At the First Friday Breakfast meeting in March, Special Agent Carmine Nigro, Private Sector Coordinator for the FBI Boston Division, brought us up to speed on the FBI’s perspective on confronting cyber threats.
When the FBI is asked what some of the future threats are, the Internet of Things is one of them. We are using more of these devices – and they’re great, but hackers will exploit any vulnerability. This becomes even more of a concern as medical devices become connected. On the FBI’s list of priorities, cyber is at the top of the list, along with counterterrorism and foreign counterintelligence.
Complaints and reported losses in Massachusetts are up from previous years, with 6,725 complaints and $40 million in reported loss in 2017. SA Nigro thinks the actual number of cyber attacks is higher, because people don’t know where to report. He also said there’s reason to believe the number will keep going up, partially because so many more devices are internet connected. Those statistics don’t include the Business Email Compromise (BEC), a cyber attack he also addressed.
As we’ve seen, criminals are using cyber as a way to commit crimes. SA Nigro said hacks include theft, espionage, terrorism, and warfare, and are carried out by criminals, activists, insiders and others.
SA Nigro encouraged us all to report phishing emails and attacks at ic3.gov, even if you don’t lose any money. The email you report could be a new trend they haven’t seen yet, and reporting it helps them connect the dots. You’ll also find the latest scams at ic3.gov.
He said 71% of victims do not detect the breach themselves, and that weak or default passwords contribute to a third of the compromises. Intrusions take an average of 87 days to detect, and 114 days to contain.
Two types of cyber attack he went over at the meeting were the Business Email Compromise, and Ransomware.
Business Email Compromise – the CFO fraud
Losses in the FBI Boston area of responsibility for 2017 totaled over 43 million dollars – only 10 million of which was recovered. The most critical element in recovering money is time. If your company is part of the business email compromise, you have a 24-48 hour window to recover it. Once money leaves the United States, it’s extremely difficult for the bank to get the money back.
This scam is carried out by compromising legitimate business accounts. An elaborate scam, the CFO fraud takes time and patience to pull off. Snooping or surveillance is conducted on executives and/or their staff. Compromised systems are monitored, and files are scanned for invoices. With the information gathered, the scammers are able to impersonate executives through email. SA Nigro said the level of detail is high, and most emails sound like they came from the actual CFO.
Targets are legal services, business to business, and real estate transactions. As a buyer, seller or closing attorney, if something changes at the last minute, pick up the phone and make a call to confirm. People have gone to their closing only to discover the payment was wired to the wrong account. There is also an increase in W-2 phishing emails at this time of year.
Scammers craft an email message, with an immediate action that needs to take place: “Transfer this money, here’s the routing information.” They pattern language from the CFO’s own emails so it sounds familiar and legitimate. They send the email from a fake domain, which is a slightly altered version of the company’s own domain. For instance, versions of the Tech Council’s domain might be cctechcouncli.org, cctech.council.org, cctechcoucil.0rg, ctechcouncil.org, cctech-council.org, or cctechcouncil.com. Some companies are buying all versions of domains, while others figure out variations and block emails from fake domains, so employees don’t fall for a scam.
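The blocking approach mentioned above can be automated. The following is an added example, not code from the Tech Council or the FBI: a small check a mail gateway or SIEM rule could run on the sender domain of inbound payment requests. It uses the Tech Council’s domain and the variants listed in the post; the homoglyph table and the two-edit threshold are assumptions.

```python
from __future__ import annotations

# Digit-for-letter swaps scammers rely on (assumed mapping, extend as needed).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def skeleton(label: str) -> str:
    """Strip the cosmetic tricks: case, dots, hyphens and look-alike digits."""
    return label.lower().translate(HOMOGLYPHS).replace(".", "").replace("-", "")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def classify_sender(address: str, legit: str = "cctechcouncil.org", max_edits: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a From: address."""
    domain = address.rpartition("@")[2].strip().lower()
    if domain == legit:
        return "legitimate"
    name = domain.rpartition(".")[0]          # drop the TLD, compare the name part
    a, b = skeleton(name), skeleton(legit.rpartition(".")[0])
    # Same letters once punctuation and homoglyphs collapse (cctech.council.org,
    # cctech-council.org), or the real name under another TLD (cctechcouncil.com).
    if b in a:
        return "lookalike"
    # One or two typos away: cctechcouncli.org, ctechcouncil.org, cctechcoucil.0rg
    if osa_distance(a, b) <= max_edits:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample addresses built from the variants named in the post.
    for addr in ["cfo@cctechcouncil.org", "cfo@cctechcouncli.org", "cfo@cctech.council.org",
                 "cfo@cctechcoucil.0rg", "cfo@ctechcouncil.org", "cfo@cctech-council.org",
                 "cfo@cctechcouncil.com", "friend@example.com"]:
        print(f"{addr:26} -> {classify_sender(addr)}")
```

A result of "lookalike" on a message that asks for a wire transfer is the trigger to pick up the phone, exactly as the talk advised.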
When the FBI asks people why they didn’t pick up the phone and confirm the request, the response is that they did confirm the request, but only by replying to the email – which only goes to the scammer.
To avoid falling prey to this scam:
- If you receive a wire transfer request, start a new email or make a phone call to verify.
- Verify wire transfer requests with two-factor authentication
- Create intrusion detection systems
- Educate and alert employees
- If the scam comes by phone rather than email, ask for the caller’s full name (with correct spelling) and a callback number.
If you receive a spear-phishing email, patch and update security immediately, using antivirus and anti-spyware software. Furthermore, employees should not be permitted to check personal email on company computers. Some companies have set up standalone computers, not connected to the network, for employees to read personal email.
To prevent a BEC:
- Avoid posting business or vacation travel of company staff on social media, which lets scammers know when executives are out of reach.
- According to the SANS institute, a strong password has 15 alphanumeric characters. Do not use any of the top 20 passwords. #1 is “123456” (you can probably guess the others without much trouble).
- Test your password security at grc.com/haystack.htm
If you realize you’ve been the victim of a BEC within 24-48 hours, the bank can do a swift recall. For domestic transfers, also request your financial institution send a hold harmless letter to the beneficiary bank.
Ransomware
Ransomware has reached a broad set of victims locally and nationally, including hospitals, local police departments, and schools.
Arriving by spear-phishing email or website visit, Ransomware encrypts your hard drive and installs files to circumvent removal. Demands to decrypt your information range from $300 to $1000, and paying the ransom does not guarantee access to data.
To avoid being the victim of Ransomware, back up your data so nothing is lost if the data cannot be decrypted. Make sure your backup is physically disconnected from the computer. If you are confident that 99% of your data is safely backed up, you’re not going to pay the ransom.
To defend yourself against Ransomware:
- Education is key
- Limit social media/press releases
- “Hover for cover” – check links before you click
- Use two-factor authentication
- Beware of link shortening and hotlinks
- Go to Onguardonline.gov for tips to protect information
SA Nigro also said there are phone scams designed to look like they are coming from the police department or a local number. If you receive a call demanding money, end the call, look up the actual phone number, and call to confirm.
At the end of the meeting, Special Agent Nigro reiterated the importance of reporting. If you see something that is concerning or stands out – even though you haven’t clicked on it – report it.
Resources
Reporting Business Email Compromise (PDF)
Business Email Compromise (PDF)
Increase in W-2 Phishing Campaigns PSA (PDF)
Ransomware (PDF)
Special Agent (SA) Carmine Nigro has been employed with the Federal Bureau of Investigation (FBI) for over 30 years. He entered on duty as a Special Agent in December 1987. In March 1988 SA Nigro was assigned to the Houston Division. Prior to his transfer to the Boston Division, SA Nigro served in New York, Rome, Italy, and FBI Headquarters, Washington D.C. In May 2000, SA Nigro was transferred to the Boston Division where he supervised a Special Operations Group. In April 2004, he was selected by the FBI Boston Executive Management to establish a Field Intelligence Group. In February 2008, SA Nigro was appointed as the Counterintelligence Strategic Partnership Coordinator. In December 2016, SA Nigro was designated as the Private Sector Coordinator for the FBI Boston Division.