Recently, we’re hearing about more systems integrators being impacted by phishing and social engineering attacks: Non-technical strategies that rely on human interaction and error to break standard security practices so hackers can gain access to your confidential information.
Just last week, a member reached out to NSCA about an attack that involved a compromised customer email account (and a six-figure breach as a result). An email conversation between this member’s accounts receivable department and a large customer was intercepted. An email was created to look like it was coming from the systems integration firm, and was sent to the customer – informing them about a change in payment policy (from checks to wire transfers). The customer was sent wiring instructions, and unknowingly wired money to an attacker’s account. The FBI is now involved.
Unfortunately, these types of stories are no longer uncommon.
Business Email Compromise
Business email compromise is hitting the systems integration industry hard and fast. An attacker contacts your customer(s), looks and acts like you, and requests a change of payment (e.g. for an invoice) to a new bank or account. Your customer unknowingly deposits funds to the attacker’s bank account rather than your company.
The real estate industry has battled these attacks for years – some of which are halted, given the relatively short time window of expectation around the transaction. Systems integrators are also a high-value target with an even larger window of opportunity for scammers to strike. Why? Because the time between initial contact with a customer regarding an invoice and the invoice being paid can be between 30 and 60 days.
An example happened recently at MacEwan University. The school was scammed out of more than $11 million over weeks when its finance team received an email from an attacker impersonating the university’s construction contractor (someone they regularly communicated with). The university thought it was paying invoices to the contractor’s new bank account, but the payments were actually being wired to the attacker’s account. They only realized the mistake when the contractor inquired about payments.
Cybercriminals use several tactics to initiate these attacks:
Scenario 1: Employee email account is compromised.
- Step 1: Perhaps your finance manager uses a weak email password, for example; an attacker guesses it and logs into the email account. This is a legitimate possibility; many employees don’t use strong passwords (the most popular password is “123456”). After gaining entry, the attacker remotely monitors email to understand relationships between your company and its customers.
- Step 2: The attacker sends an email to your customer using your employee’s account. They request that payment be made to a different bank account. They will likely change the reply address to one of their own, working diligently to clean out sent messages so they aren’t detected.
Scenario 2: Email is spoofed by a cybercriminal.
- Step 1: A cybercriminal researches your organization to come up with a target and strategy. A recent blog post about the installation you did at a customer’s new location provides plenty of information for them to put together a plan. Using details found on LinkedIn, it’s simple for attackers to conduct discovery on key employees at both organizations. They may even send an email to your finance manager in hopes of a reply so they can see (and copy) the email signature.
- Step 2: The attacker creates a “spoofed” email that looks very close to your finance manager’s, but with a couple of small changes to the domain. (The “o” is now a “0,” for example, or the “l” is now a “!”). They copy your employee’s signature and begin to send emails to victims, acting like your organization but using their own email address.
Scenario 3: Your customer is compromised.
- Here, it’s a reversed approach that doesn’t stem from you. An email compromise doesn’t necessarily have to occur on your side. Perhaps your customer’s email was breached, and the attacker monitors communication with your finance team from the other side. Or they spoof your organization’s email and start their attack.
If your company is caught in a scam like this, you may be tempted to blame the customer. Why didn’t their team verify the requested change before sending attackers the money? This is a valid point, but if there was a compromised email on your side, your customer may argue that your lack of security was the cause. Additionally, if you haven’t set the expectation with customers about how you will securely communicate financial or billing information, they may not realize that something fishy is going on.
6 Ways to Improve Cybersecurity Now
Preventing these scams requires a proactive cybersecurity approach. Here are some simple tips:
- Use Strong Passwords: Educate your employees on password strength and enforce a tough password policy. Develop a way to make passwords strong on every application (email, project management systems, financial applications, etc.). Don’t allow employees to “recycle” passwords or use one password – no matter how complex – for multiple systems. If there is a compromise on one, then attackers have the key to all systems. It’s not easy to remember multiple complex passwords, so many organizations are moving to company-managed password vaults to securely store them.
- Turn 2FA On: Requiring only a password to access email and applications is not enough. Before a user can be “authenticated” or logged in, two-factor authentication (2FA) requires a second step after entering a password. Ways to accomplish this include entering a code from the system sent by text message or generated in an authenticator app, using a biometric method, or entering a code from a token. Even if you know the password, you still need to prove who you are with something you have on your person. Since many integrators are moving to cloud applications for business systems, turning on 2FA adds a second layer of security.
- Announce It: Many title companies and other real estate industry organizations are placing notices on emails explaining that they’ll never request customer payment changes via email. Consider having your finance team place a similar message on invoices and email footers. Ensure that this is outlined in your policies – and that your team follows them.
- Use Secure Email and Portals: Email is getting out of control. If an attacker can spoof your company email and impersonate you without needing to get into your account, you could be in a tough spot. So change the process! Consider communicating finance discussions with your customers only via secure email. Inexpensive tools can encrypt emails from you to the recipient. They don’t arrive like normal email messages – they first identify to the user that the data inside may be sensitive. If used regularly, a customer who receives an attempted spoofed message may question why they’re receiving a sensitive email without the secure email tool. Many organizations also use secure customer portals, cutting email out of the chain. All messaging and communication occur through the secure portal. When new messages are placed in the portal, the recipient receives an email notification informing them to login to view them.
- Communicate Clearly and Often: Customer communication keeps scams at bay. Bring your finance department to customer project kickoff meetings. With the customer’s finance team on the other line, you can explain why you take security seriously and outline how you conduct business on the finance side. Detail how you will communicate (and then stick to it) to improve security on both sides. Perform regular verbal check-ins with your customer’s finance department.
- Get Cyber Insurance: In the end, if an incident occurs, you don’t want to be left holding the financial stick. Cyber insurance protects against business email compromise and other types of cyberattacks. But don’t use this as your only means of protection. (You have car insurance, but still maintain your vehicle and drive safely to protect yourself and others, right?) The same can be said for cybersecurity – conduct your business safely and have insurance in case something happens.
These are just few things you can do now to quickly start improving your defenses. Cybersecurity needs to be a mindset throughout your organization; multiple layers are required to be truly successful.
Consider contacting a cybersecurity company to conduct a full assessment of your company’s cybersecurity posture. This can assist in developing a comprehensive and ongoing program to get your business in order and keep you going in the right direction. As an NSCA Business Accelerator, Defendify helps NSCA members understand cybersecurity and its role in their businesses, as well as deploy affordable, layered cybersecurity and establish guidelines to set employee/organizational expectations.
Want to learn more about cybersecurity? Login to www.nsca.org and visit the Essentials Online Library. There, you’ll find more resources, tips, and advice on how to improve your organization’s cybersecurity posture so you can protect your most important asset: your data. –Rob Simopoulos, Defendify Cofounder/Partner and Chuck Wilson, NSCA Executive Director