Lions & Lambs: A Story of Social Engineering Fraud

By Lowers & Associates,

Lions and Lambs

Disclaimer: For privacy reasons, the identity and certain event details described in the Lowers & Associates #OurStory series have been modified.

Over the last several weeks, the Lowers & Associates (L&A) team has shared security insights on LinkedIn through a series we called “Our Work, Together.”  Applicable across multiple industries and for companies of all sizes, these insights are drawn from L&A’s collaborative approach and decades of risk mitigation experience.

To build on this concept of shared work, we now want to turn the lens inward on our subject matter experts to gain a deeper understanding of how they acquired these insights. Specifically, we want to understand how their claims investigations or assessment experiences, for example, have shaped their current approach to risk mitigation.

In “Our Story, Together,” some of what you’ll read will be entertaining, some of it will be cringe-worthy, some of it will be downright sad. Part of our success over the last 30 years, though, is recognizing and celebrating that our team is the sum-total of its experience – good, bad, and ugly. Meaning, our shared personal experiences help our team shape perspective, communicate empathy, and define purpose, all of which inform our investigative and consulting work, adding value for our clients. Every L&A client requires a certain level of focus, and our team sharpens that focus by appreciating the journey together.

While this work together helps our team write its story, protecting our clients’ people, brands, and profits enables your business to write (and tell) its story. And we believe there’s still a great deal we can learn from each other.

This week, Brad Moody tells a story of social engineering fraud that, had the CEO created the culture of a high-reliability organization, may have had a different outcome (click here for L&A’s HRO resources).

Brad, one of the memorable jobs that has stuck with you involves the lion-loving CEO. What happened with that? 

Brad Moody: So, I deployed to the location on behalf of our client, an insurance carrier, to investigate a client of theirs that experienced a huge loss that may or may not have been a cyber event. Our job was to figure that out. Well, what quickly became apparent was that the wire transfer process in place was well-documented, performed, and controlled. However, the CEO of this company was very aggressive and very intimidating to employees, and what looked like a cyber event was actually a social engineering fraud that was enabled by the CEO’s behavior.

What happened was, this CEO mentioned on social media that they’d be attending a conference at a specific time, and engaged with visible “marketing” dialog back and forth with the CFO of the same company (who was also set to attend this event), tagging one another in this public forum. Eventually, the Controller of the company also got in on the discussion. For a bad actor, this was plenty of evidence that, during that time, certain high-level decision-makers would be absent from and perhaps not paying full attention to operational details.

The bad actor in this fraud did indeed take advantage of all this information and created a fake domain name, switching two letters in the company’s name, like a lowercase “l (el) and an uppercase I (eye)” scenario. At the same time, the bad actor engaged with the HR department of the company in question under the guise of applying for a job. What they were really trying to understand was the email signature and naming convention (was it first initial and last name, full name separated by period, etc.). They did that until they eventually got a return email, which gave them the next piece of information they needed.

From there, the actor identified the CEO, CFO, and Controller’s email nomenclature and email signatures, which they were able to ascertain through a series of emails and out-of-office replies.  At that point, the actor had enough information to carry out the fraud. Using the fake domain, the actor developed a fake email trail that began with the fake CEO “emailing” the fake CFO about sending a wire transfer. Affirming this fraudulent transfer, the fake CEO email then forwarded the series of fraudulent messages to the REAL Controller, demanding that this wire transfer be made, to the tune of over $8 million.

The message from the fake CEO to the real Controller was a very convincing message about how they were all out of office, and it needed to happen immediately for this top-secret merger and acquisition, etcetera. Unfortunately, the Controller wasn’t looking closely enough at the signature and prior chain of emails, but recognizing that this was a unique situation, responded by clicking Reply All, to which a response was sent to the fake CEO and the fake CFO asking for confirmation if the wire transfer was real.  The bad actor replied as the CEO, “Yes, I told you make this happen, it needs to happen in the next 10 minutes.”

What’s comical about this is that the actor actually gave the wrong routing instructions for the delivery of the initial wireframe transfer, and the bank actually rejected it – it was to an offshore account in Singapore that didn’t exist because the bad actor had already closed it from another fraud! So, the actor replied to the Controller with the correct routing number, to which the Controller promptly wired the money. The CEO wrote back and insisted that it hadn’t gone through, so the Controller tried again and in a matter of minutes, this company lost not just $8 million, but $16 million.

That’s a rough one.  What did your investigation reveal about how this happened and what was the coverage they had in place?

Brad Moody: Well, one of my recommendations ended up being around their control process. On paper, it looked good, but it was missing steps. There were obviously a few things that went wrong in this scenario, but clicking the Reply All button, that was bad. If the Controller had typed in the email of the CEO and CFO, autofill would have helped the Controller out. Likely, they would have noticed the discrepancy in time and there would have been at least some hesitation, for sure. But I’ve seen this exact thing happen now in three different fraud cases after the fact, so it continues to work for the bad guys.

Once we’d printed everything out, we were able to see clearly what happened.  At this point, the FBI has been engaged and everyone is looking at what went wrong, but our job was to determine on behalf of the insurer if this was a cyber-crime or social engineering. Unfortunately for this business that experienced the loss, this was an act of social engineering and their policy only covered social engineering up to $10,000.

What was the fall-out?

