thanks him, and that’s
seemingly the end of it.

Fast forward a month, and Bob sends another email to the
human resources team. This time, he is inquiring about why he has not received
his last two paychecks. Figuring there must have been a mistake with the account
number, Michael goes back and compares the account on file with the account in
Bob’s first email. The account information matches, but something else doesn’t:
the “From” field. Although the email displays the name “Bob Matthews,” the
actual address is an unrelated Yahoo account ([email protected]), not Bob’s
company mailbox. Michael had replied to that same address to “confirm” the
change, so his confirmation went straight back to the scammer.

Cue the pit that’s forming in Michael’s stomach — and yours.

When Michael reaches out to the bank to reverse the payments,
he’s told that it’s too late: the new account that the two paychecks were sent
to is closed, and the money — as well as the criminal who stole it — is long

What All of This Means for Your Organization

The Association of Certified Fraud Examiners (ACFE) estimates that 5% of businesses’ annual revenue is lost to employee fraud and abuse. While this may sound relatively minor, consider this:

“While this number is only a general estimate based on the opinions of the CFEs who took part in our study, it represents the collective observations of more than 2,000 anti-fraud experts who together have investigated hundreds of thousands of fraud cases. To place their estimate in context, if the 5% loss estimate were applied to the 2017 estimated Gross World Product of USD 79.6 trillion, it would result in a projected total global fraud loss of nearly USD 4 trillion.”

Now we’re talking about potentially substantial financial
losses. But it doesn’t stop there. In the payroll diversion scenario
we described, not only is your company out the money that was stolen, but
you also still owe Bob the paychecks he never received. Furthermore, your
company may suffer reputational damage with current and prospective employees
if word gets out about the incident. Not to mention, you
may have to deal with any legal issues and fines that may result from the
Now, imagine if this type of scenario happened on a much
larger scale, involving several — or, worse, all of your employees. Not
only would it be a logistical, financial, and reputational nightmare, but it
could potentially put you out of business if you don’t plan and prepare for
such a situation.  

Examples of Recent Payroll Diversion Scams

Earlier this year, nearly half a million dollars was diverted from the payroll of employees who work in Tallahassee, Florida. In this case, the cybercriminals who performed the attack actually hacked into the city’s direct deposit payroll system.

In Butler County, Ohio, several local government offices were repeatedly targeted by payroll scammers. Some employees’ direct deposits were changed to fraudulent accounts, and multiple duplicated checks worth more than $7,000 each were generated by the scammers as well.

The biggest case to occur recently, however, involves MyPayrollHR, a now-defunct cloud payroll provider based out of New York. The company’s CEO, Michael T. Mann, was arrested and charged with bank fraud. He reportedly admits to stealing an estimated $70 million in payroll and tax deposits from customers.

How You Can Prevent Payroll Fraud and Phishing Payroll Scams

When it comes to preventing or combating the most common
types of payroll fraud, strict policies, meticulous audits, and diligent
management play important roles. Another thing that has a major impact is
mandatory, regularly repeated cyber awareness training for employees.

  • Conduct Regular Assessments and Audits. These evaluations should include cyber and fraud risk assessments, and audits of financial documents and employee schedules. The first will help you to identify any potential vulnerabilities that need to be addressed. The second helps you to identify any potential anomalies that could be the result of fraud.  
  • Evaluate Your Payroll Information Update Processes and Internal Controls. How are changes to payroll currently made within your organization? Carefully review and adjust your existing processes to ensure that they are effective. Make it mandatory that before any direct deposit is changed, the requesting employee is contacted directly using an official communication method. Don’t reply to the requesting email or call any phone number provided in the message, since both lead back to whoever wrote it. Instead, call the employee on the number listed in your organization’s internal employee directory, and record who made the call and who approved the change.
  • Implement Email Security Measures. Use spam and phishing filters that automatically scan messages and sender addresses for spam and “spoofing.” Publish and enforce email authentication records for your own domain (SPF, DKIM and DMARC) so that mail forging your domain is rejected outright. Be aware that these checks do not catch the tactic used in the examples above, where the attacker sends from a free webmail or lookalike domain and merely borrows an executive’s display name; that still has to be spotted by the filter’s display-name rules or by the reader.
  • Implement a Policy of Least Privilege. Only allow access to sensitive systems (such as payroll and personnel records) to those who need it to perform their jobs. Regularly review and update the access controls to ensure that the access lists are current and that departed employees and contractors have been removed.
  • Make Employee Training Mandatory. Training needs to be held regularly to keep the information fresh in employees’ minds. It should cover security and cyber awareness, and it should teach employees to recognize and react appropriately to phishing and spoofing emails, as well as other email and phone fraud schemes.
  • Review Documents to Stay Informed. Take the time to regularly review all financial statements for any unusual activity.
  • Segregate Financial Duties. No one person should have control over all aspects of a company’s finances. Not only is such a practice bad from a logistics standpoint — what happens if that individual is in an accident? — but it’s also bad from a risk standpoint. Think of it like the protocols and systems in place to protect U.S. nuclear weapons. There’s a reason why the keys and codes to nuclear weapons are controlled by multiple people: to provide a failsafe so that no one person has complete control over arming and launching the weapons.
  • Email Signing and Personal Authentication Certificates. Email signing certificates, also known as S/MIME certificates, let your employees confirm the identity of an email’s sender and detect whether the message was altered in transit, because the signature is bound to the sender’s verified identity and to the message contents. The same certificates can also encrypt messages so that only the intended recipient can read them; encryption protects confidentiality, while the signature is what provides authenticity and integrity. For signing to stop a payroll diversion attempt, two things must hold: employees have to be trained to treat an unsigned or badly signed request from a colleague as suspect rather than simply noting that a signature is absent, and the private keys have to be protected, since a stolen key lets the attacker sign as the victim.
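The process controls above (out-of-band verification on the directory number, a second approver, and an audit that looks for anomalies) as code. This is an added example and not The SSL Store’s own process: the directory, the constructed requests, and the “more than one employee paying into the same account” audit rule and its threshold are assumptions; the audit rule is a common payroll-diversion indicator, not something the post itself states.

```python
"""Gate direct-deposit changes behind out-of-band verification, a second
approver, and a shared-destination-account audit.

Added example, not the post's own process. Directory, requests, the audit
rule and its threshold are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed internal directory: employee id -> (name, corporate mailbox, phone of
# record). The phone of record is the ONLY number that may be dialled to verify
# a change; a number supplied inside the request is never used.
DIRECTORY = {
    "E100": ("Bob Matthews", "bob.matthews@example.com", "+1-555-0100"),
    "E101": ("Jane Doe", "jane.doe@example.com", "+1-555-0101"),
}


@dataclass
class ChangeRequest:
    employee_id: str
    sender_address: str          # address the request actually came from
    new_account: str             # masked destination account identifier
    phone_in_message: str = ""   # number the message asked us to call, if any
    callback_number: str = ""    # number actually dialled for verification
    verified_by: str = ""        # staff member who made the callback
    approved_by: str = ""        # second staff member who approved the change


def validate(req):
    """Return the reasons the change must NOT be applied; empty means apply."""
    entry = DIRECTORY.get(req.employee_id)
    if entry is None:
        return ["unknown employee id"]
    name, mailbox, phone_of_record = entry
    errs = []
    if req.sender_address.lower() != mailbox.lower():
        errs.append(f"request for {name} did not come from {mailbox}")
    if not req.callback_number:
        errs.append("no out-of-band callback recorded")
    elif req.callback_number != phone_of_record:
        errs.append("callback used a number other than the directory number")
    if (req.phone_in_message and req.callback_number == req.phone_in_message
            and req.phone_in_message != phone_of_record):
        errs.append("callback went to a number supplied in the message itself")
    if not req.verified_by:
        errs.append("no verifier recorded")
    if not req.approved_by:
        errs.append("no second approver recorded")
    elif req.approved_by == req.verified_by:
        errs.append("verifier and approver must be different people")
    return errs


def shared_account_audit(applied_changes, threshold=2):
    """Audit pass over applied (employee_id, account) pairs: report any account
    now receiving pay for `threshold` or more employees. Legitimate payroll
    rarely sends several people's pay to one account; diversion often does."""
    by_account = defaultdict(set)
    for emp_id, account in applied_changes:
        by_account[account].add(emp_id)
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) >= threshold}


# Constructed requests (not real data). UNVERIFIED mirrors the scenario in the
# post: webmail sender, "verification" by calling a number from the message,
# and no second approver. GOOD is what a compliant record looks like.
UNVERIFIED = ChangeRequest("E100", "bob.matthews.hr@yahoo.com", "ACCT-9911",
                           phone_in_message="+1-555-0199",
                           callback_number="+1-555-0199", verified_by="michael")
GOOD = ChangeRequest("E100", "bob.matthews@example.com", "ACCT-4242",
                     callback_number="+1-555-0100",
                     verified_by="michael", approved_by="priya")

if __name__ == "__main__":
    print("unverified:", validate(UNVERIFIED))
    print("good:", validate(GOOD))
    print("audit:", shared_account_audit([("E100", "ACCT-1"), ("E101", "ACCT-1"),
                                          ("E102", "ACCT-2")]))
```

The validation runs before the payroll record is touched, and the audit runs after, over whatever has already been applied; a scammer who slips one request past the clerk tends to send the same destination account for several victims, which is exactly what the audit catches.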

As criminals become more creative, it’s up to all of us to
become more vigilant. It’s crucial to not only stay informed but to also be
prepared for the worst by having mechanisms and protocols in place to aid in
both response and recovery from such incidents — no matter how big or small.  

As always, leave any comments or questions below…

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Casey Crane. Read the original post at: https://www.thesslstore.com/blog/payroll-fraud-a-growing-bec-threat-to-businesses-and-employees-alike/

Source link

The post #cyberfraud | #cybercriminals | Payroll Fraud: A Growing BEC Threat to Businesses and Employees Alike appeared first on National Cyber Security.

View full post on National Cyber Security

hacker proof, #hackerproof

#cyberfraud | #cybercriminals | Alpharetta Warning Public About Online Dating Scams, Threats


ALPHARETTA, GA — The City of Alpharetta is warning the public to be cautious when using online dating websites after a citizen was recently blackmailed.

The Alpharetta Department of Public Safety recently took a report from a citizen who was using a dating app and made a decision to send intimate pictures to the person they connected with, the city said.

“The victim has now paid thousands of dollars to the person to keep those pictures off social media channels,” the city said. “The perpetrator, in this case, has not gone away and continues to threaten and demand more money from the victim.”

Cyber dating and the apps that make it possible attract millions of people: many in search of companionship, many seeking long-term relationships, and many seeking to steal identities or worse, the city said. The world of online dating is fraught with top-of-mind risks (Is that photo really the person I’m talking to? Could this person be a predator?), but there is also a growing list of concerns related to data privacy.

“The fact is, dating sites and apps have a history of being hacked,” Alpharetta said. “For example, in 2018 BeautifulPeople.com was hacked and the responsible cyber criminals sold the data of 1.1 million users, including personal habits, weight, height, eye color, job, education and more, online. In early 2019 detailed user records of more than 42 million dating app users were found on a Chinese database that was not even protected by a password. The user records found on the database contained everything from IP addresses and geo-locations to ages and usernames, giving potential hackers plenty of information to take advantage of.”

But, there are also many stories of people who found each other via online dating apps and are in very happy relationships today, Alpharetta wrote. So, the city said it does not want to scare any adult away from using them. The city said it wants everyone to be safe with their online dating activities.

With that in mind, here are a few tips that the city encourages all online daters to use:

Account Security

As with all of your Internet accounts, use a strong, unique password and two-factor authentication, if it’s available.

Beware of anyone sending you links, and especially links using shortened URLs. Hackers will try to lure you away from the dating app to sites that can more easily harvest your data. This is one of the most common Tinder scams. Rest your cursor over any link before you click it to see the address.

Only ever access your dating app on a secure WiFi network. An even better option is to protect the Internet connection of your dating app with a trustworthy VPN. This will add an extra layer of security to the app’s encryption.

Privacy And Social Engineering

Never share your full name, address, or place of work in your profile. Tinder, Bumble and Happn all allow users to add information about their job and education. With just this information and a first name, Kaspersky researchers were able to match a dating app profile to a LinkedIn or Facebook account 60 percent of the time.

Do not link your account on a dating app to your Facebook account. This makes it easier for hackers to connect your social media profile to your online dating one. It also would expose your data if Facebook were to suffer a data breach.

Using the same logic, do not link your Instagram, Twitter, or WhatsApp accounts to your dating app or share them in your profile.

For accounts or relationships based on your email, don’t use your everyday email address. Instead, get a separate, anonymous email just for that specific app or relationship.

Always disable any location-sharing features in your accounts on dating apps.

If you are uncomfortable sharing your cell phone number with someone you just met online, there are services that allow you to create a separate phone number. These services give you temporary phone numbers that last a couple of weeks for free or for a small fee. Since they are temporary, it is hard to use such a phone number on your dating app account, but it could give you some time to meet your matches in real life before you trust them with your phone number.

If an account looks suspicious, try doing a reverse image search of the profile pictures. If your search finds the photo is from a modeling agency or a foreign celebrity, you are likely looking at a fake account.

Eventually, you will have to share information about yourself. You are trying to convince someone that you are interesting enough to meet. Try to talk more about your interests, ambitions, and preferences and avoid specific information that could identify you. More “I love pizza” than “My favorite pizza restaurant is on the corner of Main St. and 2nd Ave.” Never be afraid to say “no” if someone asks you for personal information that you’re not yet comfortable sharing.

Avoid sending digital photos to users you do not trust. Digital photos can contain metadata about when and where the photo was taken along with other information that could be used to identify you. If you must share a photo, be sure to remove its metadata first. Also, always keep in mind that any explicit pictures you send could be used for blackmail.
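Removing a photo’s metadata, as an added example that is not part of the city’s advice and does not use any tool it names: a JPEG is a sequence of marker segments, and the camera and location metadata (Exif, and also XMP, IPTC and free-text comments) live in the APP1 through APP15 and COM segments ahead of the image data, so stripping those segments and keeping everything else removes the metadata without touching the pixels. The sample image is a hand-built byte string with a stub Exif segment and placeholder scan data so the example runs offline; it is not a decodable picture.

```python
"""Strip Exif/XMP/IPTC/comment segments from a JPEG before sharing it.

Added example, not from the original article. SAMPLE_JPEG is a constructed
byte string (stub Exif, placeholder scan data), not a real photograph."""
import struct

SOS, APP0, APP1, COM = 0xDA, 0xE0, 0xE1, 0xFE
# APP1..APP15 (Exif, XMP, ICC, IPTC, vendor blobs) and COM carry metadata.
# APP0 (JFIF) is kept because decoders expect it and it holds no personal data.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {COM}


def segments(data):
    """Yield (marker, offset, total_length) for every segment from SOI up to
    and including SOS. total_length covers marker, size field and payload.
    Everything after SOS is entropy-coded scan data and is not walked."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        size = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, pos, 2 + size
        if marker == SOS:
            return
        pos += 2 + size
    raise ValueError("truncated JPEG (no SOS segment)")


def strip_metadata(data):
    """Return a copy of `data` with all metadata segments removed."""
    out = bytearray(b"\xff\xd8")
    for marker, off, length in segments(data):
        if marker in METADATA_MARKERS:
            continue
        out += data[off:off + length]
        if marker == SOS:
            out += data[off + length:]  # scan data through EOI, copied untouched
    return bytes(out)


def has_exif(data):
    """True if an APP1 segment carrying an Exif block is present."""
    return any(m == APP1 and data[off + 4:off + 10] == b"Exif\x00\x00"
               for m, off, _ in segments(data))


def markers(data):
    return [m for m, _, _ in segments(data)]


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, stub Exif (TIFF header only), a comment,
# placeholder quantisation table and 1x1 frame header, then fake scan bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + bytes(20))
    + _segment(COM, b"shot at home, 2019-10-31")
    + _segment(0xDB, b"\x00" + bytes(64))
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00\x7f"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in markers(SAMPLE_JPEG)], "exif:", has_exif(SAMPLE_JPEG))
    print("after: ", [hex(m) for m in markers(clean)], "exif:", has_exif(clean))
```

Stripping the container metadata is the part you control; it does not remove anything visible in the picture itself (street signs, reflections, a uniform), and many apps re-encode uploads and drop Exif anyway, but doing it yourself before sending means you are not relying on the other side to do it.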

If you are chatting with someone and they are responding incredibly fast or if their responses seem stilted and full of non-sequitur questions, you should proceed carefully. While it is possible you have enchanted someone so thoroughly that they are struggling to respond coherently, it is more likely you are chatting with a bot. Online bots are getting harder and harder to detect, but one test you can try is to work gibberish into a phrase, like “I love a;lkjasdllkjf,” and see if the bot repeats the non-word or transitions into a non-sequitur question. (If it’s a human, you can always cover by saying your phone slipped.)

This may seem obvious, but if someone asks you over a dating app to send them money, your answer should always be “No.”

Do not immediately friend your matches on Facebook. Once someone has access to your Facebook account, they can see your friend and family network along with your past activity and location. Wait until you have been dating for a month or two before friending them.

Physical Safety

Have a mutual understanding of boundaries. No matter what kind of date you have planned, it is always safer to know exactly what you’ll be doing. By discussing a plan beforehand, you can both go into the situation knowing what you are and aren’t comfortable with.

Meet in a public place first. No matter what kind of date you’re going on, it is always safer to meet in an open and public place first. Avoid meetings that take place in remote areas, vehicles or anywhere that makes you feel uncomfortable.

Always let someone know where you are. Before meeting up with someone, let a friend or family member know where you’ll be. Some apps let you share your location with others so that someone can keep an eye on you during your date.


The post #cyberfraud | #cybercriminals | Alpharetta Warning Public About Online Dating Scams, Threats appeared first on National Cyber Security.



#cyberfraud | #cybercriminals | Netflix email scam tells victims to ‘update your payment information’, news update


If you receive an email from “Netflix” telling you to update your payment information immediately, you could be the target of a sophisticated new scam.

The streaming giant has once again had its brand used in a phishing email campaign, which copies the branding and sender name seen in official Netflix correspondence.

Victims are told they are required to update their payment information to continue using the service.

“We recommend that you update your payment information immediately to secure your account otherwise you will not be able to use our services,” the email reads.

An example of the email scam. Picture: MailGuard (Supplied)

A link is provided for users to change their payment details, which takes unsuspecting victims to a Netflix branded log-in page when clicked.

Users are prompted to login using their account credentials – doing so takes them to another phishing page asking for their credit card details.

If the victim enters their credit card information, cyber criminals will harvest their confidential payment data alongside their Netflix login information.

“Cybercriminals have taken great pains to incorporate the exact colour scheme, logo, fonts and popular images commonly found in Netflix pages in a bid to convince the user that the email is actually originating from the entertainment company,” explained email security company MailGuard.

“The inclusion of the threat in the email that the recipients won’t be able to use Netflix’s services if they don’t update their payment information is also a trick designed to spark panic and urgency.”

The fake login page looks almost indistinguishable from the real site. (Supplied)

While painstaking effort has gone into mimicking the brand, the email contains several red flags such as grammar and spacing errors which would likely not be present in an official email from Netflix.  

How to protect yourself (Supplied)
How to spot a scam (Supplied)

Anyone who receives the email should delete it rather than follow its link. If you are concerned that your account might be locked, go to the official Netflix site by typing the address yourself or using a saved bookmark, never via a link in the message, and check your details in the account settings.


The post #cyberfraud | #cybercriminals | Netflix email scam tells victims to ‘update your payment information’, news update appeared first on National Cyber Security.

