CEO Fraud Scam costs firm $6 million

KnowBe4 and CNBC reported some pretty stunning breaking news. I cannot come up with a better case for new-school security awareness training for employees in accounting and HR.

A lawsuit filed on Friday September 16, 2016 by Tillage Commodities Fund alleges that $6 billion SS&C Technologies Holdings, a financial services software firm, showed an egregious lack of diligence and care, when they fell for a CEO fraud scam that ultimately led to hackers in China looting $5.9 million.

Tillage claims that SS&C didn’t follow their own policies, which enabled the theft, but to add insult to injury, staffers actually helped the criminals by fixing transfer orders that had initially failed. The documents were posted online by the law firm representing Tillage in the case. Above is the stock price on Monday, before the news hit. We will see if and how this changes over the next few days.

In the lawsuit, lawyers for Tillage say staff at SS&C failed to “exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats.”

For example, according to the suit, “the email requesting the largest wire transfer during the lifetime of this scheme ($3 million) states nothing more… than: ‘How was your weekend? Let’s round business up today.’” The suit states that one staffer “directed the release of Tillage’s funds oftentimes merely minutes after receiving the fraudulent wire requests.”

The scheme was amateurish, the lawsuit says, including the use of an email account that spelled Tillage with three ‘Ls’ instead of two – something that should’ve been spotted. Further, the emails contained “awkward syntax and grammatical errors – which were wholly inconsistent with prior Tillage communications – and which were entirely unclear in substance.”

Watch for red flags

All these red flags should have been caught by employees if they were trained to follow policy and keep a sharp eye out for possible CEO Fraud.
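As an added illustration (not code from the original post or from KnowBe4), here is a small Python check that surfaces the red flags the suit describes before a wire is released: a lookalike sender domain (such as the three-L spelling), urgency wording, and a large transfer with no stated business purpose. The domain names are constructed placeholders, not the fund's real domain.

```python
import re

# Constructed sample data: a placeholder for the fund's real domain. The lookalike
# used in the test mirrors the "three Ls instead of two" spelling from the lawsuit.
TRUSTED_DOMAINS = {"tillage.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain this one imitates, or None if exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    hits = [t for t in trusted if edit_distance(domain, t) <= max_dist]
    return min(hits, key=lambda t: edit_distance(domain, t)) if hits else None

# Wording that pressures the recipient to act before verifying out of band.
URGENCY = re.compile(r"\b(today|urgent|asap|immediately|right away)\b", re.I)
# Words that would normally accompany a legitimate large transfer request.
PURPOSE = re.compile(r"\b(invoice|contract|settlement|redemption)\b", re.I)

def wire_request_flags(sender: str, body: str, amount: float,
                       large_amount: float = 1_000_000) -> list:
    """List the red flags a reviewer should see before releasing a wire.

    This is a prompt for a call-back verification, not an automated verdict.
    """
    flags = []
    domain = sender.rsplit("@", 1)[-1]
    target = lookalike_of(domain)
    if target:
        flags.append(f"sender domain {domain!r} is a lookalike of {target!r}")
    elif domain.lower() not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {domain!r} is not a known counterparty")
    if URGENCY.search(body):
        flags.append("urgency language in request")
    if amount >= large_amount and not PURPOSE.search(body):
        flags.append(f"{amount:,.0f} requested with no stated business purpose")
    return flags
```

Any non-empty result should block release until the request is confirmed by phone with a number already on file, never one taken from the email.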

The lawsuit is seeking a whopping 10 million in damages, and of course other punitive damages and legal fees.

The upshot? If everything asserted in the lawsuit is correct, procedures and policies are a must-have, but employees need to be trained to follow them as well. Otherwise, they’re just pieces of paper with words and boxes to check when it comes to compliance.

Weak link

We all know that your users are the weak link in your IT security, and one of the very successful tactics the bad guys use is spoofed email addresses. When an email seems to come from a person they know, or from someone with authority, the chance they fall for an attack increases dramatically.

Cyber Safety Net is a KnowBe4 partner. Reposted with permission from https://blog.knowbe4.com/investment-fund-loses-6-million-in-ceo-fraud-and-shuts-down. Cyber Safety Net – keeping you safe online. See https://cybersafetynet.net/cyber-security-awareness-training/ to train and strengthen your human firewall. See https://youtu.be/UFpFesrcnvY and https://www.knowbe4.com/security-awareness-training-features/ to learn more.