CEO Fraud Archives - L2 Cyber Security Solutions

#WeekendWisdom 066 Money Mules

Liam — Fri, 19 Feb 2021 02:15:59 +0000

Welcome to #WeekendWisdom number 66. This week were going to talk about Money Mules.

https://www.l2cybersecurity.com/wp-content/uploads/2021/02/WeekendWisdom-066-lo.mp4

Where is this coming from?

Have you ever wondered how the criminals who scam businesses out of lots of money through the use of fake invoices, invoice redirect fraud, CEO fraud, how do they move that money around? They use money mules.

Who are these Money Mules?

Money mules are people who have been recruited by the criminals. They’re generally just ordinary people who are maybe a bit hard up and need a bit of extra cash. They are recruited by the criminals to just make use of their bank accounts.

How does this work?

So the criminals will transfer funds in from the businesses that they steal from. They put it into the money mules account and they’ll be given instructions about where to send that money onto. The money mules would be paid a commission for doing so.

Where do they find them?

They usually recruit people like students or the unemployed. As I say, it’s people who are in need of money. They use slick ads, I’ve seen some of them on Facebook, that say

This Limerick mother of two earns €3,500 a week!

or

This Dublin man earns €3,400 a week!

Slick ads, easy money. It’s always just too good to be true.

Is there anything wrong with that?

It is also a crime.

So if you yourself or if you know somebody who is acting as a money mule, please stop doing so now or get them to stop doing so now. Report the matter to An Garda Síochána or your local law enforcement.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 066 Money Mules appeared first on L2 Cyber Security Solutions.

#WeekendWisdom 039 Bank of Ireland Cyber Fraud

Liam — Thu, 30 Jul 2020 23:05:17 +0000

Welcome to #WeekendWisdom number 39. This week we’re going to talk about Bank of Ireland Cyber Fraud.

https://www.l2cybersecurity.com/wp-content/uploads/2020/07/WeekendWisdom-039-lo.mp4

Earlier this week, the Bank of Ireland was fined over €1.6 million for failures in relation to a Cyber Fraud case from back in 2014.

How did Bank of Ireland suffer Cyber Fraud?

What happened back then was a client of their Private Banking arm had their email account compromised by some cyber criminals. They sent an email to the Bank of Ireland staff requesting them to make payments of some €106,000 and the bank staff followed through on those instructions and made the payments.

The client subsequently realised the fraudulent transactions on their account. They notified the bank which immediately refunded the amounts to the client.

Why did they get fined?

However they did not report the matter to An Garda Shíochána in good time and they also did not highlight the incident correctly to the Central Bank of Ireland, the Irish regulator. So for those reasons they were given this significant fine.

If a bank can fall for this, how can I stop that happening in my business?

As I mentioned back in #WeekendWisdom number 31, this is very, very much like a CEO fraud or business email compromise. So the advice then still stands. Never carry out payment instructions based on an email alone.

Always seek verification of a payment instruction by way of maybe a telephone call. Only use a number that you have on file for that authorised person. Just never act on an email because compromising email accounts is incredibly easy.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*. This training can show your staff how this type of fraud is committed so they can be recognise it if the cyber criminals try it on them.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 039 Bank of Ireland Cyber Fraud appeared first on L2 Cyber Security Solutions.

#WeekendWisdom 031 CEO Fraud

Liam — Fri, 05 Jun 2020 08:38:57 +0000

Welcome to #WeekendWisdom number 31. This week we’re going to talk about CEO fraud.

https://www.l2cybersecurity.com/wp-content/uploads/2020/06/WeekendWisdom-031-lo.mp4

What is CEO Fraud?

It is a type of scam that is perpetrated by organised criminal gangs where they will send an email, apparently coming from the CEO of that organisation. It will be sent to the CFO, financial director or accountant. They request that some invoice or an outstanding amount is paid urgently and by electronic funds transfer (EFT) to a new account. Details of this new account are then provided for the money to be transferred into.

It will also be implied in the email that the CEO is unavailable to take a telephone call to verify the instruction. They might be in a meeting or getting on board flight. So if the CFO, finance director or accountant makes that payment, that money is gone and it would be irrecoverable usually.

How big a deal is it?

It is a huge deal! In fact CEO fraud, or as they call it in the US, Business Email Compromise (BEC), it was actually the number one type of cybercrime by value in 2019. Some $1.7 billion dollars were lost to CEO fraud. Nearly 24,000 victims of that crime in 2019 in the US. So it’s quite significant.

How can you protect against it?

The simple way to protect against this is that no matter what the situation any email correspondence to instigate a payment must be verified by a follow-up telephone call. It has to be carried out. There must be another verification step there in order to validate the instruction.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

The post #WeekendWisdom 031 CEO Fraud appeared first on L2 Cyber Security Solutions.

Could the attempted theft of €4.3m from Meath County Council happen to your business?

Liam — Thu, 22 Dec 2016 09:23:23 +0000

As was widely reported at the weekend, Meath County Council were the victim of an attempted theft of some €4.3 million. A lot of the reportage was pointing to hackers and this being a cyber attack, but based on what is known, in my opinion, it’s not really.

This attempted theft was facilitated by the use of technology, but not necessarily the abuse of it. They’re no longer commenting about it now while the matter is investigated, so we’ll need to await the outcome of that before we know for sure.

