When Procedures Aren’t Followed

Our latest round of Cyber Roundups is out, and it contains one of my favorite BEC (Business E-mail Compromise) stories to date. BEC, a form of spear phishing, often impersonates a high-ranking official in an organization to perpetrate wire transfer fraud. The story, which broke in November 2016, disclosed an incident that occurred in May.

The East Baton Rouge Parish school system fell victim to a wire transfer scheme which cost them $10,000 after recouping partial funds from the bank and receiving a cyber insurance payout. The school system then spent an additional $10,000 on a post-incident audit, according to the article.

The power of social engineering is evident in this scam. The school system had procedures in place to handle (rare) wire transfers, which required two parties to sign and document the authorization. The employee did neither, possibly because the e-mails, impersonating the superintendent, indicated that he was “busy” and should not be bothered.


At Cyber Safe Workforce, we teach that when money or other valuables are set to be exchanged via e-mail request, you must verify the transaction with the requester PRIOR to taking any action. It is ironic and clever, then, for the scammer to indicate that they are too busy and that the employee should proceed anyway. However, independent verification (a phone call or in-person conversation) could have prevented this incident.

Increased cyber awareness would have identified warning signs in the scenario. Being asked to proceed, even when procedures cannot be followed, is a red flag. Either it’s impersonation OR potentially a crooked individual.

Cyber security is about managing risk, not about preventing all bad things from happening. Procedures are in place to mitigate risks, and audits identify these risks. Hopefully, the issues are discovered internally before a scammer exploits them.

Read more compelling stories about disruptions, breaches, disclosures, and financial loss in our latest Cyber Roundups.
