Fri, Oct 30, 2020
In a recent webcast, organized in collaboration with the Irish Business Employers Confederation (IBEC), Kroll’s Cyber Risk and Business Intelligence and Investigations experts advised businesses on the best ways to protect themselves from the continued increase in cyber and fraud attacks during and post COVID-19.
This 60-minute webcast covers:
In the first half of the webcast, Kroll’s leaders in the Cyber Risk practice Jason Smolanoff, Senior Managing Director and Global Head, and Andrew Beckett, Managing Director and EMEA Leader, discussed the increase in cyberattacks and crucial steps organizations must take to protect their information from a cyber breach during COVID-19.
In the second half of the session, Business Intelligence and Investigations experts Zoë Newman, Managing Director and Global Co-Head of Financial Investigations, and Kevin Hart, Associate Managing Director, discussed corporate fraud and supply chain risks and how COVID-19 is helping bad actors to capitalize on the pandemic.
How Has Cyber Risk Been Affected Throughout COVID-19?
“It's fair to say that during the COVID-19 lockdown, we've seen a number of distinct changes. Obviously, there's no business as usual, everything's changed, and the attacker community has certainly sought to exploit the fact that people are at home. They're not in the office, they're not sitting alongside colleagues with ready access to somebody they can just turn to and say, ‘Does this look all right to you? Does this look normal? Should I be doing this?’ So companies are actually suffering from not having invested in greater cyber awareness training for their staff. Those organizations who have taught their staff to recognize phishing emails are certainly better placed than a lot of others.
Not only have the attackers increased the number of attacks, we're also seeing a greater variety of them. That said, there are the usual suspects: business email compromise, where an attacker seeks to insert themselves into correspondence around payment of an invoice and redirect those funds. We've also seen a massive spike in ransomware as well, and indeed the way that ransomware is delivered and what it's doing once it's on the network has changed.” – Andrew Beckett
A Business Email Compromise Attack
“Business email compromise means that an attacker has gotten into the email correspondence between parties. Usually they've done that by targeting somebody with likely access, so your payments team, your finance team/director, maybe even EAs. They somehow gain access to the email, and quite often we're seeing that either as a webpage that you're encouraged to click on and then submit credentials, or a popup that comes up and says, ‘You need to re-authenticate Office 365.’ They're capturing your user ID and your password, and they're using that to get into emails. They're then looking at your email over a period of time, sometimes days, sometimes weeks, and in a number of cases we've looked at months. Understanding how the victim, how the person they've targeted communicates, the language they use, the way they speak to colleagues, how they address them, so that they can craft their email when they make their interjection in the right language, using the right phraseology, talking about the correct transaction that they're trying to get the money re-routed.” – Andrew Beckett
“We just had a university in the U.S. who was the victim of a business email compromise attack. They got an email that looked and felt like it was coming from the CFO. They asked to have $300,000 wired to a bank in Asia. As a result of that, the controller and the person who processes payments, both after being interviewed felt like something was wrong, because the CFO never makes requests like this. The one thing that they didn't do was pick up the phone and say, ‘Hey John, do you really want to send USD 300,000 from a relatively small university to a bank in Asia?’ They didn't do that, and the money was lost.” – Jason Smolanoff
How to Respond to a Ransomware Attack
“A ransomware attack is where your data is encrypted, your machine stops working and you get a pop-up message on the screen asking for a ransom to be paid to unlock it. You can't access your data, you can't log on, you can't see what orders you've received, who's paid you. That ransom message on your screen is not the start of the ransomware attack. In most cases, the attackers will have been targeting you for days, sometimes weeks beforehand, and there are tell-tale signs that you can look out for. As with any cybercrime, there are simple steps that you can take in order to protect yourself. Start with backups of everything and back up regularly. Modern technology means that we can back up our systems live and have a real-time backup. But those online backups that are on the same domain are going to be just as vulnerable to the ransomware, to encryption, as your live network, so you've got to look at how you separate your backup network from your live network. Think about offline protection, adding tape in, so that it is physically disconnected from your domain, so that if it's compromised you've potentially got a clean backup. Keep a series of backups and include endpoint monitoring to track and monitor precursors to an attack.” – Andrew Beckett
Understanding Internal and External Types of Fraud
“When talking about fraud, there are two main streams. There's external fraud, and there's internal fraud. External is simply fraud committed against your organization from the outside. It could be any number of attack vectors. Internal fraud happens when there's an internal player such as an employee or a third party, somebody in your supply chain for example, that has access to information that the public wouldn't have.” – Kevin Hart
“It's very important to distinguish the two, particularly for corporates, because how a corporate can defend itself against them is very different in each circumstance. We're constantly asked the question, ‘Is fraud on the rise as a result of the COVID-19 situation?’ Well the answer is, it will be in some areas, not in others. It's more about how criminal enterprises will take advantage of the new environment that corporates are operating under from the external threat to corporates.” – Zoë Newman
“Nowadays criminals that are looking to defraud companies are criminal enterprises in themselves and they act very swiftly and nimbly to adapt to the environment their victims are facing and how they can best penetrate those environments. From an internal threat perspective, there's an issue that individuals are becoming more detached from corporate and head office. Compliance and internal audit don't just hear things, they're not around to drop a question across the corridor. Corporates tend to be very good at compliance policy, to roll out the dreaded annual fraud awareness or corporate corruption awareness training that people roll their eyes at and try and get through as quickly as possible.” – Zoë Newman
“The COVID-19 pandemic has changed the way we work, there's no doubt about that. The usual way that we look at a high-pressure situation is to look at pressure, opportunity and rationalization. Those are very well-known factors: if there has been a fraud, and when you dissect and try and understand why it happened, if you look at those three areas, you usually find the answer. The Association of Certified Fraud Examiners (ACFE) put together the global data on fraud. A typical fraud case will take 14 months before it's detected, causing on average about EUR 10,000 per month while it's being perpetrated. While we're in this COVID-19 situation, six to seven months into it, there's still some time before we start seeing it come out.” – Kevin Hart
“What corporates and investors need to be aware of, private equity in particular, is not so much the risk of fraudsters sitting in organizations waiting to commit fraud because in practice this is limited, but instead the innocent professional that may end up crossing the line. To counter this there needs to be a strong tone from the top, and real second and third line of defense crosscheck against the figures within an organization to see what's being reported.” – Zoë Newman