A chance phone call saved a midmarket Front Range firm from losing about $100,000 to hackers posing as its own chief financial officer.
The hackers had breached the CFO’s Office 365 account via malware and lurked there for more than a month, gathering intelligence and sending emails. The money had already been sent when the ruse was discovered, just in time for the company to contact its bank and have the disastrous SWIFT transaction reversed.
It was the nearest of near misses, Peak InfoSec CEO Matthew Titcombe said, and it shouldn’t have been that way.
Like many small and midmarket businesses, he said, the company had holes in its cybersecurity protections and missed some critical “tells” before realizing they’d been hacked. Looking for help, they contacted Peak InfoSec late on a Friday afternoon.
“The accounts payable person just happened to get on a phone call with the CFO who was out of town and in that conversation, they discovered she’d been responding to an email thread from him to complete an accounts payable that had just come in that morning that he ‘had missed,’” Titcombe recalled. “Who knows how long they’d had his account. They just took their time. The hackers had gone all the way back through his emails — at least two years back — to find some screenshots from when [the company] had initially set up with this bank, and they were emailing the set-up back and forth.
“[Posing as the CFO,] the hackers sent the accounts payable person these screenshots, saying, ‘I can’t log in to the bank to do the ACH — can you reset my account?’ So she’d done that, and it just happened to be that during this ad hoc call on a totally different topic, they realized there was a financial fraud attack.
“The hackers went back through his entire history of emails to figure this attack out. They were also monitoring it to see when he was going to be out of town. … If you’re out of town, it’s more likely to succeed.”
It’s the kind of scenario that plays out in SMBs across the country, catching too many off guard, according to Cisco’s new “Small and Mighty” Cybersecurity Special Report.
This is the first year for the report, and Cisco’s stated aim is to give smaller organizations a real understanding of the risks they face, along with cybersecurity guidance for the future.
Hackers target smaller firms
SMBs are increasingly the focus of cyber attacks, the report says, and often serve as a launching pad or back door for bigger cybercrime campaigns. Yet only 38 percent of SMBs have an active cyber risk strategy in place.
“Many small/midmarket businesses are only beginning to realize how attractive they are to cybercriminals,” the report said. “Often that realization comes too late: after an attack. Recovering from a cyber attack can be difficult and costly — if not impossible — for these businesses.”
Titcombe said the Front Range business his team helped was very lucky.
“It just happened to be an end-of-month close-out question that led them to talk about this,” he said. “Thankfully this one got caught because that hacker — over the weekend — could’ve done a lot more direct transactions. So you give away your financial keys to the kingdom at that time.”
It’s important for SMBs to know that Office 365, Gmail and every other cloud-based email service are under perpetual brute-force attack, Titcombe said. It’s also important for them to understand that hacking is not personal, and being small is no protection.
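To make that brute-force pressure concrete, here is an added example, written for this page and not code from Peak InfoSec, Cisco or the article, that runs three simple detections over sign-in audit records: repeated failures against one account from one address, one address trying many accounts (password spraying), and a success that follows a burst of failures, which is the sign-in that actually matters. The log lines and their comma-separated format are constructed for the example; real Office 365 or Google Workspace audit exports carry different fields, so the parser would need adapting.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (invented for this example, not real logs).
# Assumed format: timestamp,account,source_ip,result
SAMPLE_LOG = """\
2018-06-15T02:00:01Z,cfo@example.com,203.0.113.7,Failure
2018-06-15T02:00:09Z,cfo@example.com,203.0.113.7,Failure
2018-06-15T02:00:17Z,cfo@example.com,203.0.113.7,Failure
2018-06-15T02:00:25Z,cfo@example.com,203.0.113.7,Failure
2018-06-15T02:00:33Z,cfo@example.com,203.0.113.7,Failure
2018-06-15T02:00:41Z,cfo@example.com,203.0.113.7,Success
2018-06-15T02:10:00Z,ap@example.com,198.51.100.9,Failure
2018-06-15T02:10:05Z,ceo@example.com,198.51.100.9,Failure
2018-06-15T02:10:10Z,hr@example.com,198.51.100.9,Failure
2018-06-15T02:10:15Z,it@example.com,198.51.100.9,Failure
2018-06-15T09:00:00Z,ap@example.com,192.0.2.44,Success
"""


def parse_log(text):
    """Parse the constructed CSV format into events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip,
            "ok": result == "Success",
        })
    return sorted(events, key=lambda e: e["ts"])


def _add_alert(alerts, seen, kind, **fields):
    """Record an alert once per (kind, user, ip) so a burst does not spam."""
    key = (kind, fields.get("user"), fields.get("ip"))
    if key not in seen:
        seen.add(key)
        alerts.append({"kind": kind, **fields})


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=3):
    """Sliding-window detections over sign-in events.

    brute_force:            >= fail_threshold failures for one (account, ip) in window
    password_spray:         one ip failing against >= spray_threshold accounts in window
    success_after_failures: a success for (account, ip) right after such a burst
    """
    alerts, seen = [], set()
    fails_by_pair = defaultdict(list)  # (user, ip) -> failure timestamps
    fails_by_ip = defaultdict(list)    # ip -> (timestamp, user) of failures
    for e in events:
        start = e["ts"] - window
        pair = (e["user"], e["ip"])
        if e["ok"]:
            recent = [t for t in fails_by_pair[pair] if t >= start]
            if len(recent) >= fail_threshold:
                _add_alert(alerts, seen, "success_after_failures",
                           user=e["user"], ip=e["ip"], failures=len(recent))
            continue
        fails_by_pair[pair].append(e["ts"])
        fails_by_ip[e["ip"]].append((e["ts"], e["user"]))
        recent = [t for t in fails_by_pair[pair] if t >= start]
        if len(recent) >= fail_threshold:
            _add_alert(alerts, seen, "brute_force",
                       user=e["user"], ip=e["ip"], failures=len(recent))
        targets = {u for t, u in fails_by_ip[e["ip"]] if t >= start}
        if len(targets) >= spray_threshold:
            _add_alert(alerts, seen, "password_spray",
                       ip=e["ip"], accounts=sorted(targets))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input the CFO account trips the brute-force rule on its fifth failure and then the success-after-failures rule on the sixth line, which is the one worth paging someone about; the second address never crosses the per-account threshold and is caught only by the spray rule. The thresholds and window are assumptions to tune per tenant.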
“Unfortunately they’ve got the expectation: We’re small, we’re not a target,” he said. “But the hackers are there to make money. They don’t care who they’re stealing from. … They’re going to see how much they can take from you — take it and run. When you look at the financial value for a hacker, the up-and-coming ones right now, aside from China, are India and Brazil. … [In India] if I can get a ransomware hit for $1,000, that’s a big paycheck for the year. If I can get a $25K, $50K, $75K transfer — I’m rich!
“When you look at it from that point of view, hackers don’t care, because we’re rich in comparison to them.”
Steps to take
For SMBs, Titcombe recommends three immediate and manageable steps:
• For antivirus and anti-malware, switch to the affordable but effective Sophos Intercept X for real-time threat protection and solid endpoint protection.
• Install a better firewall — Fortinet is a good example. (“Don’t depend on what comes from Comcast,” he said. “Hackers make those things speedbumps.”)
• Move to two-factor authentication “for everything, everywhere” — bank logins, all financial transactions, PC logins, Google and Office 365.
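Two-factor authentication is the item on that list that would have made the stolen CFO password insufficient on its own at the login step. As an added example, written for this page and not from Peak InfoSec, Cisco or any vendor named above, here is the time-based one-time password scheme (RFC 6238, built on RFC 4226 HOTP) that Google, Microsoft and most authenticator apps implement, with a verifier that tolerates one step of clock drift but refuses to accept a code twice. The secret is the published RFC test-vector secret, so the codes can be checked against the RFC; the login flow in the main block is assumed.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890"),
# used here so the outputs can be checked against the published values.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, last_counter=-1, step=30, window=1, digits=6):
    """Verify a submitted code. Returns the matching counter, or None.

    window allows for clock drift (one step either side). Counters at or below
    last_counter are rejected so a code captured by malware or a phishing page
    cannot be replayed once it has been used. compare_digest keeps the
    comparison constant-time.
    """
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    # Assumed login flow: the password check (not shown) passes, then the second factor.
    now = 59  # 1970-01-01T00:00:59Z, a published RFC 6238 test time
    code = totp(TEST_SECRET, now)
    used = verify_totp(TEST_SECRET, code, now)                        # accepted, counter 1
    replay = verify_totp(TEST_SECRET, code, now, last_counter=used)   # rejected
    print(code, used, replay)
```

The server must persist the last accepted counter per user for the replay check to mean anything, and the per-user secret must be generated randomly and stored like a password hash would be; the fixed RFC secret here is only so the values are verifiable.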
SMBs also need to take a hard look at who’s handling their cybersecurity efforts, he said.
“I think the biggest problem a lot of businesses have is they think their IT company knows how to protect them,” Titcombe said. “Or they’ve got somebody who’s a part-timer, who’s an engineer or in HR … next thing you know, they’re the ‘IT expert.’ But they’re really not qualified to be doing this, and they don’t understand the threat landscape.”
Cisco’s report confirms that SMBs face particular challenges in terms of affording and managing people, processes and technology for cybersecurity — but it urges them to take action.
“A final recommendation for small/midmarket businesses … is to recognize that incremental change is better than no change,” the report said. “In short, they should not let a desire to be ‘perfect’ in their security get in the way of becoming ‘better.’
“Perfect, as in all things, does not exist.”