True crime: anatomy of a cyberattack webinar

Tammy Gedetsis (00:04):

Thank you for joining me today. I'm Tammy Gedetsis in Enterprise Security Services. Today's session we're going to talk about True Crime: The Anatomy of a Cyber Attack. This story that we're going to talk about today is a real case of business email compromise, and we have changed some names and details to make sure that we're protecting the innocent.

(00:24):

I'm really excited to have this conversation today. Throughout the presentation, please, we want this to be interactive, so send us your questions through chat, and we will address as many of those as we can at the end of this session. I have a wonderful guest panel with me here today. I have Kristi Deason, who is our Senior Client Manager in Middle Market. I have Eric Balish, who is from the US Secret Service. He is the Assistant to the Special Agent in Charge. And then to my immediate left, I have Kevin Brown from the FBI, who's the Acting Supervisory Special Agent in the Cyber Criminal Squad. To get us started today, Kristi, can you tell us a little bit about what happened on April 22nd?

Kristi Deason (01:11):

Sure thing. It was a regular morning. Got ready to plug into work, pulled up my email, started going through them. Looked through what was urgent and took care of what I needed to. One stood out. It was a forward from an internal partner, and it was requesting to add somebody to a relationship. Couple things were interesting. It was addressed to teammates that were part of a shared client relationship. I didn't really recognize who it was coming from. "Hi, KeyBank team. We have a new trustee and would like to add and enroll Dean Christ. Alberson, Chief Financial Controller, to the signature card of all our accounts to have full admin and full transactional access. Attached as a copy of his driver's license, mobile number, and SSN number is redacted. Kindly email me required document/information needed to complete the enrollment. @Dean., Please follow up with Mrs. Doe. Thanks."

Tammy Gedetsis (02:16):

Kevin, can you talk to us about, we saw this email, what came through, are you seeing this often? Is this normal, and how does the FBI hear about it?

Kevin Brown (02:27):

Sure. We see it quite frequently. The statistics you see are generally increasing each year in the number of complaints we receive and the dollar value of loss that we see. The Internet Crime Complaint Center is generally how we will receive most of these threats. It is ic3.gov, and it's just a way for the public to report anything that's happened crime wise related to the internet, anything from business email compromise and ransomware to identity theft or extortion and anything in between.

Eric Balish (03:03):

It's important to put this stuff out there and get it onto these specific sites. That data can be data mined from various agencies. We're really designed to try to utilize that in such a way where we can catch these individuals. Your company, your business, you may be thinking, "Hey, I don't want to report this, it's something we're not proud of." But your piece of data, the things that you may put out there for law enforcement to recognize may be important, may be a key part of something that we can utilize to catch those individuals down the road.

Tammy Gedetsis (03:41):

Business email compromise isn't the only type of attack that we're seeing. A lot of times what we see too, I know at the bank, we'll see layered attacks that are happening. So Eric, do you want to start talking a little bit about some of the other attack methods we're seeing and how you're seeing them reported and what your clients look out for?

Eric Balish (03:59):

Sure. There's a lot of buzzwords when it comes to business email compromises, ransomware. We've all heard phishing schemes. All of these things are really designed at one thing: to try to get something of value from your company or your business or from your person, whether it's financial or whether it's intellectual property. When you're dealing with, let's say, a business email compromise like in the email that I read a little bit ago, you have some information where a person who appears to be a trusted source is asking you to do something. It's changing some financial information about a transaction, if it's trying to get you added to an account so that someone down the road may be able to utilize that to gain some financial information, those things are what basically comprise, in essence, business email compromise.

(05:03):

Another attack that, like I said, we've often seen is phishing. I've just got one this morning from my email. It can be something as simple as, "Hey, look at this email from Amazon. You had something, your account's locked out. Click on this, and we'll be able to take care of it." By clicking on that, by you clicking on that, by someone in your organization clicking on that, that can give an attacker a way into your system to basically utilize down the road.

(05:33):

Spoofing is another factor that we see often used. That can be something as simple as an individual has an email address, it looks, again, like it's coming from a trusted source. But when you take a look at that email address, that email address is really not theirs. There may be another letter added to it or another punctuation item added, which will completely change where that email is going to.

(06:02):

And then obviously ransomware, which I'm sure a lot of you have heard about, where the bad guys will get in and basically corrupt your system, encrypt everything, and basically ask you for money to get the data back from you for that ransom. These particular crimes themselves, when we're talking about business email compromises, ransomware, phishing, they're all an integrated attack. Your company or organization may not just be targeted by one of these attacks. It's likely that there is a multi-layered approach which the bad guy is using to attack. They may use a phishing attack to gain access to your company. They may sit on your network for a number of months or years gathering intelligence data, figuring out who the individuals are to target when you're talking about financial transactions. They may then decide to use a spoofing attack to say, "Okay, hey, I want you to change that information from Jane Smith to Joe Smith and use this email address." So it's really a multi-layered attack that organizations should be looking for in order to really protect themselves against these attacks.

