Once again, it was the human factor and skilled phishing tactics from the bad guys that was responsible for such a material loss. And, from the sound of it, policy and procedure either weren’t in place or weren’t followed.
This is a very simple tale; in fact, so simple, it sounds like all the attackers used was a single email. Reports of one of the agencies of the Puerto Rican government, the Industrial Development Company, transferred the millions on January 17th. A simple email purporting to be a contractor was received requesting a change to banking details for payment remittance.
The FBI’s Recovery Asset Team is now involved and is working to attempt to recover the funds.
Anytime emails are sent asking for any kind of information or changes made involving bank accounts, transactions, and transfers, organizations need to protect themselves proactively:
- Establish a policy that mandates all requests be validated using an alternative medium, such as in-person or over the phone.
- Users whose roles have them even marginally involved with money-related transactions should undergo Security Awareness Training to both understand that these types of scams occur regularly and how they can spot a suspicious email before the damage is done.
It’s one thing for government agencies to be hacked via ransomware, like we’ve seen in Baltimore ($18 million lost) and Atlanta. It’s another thing to be fooled by a phishing scam. The incident is a reminder that no one is safe, and one wrong move can cost millions. As we’ve seen in Baltimore and Atlanta, the cost of recovering ($10 million) from cybercrime tends to grow quickly.
Contact Consulting IT today for advice, training and auditing on your IT Infrastructure.