Actual (00:00)
Welcome back to Status Secure. Today’s briefing is about the new face of financial theft. 10 years ago, phishing was easy to spot: broken English, a Nigerian prince trying to share a fortune. But today phishing is a precise strategic delivery vector for B2B financial ruin. It doesn’t look like spam anymore. It looks like your client, your vendor, or your managing partner.
It is a surging epidemic that is getting completely out of hand because we have mistaken convenience for security. But what happens when the convenient email you trust is actually a customized digital weapon aimed directly at your client’s capital? What do you think, CISO?
The CISO (00:37)
So, you know, I guess we should kind of explain, because this isn’t new, right? People have been doing phishing email scams for as long as, you know, emails have been around. So it’s not new. I mean, what’s new is probably that it’s, you know, it’s what they call high fidelity phishing, right? And so in modern B2B where, you know,
it’s just the beginning. It’s trying to actually get to be man in the middle. So, you know, there’s a lot of, I mean, they always come up with terminology for stuff and, you know, like, and so one of the things they call it now is business email compromise. But it’s basically, you know, trying to simulate emails, doing that.
you know, supply chain phishing, trying to not just get your, like, the folks in your organization, but folks in your vendor, your supply chain organization, right? And so they’re trying to get those vendors so that way they can become man in the middle and then, you know, compromise and intercept invoices, right? So, you know,
We always talk about this, this never changes, right? People are kind of like your first line of defense. You have some control over the people in your organization. You can train them, you can put signs up, you can, you know, on their, like on their screensavers, you can put messages to remind them, right? To make it always forefront in their thoughts. But you can’t control your vendors, you know, their staff and what they’re doing to educate or…
you know, or protect their staff from these types of sophisticated phishing scams, right? And so once you have an incompetent user that clicks a bad link, and they’re not from your company, they’re not your organization, they’re a vendor’s company, right? You know, now they have information that they might be able to use and they deploy tools, right? So…
MFA bypass kits that make the file email indistinguishable from a real one. So now you’re getting emails from your vendors that look like they’re real, an invoice from your vendor that says, you need to pay. This is our new routing number. Send a couple of hundred thousand dollars here. So that’s where they’ve headed now, because they know that that’s actually,
If they send $1,001 and the invoice is a couple hundred thousand dollars or even $50,000, they’ve just made money and it’s not that expensive for them.
Actual (03:20)
Yeah, you know, what this reminds me of is when I was doing some of my training in the military, and I would imagine, and I’ve sat in this boat of, I think of hackers, you know, maybe people who aren’t in the industry per se, right? They might think of hackers as, this crazy world out there on cyberspace, and they do all these fancy things that can like hack into these things, and they don’t really understand what they’re talking about, but
maybe we assume it’s a lot more complicated than it needs to be. And one of the things we trained on was, yeah, there are those complicated ways to maybe get into things that you’re trying to get into. However, if you can just, what they would talk about is you can get your hands on a computer and get your hands on their stuff. Then you win. Right. And so yes, while maybe the nefarious actors,
have these super cool hacking techniques that they’re trying over here. But on this hand, they’re also trying a lot more simple things, what we call social engineering. And this kind of world that we’re talking about today reminds me a lot of that, which is I show up to your house wearing a UPS outfit. You think I’m the UPS guy. You give me your package or I give you a package. I’m totally trusted. You open your door. I can look in your house.
Maybe I come in, you invite me in, I ask for a drink of water, whatever, lemonade. I come in the house, I get to scope your security in your residential home. I can see when you’re home, who answers the door, who’s there during the day, who’s not there during the day, and find the vulnerabilities. And then, you know, now I have access and later I can come in because now I know. And you didn’t know, you were none the wiser, right? That is a lot easier of a way to get in than like,
trying to sneak in, not knowing the information, sneak in at night when all the security systems are up and running in everyone’s home. And that’s a lot more of a complicated scenario than just walking in the front door because I got invited in because I’m wearing an outfit that says I’m legit. And that’s what this is. And so this is also the best way for them to win. Right? Because if you click my link and my link leads to a payment gateway,
and you put in your information and pay it. I didn’t have to hack anything. I didn’t have to do anything. You voluntarily showed up to my doorstep and gave me your money. So that’s a very easy win for me. Right? And this is going back to the Stryker cyber attack we discussed on episode eight last week. Well, again, I was at that conference, and when I was talking to one of the representatives from Stryker, they were talking about almost like, it was almost like a
what I would imagine like a brute force attack, like via email phishing. It was like one after another, after another, after another, after another. And they were so like annoyed with it. It was like, my gosh, they just keep coming and keep coming. And I would imagine if you’re the company doing that, you just, you just spam these phishing emails because even though, you know, a thousand of them people are smart against and they can, they can spot it and say, no, there might be that one that slips through the cracks and, and they win just by
so much volume, is kind of what it sounded like to me. So on that note, I guess, when we hear about what you talked about, someone actually inserting themselves as a middleman, right, in between a live transaction, or somehow they know the information that there’s about to be an email from a vendor to, you know, someone in that supply chain saying, it’s ready for me to get payment. And
then they do that. I guess the question is how, how is that happening? Or I would look at it go, how do they know that there may be a payment already waiting? Right, like how, because I can understand how they can get the contact information and send the email and all that. But how do they know that there’s already a payment happening that they can jump in on?
The CISO (06:56)
Well, yeah, let’s talk about Stryker as an example. So I mean, it’s been tied to an organization that is upset about what’s happening in Iran. But let’s say it wasn’t that. Let’s just say it was some other malicious actor who didn’t want to cause chaos, but wanted
financials, wanted money. They compromised the admin credentials. Instead of doing anything, they could just sit there, put some tools on the network and sit there and watch for session tokens. ’Cause now they can just sit there and monitor, right? They’re doing surveillance. They’re finding out, okay, who’s in finance? Who sends out invoices?