Kevin Brown (07:19):

I'd like to add to what Eric said. The numbers of complaints that we're seeing related to each of those topics are continuing to increase each year. In particular, phishing and smishing, there were roughly 325,000 complaints received by IC3 in 2021 alone for phishing and smishing. An easy way for actors to get access to your network, like Eric had mentioned, and an easy way to get into a business email compromise or ransomware end game scheme that they're looking for. That's something we really want to pay attention to.

Eric Balish (07:50):

And it's really something that organizations have to take a holistic approach to. We can talk to CEOs, we can talk to executives that these things are happening, but it's really the entry level, your baseline workers who can basically be the start of these attacks. Once one individual in an organization clicks on that link, the attacker may be in, that's all they may need. Again, it's more about education on a whole approach to an organization to prevent these attacks from occurring.

Tammy Gedetsis (08:25):

I think we hear a lot about ransomware because that's a bit flashier, and so we see that on the news. I think we've all seen the news stories, but really when we look at the numbers, is that really pointing to ransom being the biggest threat, or are we seeing other incidences happening more?

Kevin Brown (08:42):

Sure. Ransomware, it is a big deal, and it certainly gets a lot of press, especially when it happens to critical infrastructure, gas and pipelines and agriculture and things of that nature, and it is a very important topic to pay attention to with significant dollar loss, as you can see. However, business email compromise, we had roughly 20,000 complaints in 2021 for business email compromise for nearly 50 times the dollar loss value. So we're talking about tens of millions to billions of dollars in comparing ransomware to business email compromise.

Eric Balish (09:16):

You can see that the incidents are decreasing over time, but the loss is a greater hit to organizations. It's very difficult when you look at these numbers. Large corporations may be able to take a substantial hit during one of these incidents. A mom-and-pop shop may not be. So these can be crippling to organizations in the long term.

Tammy Gedetsis (09:42):

Let's talk a little bit about who these threat actors are. Kristi, when you initially saw that this wasn't a valid email, and you go through a lot of training working at a bank, so we talk about it quite often, what was the image in your head of who you thought these threat actors were? What were you envisioning?

Kristi Deason (10:06):

I've always just envisioned someone in a dark hoodie sitting in a basement, tapping away at their computer, hoping to get somebody to bite on their email and grant access or hand over financial information that they shouldn't have.

Tammy Gedetsis (10:21):

Right. Kevin, is it a teenager in a hoodie in a basement trying to get information out of these companies?

Kevin Brown (10:29):

Those folks are certainly out there, it's not to say that they don't exist, but what we see generally when we talk about ransomware, particular variants that are out there, and business email compromise in particular, they're very sophisticated criminal groups. They have specific hierarchies, management and developers. They have recruiters that go out and try and find folks for their money mule network to handle their finances, to launder their money. They have different groups that will work on initial access, your phishing campaigns and things of that nature. Very structured, very organized criminal groups that are there specifically to make money. That's their job. They're set up very much like the corporate world.

(11:09):

You can see also separate companies that might be specializing in initial access type activity that organized groups will go to for that assistance.

Tammy Gedetsis (11:20):

So they could be having a company picnic just like we are, right?

Kevin Brown (11:22):

Right.

Tammy Gedetsis (11:24):

And gathering together. So I think that's part of it too, like this isn't a personal thing, they consider this business. They have an ROI just like our companies do, and that's something that we need to keep in mind as we're trying to protect ourselves.

Kevin Brown (11:36):

Absolutely.

Tammy Gedetsis (11:37):

Yeah. Would one of you like to comment on this? I think as we're looking at the numbers here on this slide, what I see here is really anyone can be a target. Is that what you're seeing?

Eric Balish (11:51):

That's typically the case. I mean, each corporation is taking a look at how they do business, where they put their money, and what security measures are put in place. When you're taking a look at the chart, if you look at the top, obviously the public administration, defense, Social Security, those things are targets for a number of reasons. They're targeted for cyber espionage sorts of activities, as well as some financial portions of it. But as you look down the entire matrix of organizations, everyone here is at risk. It doesn't mean that just because you're in the mining, the quarry, the tunnel boring industry that means you're somehow going to be precluded from these attacks. Those attacks may hit you harder. They may go after you knowing that they may not have the security measures of, let's say, a Social Security or some other public administration field.

(12:49):

Everybody is really at risk here to being a victim of these sorts of scams. So it's in the company's best interest to, again, I go back to that whole approach of making sure that everything is looked at from employees to education to the infrastructure that's put in place to ensure that these sorts of activities are not occurring, and if they do occur, how you can mitigate those.

Tammy Gedetsis (13:15):

No, I think that's a great point. Anything to add, Kevin?

