Apr 11, 2017 - 2:00pm

Business Beware: That Email Might Not Be What You Think



Chief Information Security Officer, U.S. Bank Corporation

Evaldas Rimasauskas.

That’s a name that probably doesn’t mean anything to you, but it should. Over the past few years, Rimasauskas orchestrated a sophisticated scheme that tricked two U.S.-based internet companies into wiring over $100 million to bank accounts he controlled. Thanks to the cooperation of the victim companies, their financial institutions, and law enforcement, Rimasauskas was arrested in Lithuania.

The Rimasauskas case should serve as a reminder to companies of all sizes that they can be victims to sophisticated phishing schemes called business email compromise (BEC). The FBI reported last June that over $3 billion had been lost as a result of BEC schemes.

During this type of scam, a company’s finance department receives an email thinking it is from the CEO or another executive directing the department to immediately send funds via wire. The email, however, is not from the CEO and your money gets sent to criminals who spoofed or otherwise hacked the email account.

At U.S. Bank we are also seeing tax season variations, asking for sensitive employee W2 data.  Sometimes the email is even accompanied by a phone call from a consultant to make the scam even more plausible. 

As the chief information security officer of a large bank, I worry about protecting our organization. But more often I see our clients falling victim to this scheme. Businesses come to us when they discover fraud. In some cases, if noticed quickly, banks can stop the wires. Yet once the transactions are complete, the money is usually gone.

That can be devastating to a business.

And if it’s your employees’ sensitive W2 data, nothing can be done to get it back—businesses have to go into credit protection mode. What can you do?

Talk about these schemes with your finance department, human resources, and your CEO. Ask them to be suspicious of emails that seem out of the ordinary or that come from unusual email addresses. If you get one, don’t hit reply. Pick up the phone and call the person you’re expecting the invoice from. Create a culture where caution is encouraged. 

Further, consider implementing dual authentication for money movement (e.g., wires, ACH) above certain thresholds. Verify changes in payment information to vendors and suppliers. Be judicious with information about your company and employees that is available online.

Finally, have a response plan for what you would do, quickly, if you fall victim. This should include your bank and law enforcement.

Security Hygiene

BEC is just one cyber risk that businesses face. With threats changing daily, we recommend you implement good security hygiene. These tips are meant to help prevent an attack and if one does occur, to get back to business quickly:         

1. Implement the Basics

Smaller businesses may not always have the luxury of a large information security budget. Use your resources wisely and take these basic, low-cost steps.

  • Maintain security patches—outdated computer operating systems are extremely insecure.
  • Remove or strictly control administrator/privileged accounts or access rights to information and email.
  • Use strong authentication (e.g., one-time PIN tokens) for remote access to the network or remote email.
  • Ensure anti-malware controls are in place for email, servers, and workstations.
  • Log and monitor systems and networks.

2. Educate End Users

Training end users—your employees and your executives—is paramount. Teach employees what kind of emails and hyperlinks to avoid, what type of passwords (or stronger authenticators) to use, and what information should never be sent over email. To keep pace with emerging cyber threats, employee education must constantly evolve.

3. Have a Game Plan

Every business needs to have plans and protocols in place before an incident occurs. Response planning and recovery drills ensure that all relevant parties will be notified of an incident and will know what to do. Include your counsel, communications team, executives, board of directors, and law enforcement partners when planning. Then exercise your plan. You can file a complaint with the FBI if you’ve been targeted by BEC or another scheme.

4. The Buck Stops Here

Assign one person by name to be accountable for your information security program. For smaller organizations, this may be an added responsibility for an existing person. That person needs to understand your risk tolerance and ensure controls are put in place to manage your program.

5.  Stay Engaged

The cyber landscape changes daily. Join an Information Sharing and Analysis Center if your industry has one and sign up for the U.S. Chamber’s cybersecurity newsletter.

More Articles On: 

About the Author