However this sort of theft is incredibly common and is known variously as CEO fraud or Business Email Compromise (BEC). Basically what the bad guys do, is send an e-mail or even a text message that appears to come from the CEO, the MD, the Head Honcho, the Big Boss. This e-mail/text is sent to somebody in the finance department and it instructs them to urgently transfer or wire funds to some account that is outside of the EU area. If the transfer was within the EU area, it can be recalled under SEPA regulations, but outside of the area the money can be a taken and never seen again.

If, in your business, you have a finance function (however big or small) that has a single person who is able to initiate a transfer of funds in any amount, on their own, then you could easily fall victim to this type of fraud. The thieves will have done research on your organisation and will know who is involved in the various departments and how you operate. This enables them to make their e-mail/text much more believable.

The FBI in the US have reported that this fraud has occurred in 80 countries. From October 2013 to February 2016, there have been over 17,600 victims with total losses amounting to over $2.3 billion – that’s an average of just over $130,000 from each victim. This whole area is increasing rapidly and this will happen more and more.

So what can you do to prevent it happening to you?

Well quite simply, have the banking set-up, such that at least two signatories are required for every transaction, no matter the size. Then follow this up with a strict policy on how money transfers can be requested – particularly where the target account is new. If you are simply transferring to a known, established account (belonging to a vendor you deal with for example), then this should be OK (as long as there is a supporting invoice of course). However, if an e-mail requests the transfer of funds to an unknown account, then certain due diligence should kick in. For example, the CEO/MD/Whatever should be contacted by phone and additional verification sought. If the CEO cannot be contacted, then there should be no further action taken until they are reached. Very importantly, the CEO needs to acknowledge this policy and never subvert it, no matter what.

As mentioned earlier, the thieves will have done their homework on the company. The true story I tell during the Internet Security Awareness and Safety Training is about the finance director of a company receiving an e-mail from his boss asking him to urgently transfer funds to a client account in order to secure a new contract. As it’s for a new contract, it’s to go to a new account. Also the amount of the funds is just within the Finance Directors approval range for a solo authorisation. The CEO concludes the e-mail saying that he is just getting onto a long haul flight, so he will now be incommunicado for several hours.

The CEO was indeed travelling long haul that day, which the Finance Director knew, so it all looked fine, so he sets up the transfer on the system and is about to process it when a niggle hits him. There was just something that wasn’t quite right, so he chanced calling the CEO, who answered from the departure lounge at the airport. Of course there had been no e-mail sent by the CEO – it was all a hoax. But if the Finance Director didn’t have that niggle to call, the money was gone, never to be seen again.

So put a strong policy in place and make sure your staff are instructed in it and are never criticised for adhering to the policy. This last part if critical, because if they do get criticised, then the policy won’t get enforced and the risk of theft will become greater.

The post Could the attempted theft of €4.3m from Meath County Council happen to your business? appeared first on L2 Cyber Security Solutions.

Internet Security Awareness and Safety Training

Liam — Sat, 02 Apr 2016 08:00:53 +0000

Justification:

Did you know that malicious software gets past commercial, enterprise grade anti-virus and e-mail filtering products on a worryingly regular basis?

Firewalls and Anti-virus packages lure people into a false sense of security. While they do provide protection up to a point, if somebody opens an e-mail attachment that contains new malicious software, these protections are effectively useless.

Cyber incidents, most notably Ransomware attacks have seen massive increases recently. 93% of contaminated e-mails in Quarter 1 2016 have carried a Ransomware payload (source – PhishMe Q1 2016 Malware review). 30% of people that receive evil e-mails open them and 12% of those that do, then open attachments or click on links (source – Verizon 2016 Data Breach Investigations Report).

These statistics highlight the fact that a significant weak link in any organisation, where it comes to using the internet and e-mail, are THE STAFF, but it’s not their fault as they may not have the necessary awareness of the risks.

The best protection to cover this gap are staff that are aware of what the threats are and how they manifest themselves. Once they are armed with the knowledge of what to look out for and how to protect themselves, they will be much less likely to cause a security breach.

The training which L2 Cyber Security Solutions provide is probably the most comprehensive on offer in the country. Other providers only focus on protecting e-mail usage, whereas we make the learner aware of other threats such as Malvertising, Social Engineering and WiFi Eavesdropping. We also have a well-received section on how to create unique and strong passwords, as well as covering mobile device best practices all in one course.

Programme Aims:

The purpose of this programme is to equip the learner with the knowledge and skill to identify threats on the internet, thus raising their awareness and to take steps to protect themselves from these threats.

Programme Objectives:

Learn what threats there are.
Spot Social Engineering in action.
Identify malicious e-mail.
Acquire safe web browsing practices.
Learn good computer & mobile device practices.
Create strong and unique passwords.
Learn the 10 Commandments of good Cyber Security.

Programme Delivery:

An interactive workshop, with individual and group participation in discussing Cyber Security.

Audience:

People who have access to and utilise the internet and e-mail, whether for business or personal purposes, as part of their day-to-day activities.

Prerequisites:

A basic understanding of Internet browsing and e-mail usage is a prerequisite.

Materials Provided:

A copy of the Security Awareness Training slide deck.
A copy of the exercise on good/bad e-mail.
Handouts with details on:
- Password tips
- Two Factor Authentication tips
- The Ten Commandments of Cyber Security
An evaluation sheet.
A follow up e-mail with a softcopy of the “Ten Commandments of Cyber Security”, which has clickable links to the relevant detail for each commandment on the L2 Cyber Security Solutions Blog.

Contact us for more information:

Tel: 087-436-2675

E-mail: info@L2CyberSecurity.com

The post Internet Security Awareness and Safety Training appeared first on L2 Cyber Security Solutions.