Kevin Brown (13:18):

No, I completely agree. The simple reality is that everyone's a target, and it could be for a variety of different reasons. It doesn't really matter what the reason is. You have to understand that you're a target simply by the fact that you're operating online in your business and individual world, and you have to protect yourself.

Tammy Gedetsis (13:36):

Kevin, you heard a little bit about the story that Kristi was telling us with this incident. Can you talk about where you think the fraudsters were in this process? And maybe even talk a little bit about this, because I think sometimes when people think about an attack, they think the attack just happens and that's it. But that's not necessarily the case, right?

Kevin Brown (13:57):

That's correct. When you look at the cyber kill chain there, as that's known, they'd very likely spent a lot of time doing reconnaissance understanding how that company acted, how they conducted their business. They were probably already in the network to have access to the email and had done lots of research as far as how people communicated, who were the folks that were sending money back and forth and why. And they waited for an opportunity to set themselves up to get in the middle of a financial transaction.

(14:32):

You'll see folks spend months worth of time in a network simply observing activity so that they can best prepare for an email like that. You can also see just a simple phishing attempt where they'll do their reconnaissance, to the left of that chain there, they'll do their reconnaissance and they're sending an email like that simply to get the initial compromise to try to get one single transaction as well. So it could have been either of those scenarios. The point simply being that they do spend a lot of time trying to understand how companies operate and who the players are within those particular companies.

Eric Balish (15:08):

We have to take a different approach on how we view these criminals. We talked about the organizations that they operate as. Normally you would see criminals going after the quick score. I'll use the investigations that we deal a lot with in counterfeiting. Someone has to manufacture a counterfeit note. They have to then go out and pass that note. They get some return on their investment. Hey, they get a quick $100, $50, whatever that might be. These organizations will take days, months, years to do their reconnaissance in order to get that one big payday. So just because you haven't been hit, you're like, "Hey, nothing's been going on in the last six months," someone may be sitting in your network, someone may be doing their reconnaissance. They may be actively moving towards that BEC where they're going to start sending emails to say, "Hey, wire this money over here instead of over there." Those things, we have to really take a look at how the criminal actors are evolving, and we have to make sure that our approach to security is evolving as well.

Tammy Gedetsis (16:13):

Should companies also be careful about what information is available and out there? Because part of this you talked about is that they're going in there doing their research, and there's a lot of information out there. So should companies be thinking about what they're putting out there and making easily accessible to help protect themselves?

Kevin Brown (16:32):

Absolutely. When we talk about reconnaissance, it's not just how the company operates. If they identify you as a key player that they see as important to the scheme that they want to enact, they're going to do their research on you as well. They're going to look at your Facebook page if they can, Instagram, Twitter, whatever it might be, where they can understand you better so that they can give a spear phishing email in something that you would very likely click on or open. They're absolutely going to do their homework.

(16:58):

We like to talk about how companies and organizations need to have open communication at all levels of the company. It needs to start right at the top with C-suite folks and down to every single employee in the organization. They need to understand what access do they have to their networks and to the things that matter to the company, the crown jewel so to speak, and how their access plays into what they do on a daily basis because it's going to point to their victimization or possible victimization and how folks are going to look at them as an end to whatever attempt of crime they're trying to do.

Tammy Gedetsis (17:36):

I would say probably also, as you're understanding that and understanding what's happening within your company, also things like having layers of permissions and who has access to what, knowing who within your company has access to what, so that if something does get compromised, how much access they're going to have? To your point, spear phishing, they're going to go after somebody who has the keys to the kingdom, whatever that may be within the individual's company, so that's something to keep in mind.

Eric Balish (18:03):

Kevin and I, we were talking before we got on stage here, we preach this constantly. Sometimes for us it's, "Hey, it just seems like we're going over this," but because these crimes are so lucrative and companies can still be very vulnerable in these places, we continue to need to tell people, "Look, you have to do these things otherwise you will be a victim." Once you become a victim, it's much harder to mitigate those damages than before. Oftentimes, we work a number of different cases. As you saw, there were 20,000 or so BEC cases in 2021. That's a lot for us to investigate. We may not see the payoffs of a prosecution for months or even years down the road, and by that time, your company may not survive that sort of financial hit. So it's imperative that everybody gets on board to realize that these are threats and they're still occurring each day.

Tammy Gedetsis (19:03):

With that, let's start talking about what are some of those red flags, what are the things that companies should be looking at and maybe examining a bit closely when an email comes in or any type of communication really. I know we're focusing on business email compromise, but I really say these red flags, it's any source of communication that you're getting because these threat actors are using every avenue possible to try to get at the information that they want. So Kevin, can you maybe talk a little bit about them playing on the emotions and what are some of the red flags that you should be looking for.

