Schwab broker lied A former broker for Charles Schwab & Co. was fined $5,000 and suspended for 90 days by the Financial Industry Regulatory Authority Inc for lying to Schwab about a CEO Fraud attack in which he wired nearly $800,000 to someone impersonating one of his customers. Fired because he violated Schwab's policy Deming Payne, who resigned from Schwab in September 2017 after admitting that he violated firm policy regarding the documentation of outbound calls, is no longer employed in the securities industry. The Financial Industry Regulatory Authority Inc., in its letter of acceptance, waiver and consent, said that in August 2017, Mr. Payne received requests via email from an individual posing as a customer to process eight wire transfers from the customer's account. Imposter got away with $794,860 In total, wire ... Read More

Ransomware has reached a new low The repugnant attack combination of ransomware, claims to donate to charity, and even details of children’s names, diagnoses, and pictures shows there is no low too low for scumbag cybercriminals to go for more money. Ransomware protection and detection has improved over the years. So, cybercriminals are constantly looking for new ways to ensure payment. This latest version is downright revolting. The CryptoMix ransomware has resurfaced, according to a recent blog at Ransomware Incident Response vendor CoveWare. With each infection, the message goes beyond just asking for bitcoin, but instead attempts to compel victims to pay the ransom with the claim that the money will go to a fictitious charity. It's all for the kids, they say Throughout the entire payment process, the cybercriminals keep up ... Read More

What W-2 phishing looks like According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a W-2 phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA). As a result, the employer could face triple damages for the employee’s mistake, adding a new element to potential exposure for businesses. Employees who fall for CEO Fraud commit an "intentional disclosure" Poyner Spruill's J.M Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site. The failure to train employees may quickly become more costly not only for for North Carolina employers. This decision will be looked at by other courts who very well might come to the same conclusion that not taking reasonable ... Read More

CEO fraud reaches 1 in 6 users With an average of 1 in 6 users receiving email-based impersonation attacks (CEO fraud attempts) , it spells bad news for organizations. Cybercriminals need users to believe the emails being sent are legitimate. No better way can be found than to impersonate someone known to the sender. According to email security vendor Mimecast, email impersonation—aka CEO Fraud or Business Email Compromise—has risen 80% over last quarter in their latest Email Security Risk Assessment Report. Impersonation works Utilizing the findings from the inspection of over 140 million messages, Mimecast’s report is particularly statistically relevant and should be given the proper attention. The massive increase in impersonation denotes the cybercriminals finding greater successes with impersonation than without. Over 40,000 impersonated email messages reached users’ inboxes, demonstrating that bad guy ingenuity can ... Read More

CEO fraud victims had weak cybersecurity A recent U.S. Securities and Exchange Commission report of nine companies that had been victims of CEO fraud...had sufficient internal controls in place as required by law. The report focused on what the FBI calls “business email compromise” and what in InfoSec circles is known as CEO Fraud: cyber criminals pose as company executives to dupe staff into sending company funds to bank accounts controlled by the hackers. The FBI estimates such scams have led to a whopping 12 billion dollars in losses since 2013. In some cases, attacks on these companies lasted months and were only discovered when law enforcement intervened. Each had securities listed on a national stock exchange and lost at least 1 million, though two lost more than 30 million and one ... Read More

Big $$ in social engineering According to an alert published last year by the FBI, Business Email Compromise (BEC) and Email Account Compromise (EAC) have caused $12 billion in losses since October 2013. Traditionally, social engineering and intrusion techniques have been the most common ways to gain access to business email accounts and dupe individuals to wire funds to an attacker-controlled account. These methods play out as follows: Social engineering and email spoofing: Attackers will use social engineering to pose as a colleague or business partner and send fake requests for information or the transfer of funds. These emails can be quite convincing as the attacker makes a significant effort to identify an appropriate victim and register a fake domain, so that at first glance the email appears to belong to a ... Read More

Business manager had a hacked email account The bank isn’t always responsible for making you whole after a business email compromise. Indiana’s Lake Ridge Schools lost more than $120,000 from a seven-million-dollar construction fund established to build an athletic complex. The funds were stolen via a wire transfer ordered through a hacked email account. That account belonged to a business manager who was authorized to request payments. The money was requested in the form of wire transfers to several people thought to be contractors on the project. At the time the wire transfers were requested, the business manager was on vacation and the bank, BNY Mellon had received an out-of-office notification days before. Email had a different font Lake Ridge Schools sued BNY Mellon, alleging that the bank’s failure ... Read More

Government shut down does not stop the thieves Once again we are starting tax season, and Internet thieves are spinning up phishing campaigns to exploit the myriad opportunities afforded by this annual ritual to trick unsuspecting users into coughing up their money, identities, and the credentials to online accounts. Curiously, these campaigns are proceeding even though the U.S. government is partially shut down, causing widespread confusion over whether the IRS will be sufficiently operational to process tax returns and issue refunds. The bad guys, of course, appear to be facing no operational difficulties and are more than happy to step in to take your refunds, your bank accounts, and your identity. Although we have not as yet seen the now infamous W-2 phishing campaigns that have plagued previous tax seasons, they are almost ... Read More