Tag Archives: Eduard Goodman

Cyber Attacks Shift to Small Businesses

Small- and mid-sized businesses (SMBs) are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.

Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs. So it’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.

As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40%, a worrying trend for those in the small business sector that likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.

Security falls short

Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods, leaving more records vulnerable and increasing the size of the victim pool that may be interested in suing.

See also: The Key to Survival in Wild West of Cyber  

Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well-adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA — as well as a robust, centralized breach-reporting mechanism — have made companies in the medical space a little paranoid about their heavily regulated environment.

Behind the curve

Other small business sectors aren’t as prepared for the risk of a breach. Outside healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or how to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.

Litigation bills add up

Data-breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, the company is likely to incur significant financial penalties no matter which way the lawsuit goes.

See also: Can Trump Make ‘the Cyber’ Secure?  

Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just as with the professional and employment liability insurance they already have, it would be wise to pursue coverage to defer defensive and recovery costs around their cyber liabilities. With the specter of more breaches — and more class-action lawsuits — coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.

This article was originally posted on ThirdCertainty. It was written by Eduard Goodman.

New Attack Vector for Cyber Thieves

It has become commonplace for senior executives to use free Web mail, especially Gmail, interchangeably with corporate email. This has given rise to a type of scam in which a thief manipulates email accounts. The goal: impersonate an authority figure to get a subordinate to do something quickly, without asking questions. The FBI calls this “CEO fraud,” and a surge of these capers has resulted in scammers stealing a stunning $750 million from more than 7,000 U.S. companies from October 2013 through August 2015.

Here is an example where the scammer targets an attorney from a big city in the Northeast.

Attack vector: The scammer gathers intelligence about real estate transactions handled by an attorney and drills down on a specific deal in which the law firm is handling the purchase of a $450,000 home for a client. The scammer learns this attorney is in the habit of using his personal Gmail account interchangeably with his law firm’s email. As the transaction approaches the final step, the attorney’s paralegal receives a spoofed email that appears to come from her boss. She instantly follows a directive to cancel a check for $450,000 that she is about to mail and instead wires the funds into an account designated by the scammer.

More video: Scammers exploit trust in Google’s platform

Distinctive technique: The funds initially get routed to another law firm in the Southwest. A subordinate in this law firm also appears to have been spoofed by the scammer to be prepared to move funds once again, this time into an account set up in a U.S. branch office of Sumitomo Bank, a giant global institution with headquarters in Tokyo. “At this point, it is not likely the $450,000 will ever be recovered,” says IDT911 Chief Privacy Officer Eduard Goodman. “Once a transfer like this is made, you can’t really unring that bell.”

Wider implications: U.S. consumers are well protected by federal law, and banks usually will reimburse individual consumers victimized by cyber criminals. However, banks are under no legal obligation to offer any relief to businesses, large or small, that have been tricked like this. Most of the $750 million lost in documented cases of CEO fraud has most likely been absorbed by the duped business entities.

Infographic: More Americans living with data insecurity

Excerpts from ThirdCertainty’s interview with Goodman. (Answers edited for length and clarity.)

3C: Businesses are losing one heck of a lot of money to CEO fraud.

Eduard Goodman, IDT911 chief privacy officer

Goodman: Yeah, absolutely. This one was for about $450,000. There is another woman with a ballet company who recently lost about $100,000. It’s significant chunks, let’s put it that way. And because this is happening in a business setting, it’s a little bit different in that your bank won’t stand behind you. It’s caveat emptor. There is no consumer protection. When something like this happens to your business, you’re out of luck.

3C: Why aren’t suspicious transactions flagged more often?

Goodman: The government will tend to go after companies for anything that may have to do with consumer violations. But when businesses impact other businesses, the government doesn’t do a damn thing, even if the victim is a really small business and they’re essentially consumers in and of themselves. Banks have that unfair advantage to say, ‘Well, sorry, should have flagged it, but we just process it for you.’

3C: So by using free Web mail this attorney sort of invited spoofing?

Goodman: He kind of comingled accounts, that’s the thing. He had his law firm’s email, and he also had a personal Gmail account. He would send emails from both accounts. That is something that has become a very common practice. He probably had previously emailed himself something from his actual work account into his Gmail account. This scammer probably got into his Gmail account, and then made the connection to his law firm account.

Then it was off to the races. The paralegal gets the wire transfer request from an email that’s very close to an authentic law firm email except there’s an extra letter in the domain name. It looks very credible.

3C: Could this have been avoided?

Goodman. Yes, by taking the extra 45 seconds to make a phone call. Pick up the phone and verify things instead of getting caught up in the workday.

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation’s second-largest health care insurer, disclosed losing records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting it lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics 

Brian Huntley, IDT911 Chief Information Security Officer
Brian Huntley, IDT911 Chief Information Security Officer

 

Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there is minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data tranfers and children’s privacy

Eduard Goodman, IDT911 Chief Privacy Officer
Eduard Goodman, IDT911 Chief Privacy Officer

 

Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations
Victor Searcy, IDT911 Director of Fraud Operations

 

Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.