Kevin Brown (19:38):

Sure. Generally, a sense of urgency is one that you see pretty frequently. There's some sort of emergency, there's some sort of reason why this needs to be handled right now. And that's simply because we respond to that. As human beings, it's something that we respond to very easily, and we want to make sure we're doing what needs to be done the way it needs to be done. So they'll play on that emotion quite frequently.

(19:59):

When we are looking at emails or text messages, things of that nature, in its simplest form, if you don't know who that's from and why you're receiving it, don't click the link, don't open the attachment. Take your time to verify. Make a phone call to a known phone number, or reach out in the company directory and ensure that there's a reason you're receiving that information. Our instincts are pretty good as human beings, and when you start feeling that instinct, you start asking yourself, "Is something wrong here?" there probably is. It's really that simple. It's just a lot harder for us to get ourselves past that hurdle to actually make the call and say something's not right here.

Tammy Gedetsis (20:40):

Yeah. I always say, "If your spidey senses are tingling, it's probably a signal that something is not right, not normal."

Kevin Brown (20:48):

It's certainly a lot easier to make that call and be wrong and say, "Hey, I need to wait an extra half hour to do this particular financial transaction because I need to verify it." It's a lot easier to do that than it is to try to get the money back after you send it somewhere it shouldn't have gone.

Eric Balish (21:02):

Wording, punctuation, all of that stuff as well, as you're reading something and it doesn't make sense to you or the grammar isn't exactly right. Spell-check's a wonderful thing, so generally our spell-checks will catch that sort of thing and will correct it. But sometimes in the rush to send these emails out, you have foreign actors sometimes sending them out who don't understand all the specific lingo that goes into a normal email that you wouldn't normally hear. Again, be cautious of that. If you suspect that there's something wrong or it doesn't sound right, immediately hold off on that, like Kevin said, and make sure that everything's authenticated appropriately.

Tammy Gedetsis (21:46):

I think you made a good point earlier too around it being a part of the company culture is I think you need to empower your employees to know, "It's okay-

Eric Balish (21:54):

Absolutely.

Tammy Gedetsis (21:56):

"... If this is spiking some kind of emotion, pause, take a breath, verify it." And do that as a part of your company culture to say, "It's okay that you don't act immediately. Verify first." I think that goes back to that education, right, making sure everybody's comfortable doing that.

(22:15):

Kristi, let's take it back to your example. I think what Eric and Kevin just talked about for the red flags certainly came into play in this email that you received. Do you want to talk to us a little bit about some of the things that made you question the email and tie directly back to the red flags we're talking about?

Kristi Deason (22:35):

Sure. Yeah. First thing I noticed was the email address. The last name of the new trustee was spelled wrong in the email, and then it was at a non-company email address. So it came from accountant.com rather than the organization itself. The wording was not how clients typically request to have those kinds of things done. The time of the email was also long before business hours, and that person would not have been sending the email at that time. It was addressed to two partners at KeyBank who would've taken care of part of that relationship, but it came from somebody we don't ever get requests from. The email was from somebody who actually is at the company. The company logo was on the bottom. It was real contact information, it just didn't feel right.

Tammy Gedetsis (23:37):

Okay. How did Key respond? What did we do?

Kristi Deason (23:42):

The first thing I did was I reread it a couple times and then I reached out to the client, specifically the contact that I work with there, and I said, "It sounds like you've got a new person on board. Do you happen to know the sender of the email?" She replied that she did know who the sender was but had not heard of this new trustee controller. I asked if she would please make a phone call and confirm legitimacy. We heard back from her within an hour that it was not correct.

(24:19):

I worked with our fraud department, we reported the incident. They recommended the client scrub their system. The client reported it to a local law enforcement and also had their IT department come in and do a full system review.

Tammy Gedetsis (24:38):

The importance of reporting and letting us know. For our clients, from a perspective, if you see something that feels suspicious, doesn't feel right, we want you to report that right away. The sooner we know something is not right, the quicker we can start taking actions too. And depending on what type of transaction it is, maybe with a wire doing something like kill chain. But make sure that you're reaching out to your payments advisor, reaching out to your relationship manager, or calling directly to our fraud hotline. If you get a smishing text message that doesn't look right or a phishing email, you can send that to our reportphish@keybank.com. And then from an FBI perspective, if something's happening, after you call your bank so that we can start doing what we need to do, we certainly want them to report it, correct?

Kevin Brown (25:29):

Absolutely. We say all the time, when there's a potential financial loss involved, your first call always needs to be to your bank. The second thing you should do is go to ic3.gov and report the incident. Anything that's internet crime enabled should go into ic3.gov. It's the single best repository for that information. It really informs us as to trends that are occurring across the country. It helps us develop things we call pins and flashes and information notices to the general public and the private sector folks, letting them know what we're seeing as crime occurs, all of which can also be found on ic3.gov. It's a great place to go.

(26:12):

If you want to educate yourself further even beyond just the reporting, you can go to fbi.gov for general scam information or even cisa.gov and stopransomware.gov. They're all great places for information as far as what's happening out there. The point simply being, many of those products are informed by the information we get from ic3.gov.

