Phishing works because management didn't
Why are business email compromise attacks so effective?
Because people are helpful.
Because people are trusting.
Because people are obedient.
Phishing and Business Email Compromise (BEC) attacks are acts of social engineering. They are attacks on humans, and they prey upon human emotions. The most effective phishing emails exploit the target's obedience, fear, kindness, or curiosity. The most effective BEC emails target the employee's sense of obedience.
Employees want to be good workers. They want to excel at their jobs and win the praise of their supervisors. Imagine you are an accounts payable clerk or a junior accountant and the CEO walks into your office and says "Jump." Are you going to ask how high, or are you going to ask why?
One of the biggest fears most employees have is failing at their jobs, or at least looking like they are failing. No one wants to question the boss and risk appearing incompetent or distrustful. Even when employees think the email directing a high-dollar wire transfer is suspicious, the urge to carry out the task with diligence and obedience often overcomes the suspicion.
This week, the Milford Daily News detailed a Business Email Compromise attack executed against the city of Franklin, Tennessee. The city's treasurer executed a wire transfer that resulted in a $522,000 loss to the municipality. The city manager described it as a "sophisticated cyber fraud". It was not. It was a standard spear-phishing attack taking advantage of an organization with untrained employees and insufficient security controls.
The attacker pretended to be the CFO of the construction company building the city's new water treatment plant. The original email requested that payment for the project be directed to a new financial account. Being the helpful, trusting, and obedient employee that she was, the treasurer quickly wired the payment to the updated account. The error wasn't discovered until about a month later, when the real company executives called to find out why they hadn't been paid.
The city manager detailed the attack during a public meeting. He confirmed that the employee did not verify the authenticity of the request and executed the transfer without any oversight. The manager also admitted, "the town had insufficient and undocumented procedures regarding verification of change of payment requests". In other words, they had no security controls and had not trained their employees to recognize email threats.
How is this still happening? Franklin, Tennessee is not a small podunk town. It has a population of 83,000 people, and the 2020 budget was over 160 MILLION dollars! But don't fret, city taxpayers: the manager promises they are developing a "new money transfer policy".
Of course, the director of IT quickly washed his hands of it with the tired line "Users are the weakest link". I disagree, and respectfully direct Mr. Tim Rapoza to my previous writings here and here.
During the meeting, the manager mentioned the possibility of a lawsuit against a potentially liable third party. This suggests the construction company itself had been compromised and the attackers were sending the emails from the CFO's actual email account. That mitigating factor may relieve some of the pressure on the town treasurer for accepting the email so easily, and on the email security software for passing it through, but it in no way absolves the city managers for the lack of security controls and for not properly training employees in cybersecurity awareness. A compromised mailbox defeats sender authentication; it does not defeat an out-of-band verification step, which is exactly why that step has to exist.
The control policies and procedures to prevent this type of attack are fairly simple.
1) Every vendor-initiated change of financial account must be verified by voice with a pre-determined person at a pre-determined phone number taken from the vendor's onboarding record, never from the email requesting the change. A secondary contact person must be documented in case the primary isn't available.
2) Every wire transfer must be authorized by two people, one of whom must be a manager, and neither of whom prepared the transfer.
3) Documentation of every wire transfer over $5,000.00 must be submitted to a pre-determined financial controller within 24 hours of the transaction. That controller must then confirm that the transaction completed and that the funds were received by the intended party. (The quicker a fraudulent transaction is reported to the financial institutions involved, the better the chance of recovering the funds.)
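To make the three controls concrete, here is an added example (my own illustration, not code from the original post or from any city's payment system) that encodes them as checks a payments workflow would enforce. The vendor name, account identifiers, phone numbers and user IDs are invented. The last function replays the pattern from the Franklin story: a change-of-account email from the real CFO's mailbox that includes a "call me at" number the attacker controls. Because the callback must go to a number recorded at onboarding, the attacker confirming on their own number does not help them.

```python
# Added example, not from the original post: a minimal payments gate enforcing the
# three controls above. All vendor records, names and numbers are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


class ControlViolation(Exception):
    """Raised when a request fails a control; the payment must not proceed."""


@dataclass
class Vendor:
    name: str
    bank_account: str
    # Callback numbers captured at onboarding. These are the ONLY numbers used for
    # verification; a number supplied inside a change request is never trusted.
    primary_phone: str
    secondary_phone: str


@dataclass(frozen=True)
class Approver:
    user_id: str
    is_manager: bool


def apply_account_change(vendor: Vendor, new_account: str,
                         number_called: str, vendor_confirmed: bool) -> Vendor:
    """Control 1: a change of payment account takes effect only after a voice
    confirmation at a pre-registered number. An attacker who controls the vendor's
    mailbox can put any phone number in the email; this check ignores that number."""
    if number_called not in (vendor.primary_phone, vendor.secondary_phone):
        raise ControlViolation(
            f"{number_called} is not a pre-registered contact for {vendor.name}")
    if not vendor_confirmed:
        raise ControlViolation(f"{vendor.name} did not confirm the change by voice")
    vendor.bank_account = new_account
    return vendor


def authorize_wire(requester: str, approvers: List[Approver]) -> bool:
    """Control 2: two distinct approvers, at least one a manager, and the person who
    prepared the wire cannot be one of them (separation of duties)."""
    ids = {a.user_id for a in approvers}
    if len(ids) < 2:
        raise ControlViolation("a wire needs two different approvers")
    if requester in ids:
        raise ControlViolation("the requester cannot approve their own wire")
    if not any(a.is_manager for a in approvers):
        raise ControlViolation("at least one approver must be a manager")
    return True


REPORT_THRESHOLD = 5_000.00          # dollars, from control 3
REPORT_WINDOW = timedelta(hours=24)  # controller must confirm within this window


def reconcile_wire(amount: float, sent_at: datetime, confirmed_at: Optional[datetime],
                   received_by_intended: Optional[bool]) -> str:
    """Control 3: wires above the threshold must be reported to the controller within
    24 hours and confirmed received by the intended party. Returns a status string;
    'recall' means call the banks now, since recovery odds fall with every hour."""
    if amount <= REPORT_THRESHOLD:
        return "below-threshold"
    if confirmed_at is None or confirmed_at - sent_at > REPORT_WINDOW:
        raise ControlViolation("controller confirmation missing or later than 24 hours")
    return "reconciled" if received_by_intended else "recall"


def franklin_style_request() -> str:
    """Replays the pattern in the post: a change-of-account email sent from the real
    CFO's mailbox with a 'call me at' number that the attacker controls. The attacker
    will of course confirm on that number, so the answer is irrelevant; only the
    number called matters."""
    vendor = Vendor("Example Construction Co", "ACCT-ORIGINAL-0001",
                    primary_phone="+1-555-0100", secondary_phone="+1-555-0101")
    try:
        apply_account_change(vendor, "ACCT-ATTACKER-9999",
                             number_called="+1-555-0199",   # number from the email
                             vendor_confirmed=True)         # attacker says "yes"
    except ControlViolation as err:
        return f"blocked: {err}"
    return "paid to new account"


if __name__ == "__main__":
    print(franklin_style_request())
```

The point of the first check is that the verification channel must be chosen by the organization, not by the requester. Everything else in the workflow (dual approval, timely reconciliation) limits the damage when that first check is skipped or fooled.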
There you go Franklin, Tennessee. My consulting fee invoice will be in the mail. On second thought, maybe I'll send it through email!