And then what they’ll do is they’ll put the tools in and they’ll wait for them to, you know, actually be discussing an upcoming invoice. And then when they actually send the invoice, they’ll intercept it. They’ll intercept it and they’ll just modify the invoice details a little bit, maybe add a paragraph that says, Hey, we apologize for the inconvenience, but we’ve had to, you know, we’ve needed to change our routing and our banking
account for, you know, due to some malicious activity. How ironic. And so now the unsuspecting, you know, customer, right, has gotten emails from this person before, knows that they’re the person who sends invoices, was expecting the invoice. Right. And of course, why would they not follow the instructions from their vendor? Right.
So that’s where it gets very sophisticated and it’s hard because they’re already in your network, they’re already using tools that you may not be looking for because they’re using very advanced tools that sometimes, it’s hard for security teams.
And we all know this, it’s hard for security teams to keep up with everything, like the threat landscape is always changing. And if you have to go and ask for budget, I don’t know, for those of you out there who’ve ever had to go and ask for security budget, you know how hard that is. So until something happens, it’s hard to get budget to put in a new tool to monitor for this new threat, right? So, you know, so it’s a…
It’s a challenge. You don’t want it to happen, but then you can’t afford all the latest security tools. So it’s a real thing. It happens.
Yeah.
Actual (09:29)
Yeah, and I guess on that, you know, let’s talk about the liability of when it happens. So let’s say a client’s funds are stolen because someone in finance, whoever accepted the wire transfer request from an intercepted invoice thread without whatever, whatever the verification process would be, maybe it doesn’t, they just did it, they hit the button, they hit send. So what,
I guess, what does that look like? Is this a technology failure? Is it a fiduciary sort of issue? Like, is it gross negligence? I don’t know. What does it look like in your experience, from what you’ve seen? What happens from a liability standpoint?
The CISO (10:05)
So we talked about this before, which is reasonable care, right? Because that’s what regulators, they’re going to take a look at. First, you have a couple of issues. First, your client, your customer is going to want their money back. That’s the first thing. They’re like, hey, this email came from your organization. It was fraud. We want our money back. So you’re going to have to deal with that. Hopefully, your cyber liability insurance will cover it.
So make sure, make sure you know what your cyber liability insurance covers. But that’s the first, that’s the first thing you’re going to have to deal with. The next thing is, of course, you know, the courts and regulators. And so they’re going to come, they’re going to find, they’re going to, what they’re going to do is they’re going to investigate. Did you do reasonable care? Hey, sending an email with routing information, like did you,
you know, did you put in safeguards with your clients, right? Asking them to, like, you know, if they get any changes in their, in, you know, in your financial accounting, to, you know, pick up a phone and verify that change. Like, those are the kinds of things that they’re going to ask for. You know, sometimes speed, some organizations will be like, well, that’s an, that’s an additional step. That takes time, right?
You know, and you’re relying on, like, you know, a step that maybe your client doesn’t want. Like, they’re like, what do you mean? I got an invoice from you, now I have to call you to make sure that that invoice is valid? What’s going on? Okay, so, you know, sometimes they don’t want to do that, but you’re, you’re compromising security for speed. Okay. And unfortunately, in the courts,
They don’t care about speed. They care about, you didn’t do everything you could to protect your clients from fraud and yourself.
Actual (11:54)
Yeah. And so on that note, let’s discuss what our marching orders would be for those listening this week. Obviously we can’t just stop using email, though there are ways, for some companies, for certain ways people provide services, that they can, you know, capture money in a different way. However, a lot of people are still relying on email. We also can’t tolerate total vulnerability in terms of the phishing attacks and just kind of
not paying attention, right? So what are some good action items, some steps that, you know, somebody could implement after listening to this week with their team, to be better about this, to prevent something like this from happening to them?
The CISO (12:33)
Good question. I would say right away, we talked about it a little bit, you know, enforce out of band voice verification for every single wiring instruction. I know it’s, you know, a lot of financial people would be like, yeah, but that’s a lot of work. Are you talking every single, like what about for small amounts? Well, you want to do that anyway, because if they start getting small amounts, they can add up.
So, and plus you want to train your clients and yourself, like this is the process, right? This is the process. The sooner you do it, the more you do it, the more that just becomes standard procedure, right? You need some way to verify payments before actually sending the wire transfer. That’s number one. Number two, look at your authentication infrastructure.
Okay. So email security shouldn’t belong in IT. It needs to belong in security. Okay. Because a lot of organizations email, they consider email, you know, that’s part of technology, the technology stack. So it’s usually in infrastructure, in an infrastructure team and not a security team. Make sure you’re putting in like, you know, like advanced threat protection. You know, a lot of security folks are used to DLP.
Email DLP, Data Loss Protection. That’s a good way because if somebody’s sending, maybe you say that account information is not going to be allowed to be sent through email. So your DLP will pick it up, send it over to security for review, and then security will be like, yeah, that’s a routing instructions that’s not allowed. And they’ll just kill that email before it even gets out.
And also, you know, enforce strict MFA, you know, to monitor for account takeovers. So you just have to, these are pretty like pretty common known security measures. Make sure you actually implement them, though.
Actual (14:26)
Got it. So the perimeter is no longer just your network, right? It is the embedded software and internal controls that manage your client’s capital. When your transaction is networked, your responsibility is also networked. So our mission success today is about asset integrity. So let’s go ahead and execute to that standard. And that’s it for today’s episode. So we’ll catch you guys next week.