Tammy Gedetsis (26:35):

I know the stopransomware website has some great toolkits and information that the clients can use and look through and there's best practices and tips and toolkits that they can actually take out of the box and start using, so it's great information.

Eric Balish (26:53):

Wherever your company's located, there's generally either a Secret Service office or an FBI office. So if you need some more personalized questions or attention, always feel free to give them a shout. They may be able to help you with something that you may not understand. Or if you're trying to report on something that hasn't been able to get into the database, let those offices know and they'll be able to lend some assistance to you.

Kevin Brown (27:19):

Tying back to what we were talking about earlier as far as the culture within the company, one of the things you want to have is a relationship with law enforcement, like Eric was saying. That relationship ahead of time so that you know who to call when you have an incident is really important. ic3.gov or any of these other places to go and physically type in the information are really important. But you might have an incident that's beyond, that's bigger than that, that you really need some attention on right away. And that's where making that call that Eric's talking about really matters. There's certainly general numbers to any of our offices that you can call, but there are also folks just like us in each of those offices that you can develop relationships with now so that you can just run things by them and say, "Hey, we saw this, what do you think about that?" And they can help you.

Eric Balish (28:06):

If it's reported in a timely fashion, there are tools that are available to basically try to mitigate things quicker. Let's say you wired something to an illegitimate wiring account, there may be opportunities to get some of those things back. The longer you wait, the harder it is. I'm going to toot our own horn a little bit here. We had a case not more than six months ago from a local company. Came in, immediately identified that there was something suspicious after they sent a wire. We were able to at least help them mitigate some of their losses because of that timely reporting. Again, the longer you wait, the harder it is for law enforcement to be of assistance in those initial stages.

Tammy Gedetsis (28:50):

I'm sure you get this question a lot. We say it's important to report. Great, they've taken that step, they've done the reporting. Do we catch them?

Eric Balish (29:00):

So much like the criminal groups themselves take months, years to perpetrate an attack, the prosecution goes that same way. So it may take us months or years to basically put the pieces of the puzzle together. When an incident's reported, it's unlikely that your company, your organization is the only person that this particular individual or group of individuals or organization has targeted. We're basically putting the pieces of the puzzle together from your incident as well as other similar incidents to try to locate and figure out the nexus of where that specific crime is coming from.

(29:37):

In addition, we have a lot of that stuff that is originating overseas, so that takes a bit of time to work with local law enforcement in other countries. The answer to that question is, it does. We do catch these individuals. It may not be at the rate and speed that companies or organizations may like, but we do have some success in trying to bring down an organizational structure, as Kevin was describing, to basically ensure that this doesn't occur. It's not all overseas. We've had some instances, some cases here in our office locally where money has been wired, not overseas, but to individuals here in the United States. We've had some success in retrieving some of those funds for those particular companies.

(30:24):

Now, it wasn't the be-all end-all for them, it didn't help them a whole lot in their financial status, but at least it was something that we could help them mitigate once that incident occurred.

Kevin Brown (30:39):

Yeah, I agree completely with Eric. There is success, and there are times like the pipeline attack last year or REvil and Sodinokibi arrests that were made that were very publicly known ransomware incidents. But there's lots of times where things happen behind the scenes that you might not get the press release for, you might not see it, where we're taking down infrastructure or we're going after the larger group and we're indicting them and maybe placing sanctions on them or working with foreign partners to try to extradite folks back here to go through the actual legal process. It does take time, but we absolutely are successful. The only reason we can be successful is when we collect the information from the folks that are victimized. That really does start with that initial reporting and working with your IT folks and getting some really good technical artifacts from your systems if you're victimized by these bad guys.

Eric Balish (31:37):

Bad guys are using that data. They collect it, they pass it on, they use it to their advantage. We need to do the same. That's why that reporting becomes critical.

Tammy Gedetsis (31:46):

So now that we've talked about all these things that are happening and we've sprinkled some best practices in throughout, but let's talk a little bit about what are those things that our clients can be doing on a regular basis, on an everyday basis, from the individual in the company all the way through, what are the things that they should be doing to help protect themselves? Kevin, do you want to talk about a couple of these?

Kevin Brown (32:07):

Sure. I think it really starts with communication. It really starts with that conversation with everyone in the company, as I mentioned, that culture of paying attention to security, to protecting the company assets, whether they be financial or the secret sauce, so to speak, whatever that is. That conversation, that discussion about why that matters and how you fit in is super important.

(32:32):

I also think you need to pay attention to updates. We talk about the IT specific things, updating your systems, your hardware, your software, making sure everything is working properly. When we talk about ransomware, one of the best ways to protect yourself from ransomware attacks is to have really good backups that are offline, that can't be accessed by the actors, and then being able to work through that process of restoring from those backups, practicing the plan that you have in place, that you have written down, all things that really can help you survive an attack and maybe not be so affected.

Eric Balish (33:10):

If you look on a cost basis, communication is really the cheapest way. So if you can instill in your employees, in your company that this matters to us, that's going to save you money in having to buy necessarily hardware for doing certain things or having to respond to an incident. Obviously those things still can occur, you still have to plan for that, but by communicating all it is sending out an email, having webinars like this, anything that you can do to get that information out to the rank and file, that becomes critical and basically show the company that, "Hey, we do take this seriously. We don't want the company to be victimized." Because if you think about it, if the company does become a victim and they do default or have to go out of business because of such an attack, the employees are getting hurt as well. Nobody wants that end game. We all want to try to fix that, get it under control, have that security in place and be mindful that that is truly an important avenue that we need to address.

Tammy Gedetsis (34:20):

I think we've talked about a lot of some of the best practices. I think the big ones too, and I know we talked about this before the session even started, is really trusting your instincts. But I always say verify. I'm suspicious of any communication in any channel that I get it in. If I get a text message and it's somebody I'm not expecting or I don't know who it is, I don't respond, I don't click on the link. It's really simple things like that that can help prevent some of these attacks. I think one thing sometimes we hear from clients is that they don't realize that phone numbers can be spoofed, Caller IDs can be spoofed, so you can't trust what you're seeing on your screen. Kristi mentioned this earlier in the way it looked like an email was coming from this address. If they're asking you to do something or click on something or open something, don't do it unless you're expecting it to come, and then verify with an outside unknown trusted number. I think that would stop a lot of these things at the get-go.

Eric Balish (35:24):

If you think about some of the phishing emails that come on, Social Security Administration, we've had issues with some of those sorts of emails floating around there. How often does Social Security Administration contact you-

Tammy Gedetsis (35:36):

Never.

Eric Balish (35:36):

... normally via phone or email or whatever, or any agency for that matter? They don't because they have an internal process in which you are required to communicate with them. They're not pushing this information out. So it's always good to, again, remember, "Hey, is that the normal course? Should I be expecting something?" If I am, then you can be less cautious than if you're like, "Hey, Apple's just sending me an email saying, 'Hey, I need to click on this because my Apple account is frozen.'" Those are the sorts of things you want to watch out for.

Kevin Brown (36:13):

I think simply put, it's just stay informed. Keep yourself informed as an individual as to what's happening in the community online. Go to, again, places like ic3.gov, look at the various scams that are out there, how they work, look at the different reporting of what specific types of crimes have been occurring over the last few years and understand basically how those things occur. That'll help you know that that email's suspicious or understand that text message didn't need to be sent to me, so I'm just going to ignore it. Just educate yourself, it's really that simple.

Tammy Gedetsis (36:49):

Yeah. The one we didn't touch on yet is around using strong passwords. I think the really big thing here is don't use the same password across multiple sites. Most of us have been in some data breach at some point, our data is out there, so simply put, if you have a password, you can't use it across different websites because if they've gained access to one, they now have access to all of your things. And they have software that they can use and then splash it out there to try to gain access. That's a simple one too, and making sure that you're using strong passwords, you're not using simple things like fall123, but really having strong complex passwords. We're human, we can't remember all these passwords. There are things like password managers that can help you manage that so you're not manually typing that into all the websites or remembering it.

Kevin Brown (37:43):

Tammy, I think that's a really good point about your information being out there in data breaches. Here in Cleveland, we have a dark web working group that both Eric's folks and ours at the FBI and the United States Attorney's Office, as well as some other organizations, we meet regularly to discuss what's happening, investigations related to the dark web. We see very often the sale of personal information is a big commodity online. You're absolutely right, using that information from a previous attack is an easy way for actors to get that initial access, that step two in that cyber kill chain that we were looking at.

Eric Balish (38:21):

One of the things we often hear a lot is that either, "I, myself, I don't have a lot, my company doesn't have a lot. Why would we be targets?" You're targets, you have information. Your information is the target. So that's what these individuals are going after and they can cause a lot of havoc. Again, always have a security mindset. Understand that you could be targeted at any point and that you will be targeted and your data, like Kevin was saying, is likely out on the free internet being bought and sold.

Tammy Gedetsis (38:54):

We've talked a little bit about what you're all doing. We've talked about what we're hoping our clients will do. So what is KeyBank doing? We're doing things like this. We're having webinars on a regular basis. We have information out on our website, key.com/cybersecurity. We update that on a regular basis. Just as Kevin was mentioning, out on IC3, we're posting similar content on a regular basis so that we can keep you up to date with the things that we're seeing, the threats that are out there, and how you can protect your company.

(39:25):

In addition to that, please have conversations with your payment advisor because there are a ton of products out there as well that could help assist you in various things. We have APIs that can help with the confirmation of accounts against BEC scams. Unfortunately, check fraud has not gone away, and it is increasing. Check fraud is still around. And so, there are products out there that can help make sure that if you issued a check the right payee name is on that. So make sure you're having those conversations because there are tools that can help you as well.

(39:58):

So now, we have been gathering your questions, so I'm going to switch here and we're going to let the audience ask us some questions so that if there's something we didn't hit or maybe something we can clarify for them. I think we talked a little bit, but is there anything we missed on the easiest way to spot a business email compromise scam? I think we hit on a lot of things throughout the conversation, but anything we missed there we want to reiterate for this audience?

Kevin Brown (40:28):

Just understand who it is that you're communicating with. The more you know about your regular course of business, you know what right looks like; if it doesn't look right, it probably isn't. Be suspicious of things that aren't in the normal course of business, the timing of the email that Kristi had mentioned, the slight difference in the domain name or the email name, whatever that might be. That's really a key to those business email compromises.

Tammy Gedetsis (40:55):

I know another thing we'll talk to our clients about is if you have a vendor that you normally do business with and then all of a sudden you're getting an email from them asking you to change payment information, whether it's where you're sending the payment or how you're sending the payment, so maybe you normally send them via ACH and now all of a sudden they're like, "Send me a wire to this new account number," that should be a red flag for you. So you should make sure that you are calling that known contact at a known phone number, not using the information in the email because then you could be calling the bad actor, and reaching out and verifying that. Because that does happen, there are some times where payment information changes. But we need to make sure that you're verifying that before you change any of that. That's another thing that I know we've seen on the banking side for those particularly.

Kevin Brown (41:45):

Yes.

Tammy Gedetsis (41:47):

Are there things that a company can do to help specifically protect themselves around ransomware? I think we mentioned a few things, but what should companies be doing specifically for that type of threat?

Kevin Brown (41:59):

Sure. Again, I think the easiest way to protect yourselves is those offline backups, really good offline backups that you know how to restore quite easily. It's not going to necessarily stop the attack, but it could very well help prevent a financial loss or additional loss beyond just the response. It really is the simple best way. Updating your software and making sure that everything in your system is up to date really can have a significant effect. The bad actors know what's out there that they can exploit, and they're going to attack that unless and until you update that software.

Eric Balish (42:43):

Small businesses may not know where to go for these resources. So again, you're looking to an IT professional company to give you guidance on your specific needs for what you have. So if your concern is, "Hey, I'm concerned that a ransomware attack may take down my system," go to those IT professionals that could lend you some advice and say, "Hey look, this is how we need to tailor our response based on what we determine is important to our company."

Tammy Gedetsis (43:11):

Okay, there's a question around clarifying who can use ic3.gov. Is that specifically for just banks? Is that for really for any companies? Who should be filling out those forms and responding on ic3?

Kevin Brown (43:29):

Anyone that's a victim, whether it be a company that was a victim and you have a specific member of the company, whether it be IT staff or an executive, they can fill out that form. It could be your legal representation if you have a statutory obligation because personally identifiable information was lost, whatever it may be. It could be you as an individual if it was an identity theft situation. It's really for anyone that has internet-enabled crime information, put that in the ic3.gov. There's no restriction on who can or cannot report.

Tammy Gedetsis (44:05):

Okay. Perfect. We had another question coming in saying, "It's often difficult to differentiate between a legitimate communication from something that's an actual threat. Is there any way to know for certain if it's legitimate or not?"

Eric Balish (44:22):

I think it goes back to just, in essence, everything we've said. If it doesn't appear like you're supposed to be getting something, again, got an Amazon one this morning, again, didn't have anything coming from Amazon, again, the wording was off, the font didn't look right, just a typical thing along those lines, just delete it. Just delete it, let it go. Don't click on any links. Specifically, don't start forwarding it around like, "Hey, can you tell me if this is legitimate?" Or forward it to your whole company and say, "Hey, I just got this, what do you think?" Again, that just increases the actor's ability to get into your network. But again, it's that sense of urgency, it's hey, you're getting something when you're not really supposed to or you're somehow locked out of your system. Those are the sorts of things you want to be on the lookout for.

Tammy Gedetsis (45:13):

I would say if you're not sure if you have an Amazon package, because I may get quite a few of them, if you're not sure, I don't do anything with that communication itself. I would log directly into the legitimate site. That goes for your bank. And also note, we should probably make sure the audience is aware not to Google search for things because those can be paid ads. They should be typing the known website that they know directly into the URL bar because those Google Ads could be paid false places to go. So that's what I do, is I go to the legitimate website. I don't do anything via text. If I get a communication and I'm not sure if I have a package coming, I just go right to the site that I'm using. Which is probably a good thing too to think about right now. We're coming up on the holiday season, so we're definitely going to see a lot of scams with those too good to be true. I think that's another thing or rule to keep in mind. If it's too good to be true, it's not legitimate, it's a scam. You're not going to get that video game system that you can't find in any of the stores by going to some link on social media that can take you there.

Kevin Brown (46:23):

Yeah. Unfortunately, there is no absolute certainty. There's no way to say, "Yes, we're 100% sure or not." You have to go through that process. You have to be suspicious, and you have to do your own verification. I like what you said about not trusting anything that's in that communication, whether it be from Microsoft or Amazon or whatever it is. Go into your account the way you normally do. Don't use that website, that link, that phone number. Use what you always use. It might take a few extra minutes, but it's certainly worth the time to get to a level of comfort.

Tammy Gedetsis (46:57):

Another question that we have coming in is around password managers, I know I've heard this question before too, would be curious. If you're using a password manager, how secure is that? Is that something you would still recommend? I'll save my thoughts, but thoughts on password managers and using those?

Kevin Brown (47:18):

I think they're great. The reality is the length of the password really matters more than anything else. It's hard to remember longer passwords, and those help you generate random, lengthy passwords, and you only have to remember one to get into the password manager. I think they're a good tool. No particular one for endorsement, but yeah, absolutely use them, they're a great resource.

Eric Balish (47:47):

Use trusted ones. Go online, see what people are saying about those particular items, and then use them. Use them all you can.

Tammy Gedetsis (47:57):

I think another thing too, and if anybody's been around security for any amount of time, there's no one silver bullet, it's all about layers of control. You want to do that for your passwords, but you also want to use things like multifactor authentication, which we haven't mentioned yet, right? It's about having those layers of control because there's no one single thing that's going to stop a fraudulent event from happening. It's really those layers of things that are going to help prevent it. It's just making it harder for them to get in.

Kevin Brown (48:25):

Good point.

Eric Balish (48:26):

Like Kevin said, it's a matter of staying on top of what's going on. The stuff we're talking about today may be 16 months, 12 months from now may be completely different. So it's again, staying on top of what the current trends are and basically utilizing the information that's out there to protect yourself and your company.

Tammy Gedetsis (48:43):

We had a question saying, "People may understand not to click on a link or open the attachment, but is there a danger if somebody previews an attachment to check the validity?" So they're not downloading it, they're previewing it? Is there a concern with that?

Eric Balish (49:01):

I would always be just cautious of clicking on anything prior to me understanding that that email is in essence legitimate. That's the first thing you want to do. If you're getting miscellaneous attachments from a variety of different locations, you may not know one's legitimate or not. Again, just as we've talked about, go through that process and just verify it. If you think that there's something wrong, your gut's usually right. Don't click on it, make that verification, make sure that that's accurate, and then work from there.

Kevin Brown (49:31):

I would say talk to your IT folks, your IT contacts, whether that be a contractor within your organization. How does your system work? When you do the preview, what's actually happening with that attachment when you do preview? Talk to them about the specifics of whatever products you're using.

Tammy Gedetsis (49:50):

Okay. I think that is it for questions. Any closing comments? Anything we missed? This was a great conversation.

Eric Balish (49:59):

I think the big thing and the big takeaway is just make sure that yourself, your organizations are just communicating what's going on in your specific environment. If you are the victim of an attack, if you have sustained some sort of loss, make sure you're doing the accurate reporting, talking to law enforcement. We can be a guide to provide some assistance to you and your organization. Talk to your clients, talk to your employees. All that communication will help us prevent these attacks from going forward.

Tammy Gedetsis (50:32):

Okay. Well, thank you all for coming and talking with me today about this important topic, and thank you all for joining us. Have a great day.

Kevin Brown (50:41):

Thanks, Tammy.

Eric Balish (50:42):

Thank you.


In this session, Tammy Gedetsis, KeyBank Senior Manager – Information Security, hosts expert panelists, Kevin Brown, FBI Acting Supervisory Special Agent – Cyber Criminal Squad; Eric Balish, U.S. Secret Service Assistant to the Special Agent in Charge – Financial Crimes; and Kristi Deason, KeyBank Senior Client Manager – Middle Market Payments, as they dissect a real-life case of business email compromise.

You'll learn:

  • Current fraud trends in a world changed by the pandemic and global conflicts
  • How to spot the red flags of business email compromise and protect yourself and your assets
  • Who the bad guys are
  • How to build solid protections and best practices to keep from becoming a victim


For more information visit key.com/cybersecurity.

The information and recommendations contained here have been compiled from sources believed to be reliable and represent the best current opinion on the subject. No warranty, express or implied by KeyBank, is made as to the absolute correctness or sufficiency of the information contained. This is meant as general information only; particular situations may require additional actions. This document is designed to provide general information only and is not comprehensive nor is it legal advice. If legal advice or other expert assistance is required, the services of a competent professional should be sought. KeyBank does not make any warranties regarding the results obtained from the use of this information.