Brad Moody: There were some other things we noticed going on and this looked to be an actor that had some familiarity with the group. The CEO also had some odd things going on in their personal life but removing the CEO from their role at the company was as far as it went, and no one went to jail.

In terms of process, you know, we went in there, and it’s our job to quantify the loss. This was a true breakdown in controls, driven by a lack of empowerment in the organization. It’s something that’s very simple and that can happen. But you think about process and, we’re still people, right? Just pick up the phone and call somebody! Sure, email and text are easy, but those can offer diminishing returns sometimes.

Another thing to remember is that banks aren’t required to stop or shut down transactions; they are given instructions on what to perform, and if you tell them an action is OK, it goes. So, as part of this process, for example, there should have been a call to the bank from the company that indicated before it happens, “Hey, I’m going to be performing this large transaction.” Part of the training is the relationship building with your financial institution, it’s so important.

This CEO really had their people tightly wound, huh? 

Brad Moody: When we walked into the CEOs office, it was shocking, actually. You know how some people have inspirational posters of some mountain top and it says, “Life” or something? This CEO had a picture of a lion and the message said “Intimidation is the only way to rule your employees” or something to that effect. Turned out this person was the one who got their lunch eaten.

Top 7 Risk Management Articles from 2017

By Lowers & Associates,

High reliability organizations, active assailant risk management, and healthcare security are just a few of the topics that dominated the Lowers & Associates Risk Management Blog in 2017.

Here we provide a summary of our 7 most-read articles from 2017.

1. 5 Principles of High Reliability Organizations

High Reliability Organizations (HROs) are anomalies. They exist in the kind of very complex, fast-evolving environments where you would expect chaos to prevail. But it doesn’t. HROs are able to cope successfully with unexpected conditions. That’s what makes these unusual organizations so attractive to researchers. What can we learn from them?

Read the full post >

2. When Active Assailant Situations Become Known-Unknowns

Not long ago, most Americans regarded active assailant incidents as black swan events, unpredictable and largely indefensible. However, with the increasing frequency of these events, the time is at hand when venue owners, employers, and operators of gathering places need to evaluate and mitigate the risk of these incidents, or potentially face legal consequences. And the number and type of venues at risk may increase.

Read the full post >

3. Test Your Fraud Knowledge

In case you’re thinking fraud is not an issue in your organization, you should know that extrapolating from actual fraud cases examined in 2016 and reported to ACFE, organizations worldwide lose 5% of topline revenue to fraud. Virtually every type of organization from business, government to non-profit sectors is vulnerable to fraud.

Read the full post >

4. Slideshow: What Makes a High Reliability Organization?

High reliability organizations (HROs) operate within challenging conditions. Think of air traffic control, aircraft carriers, and nuclear power plants for clear examples of such conditions. Mistakes in these settings often have catastrophic consequences. Yet they seldom fail.

Read the full post >

5. 7 Ways to Test the Reliability of Your Organization

If you are a manager in an organization, especially one that faces a complex, dynamic environment, you should be interested in learning how the principles of the High Reliability Organization (HRO) can help you. Your aim should be to develop an organization that moves continuously toward greater reliability of critical outcomes, using every failure as an opportunity for improvement.

Read the full post >

6. 18 Fraud Facts to Drive Your 2018 Fraud Prevention Plan

When it comes time to review your fraud risk management and prevention plan, it pays to have some hard statistics in front of you. This slideshow features 18 facts straight from the ACFE’s bi-annual Report to the Nations on Occupational Fraud and Abuse. The report can help you understand and respond to the threat of organizational fraud in your company, and the facts presented can serve as benchmarks for your organization while helping to uncover areas you may have failed to address.

Read the full post >

7. 3 Key Components of an Effective Healthcare Security Program

We make many assumptions about our healthcare. We assume our doctors and nurses are well trained and know what they are doing. We assume that the ER is open when we need it and the facility where we receive care is clean as well as safe and secure. While legitimate expectations, they are not always the case. When it comes to healthcare security, having an effective program requires planning, training and consistent implementation. Our latest whitepaper, 3 Key Components of an Effective Healthcare Security Program, walks through the most critical aspects of healthcare security and introduces some ways to ensure your program delivers.

Read the full post >

We look forward to continuing to deliver valuable content you can use to better protect your people, brands, and profits in 2018 and beyond. Happy new year!

 

  Category: Risk Management
  Comments: Comments Off on Top 7 Risk Management Articles from 2017

Is Your Organization Moving Toward High Reliability? [SlideShare]

By Lowers & Associates,

High Reliability Organizations (HROs) offer benchmarks for other organizations and systems whose missions are critical but operate in challenging high-risk environments. Successful HROs offer insights on operations, culture, performance, and evaluation that can be adapted to other organizations to improve the reliability of achieving objectives.

Early research on HROs attempted to understand how organizations such as aircraft carriers and the air traffic control system could continuously produce desired outcomes despite the high uncertainties of input conditions (environment) and the inherent interdependence of operations. Observing these unlikely success stories led to the distillation of 5 principles:

• A preoccupation with failure.
• Reluctance to simplify.
• Sensitivity to operations.
• Commitment to resilience.
• Deference to expertise.

Recently, managers in less fraught, but still complex, organizations and systems have begun to adapt these principles to deliver a similar high reliability in outcomes. Among others, good candidates for applying the lessons of HROs include the cash management system and healthcare organizations and systems.

The Joint Commission on healthcare accreditation is sponsoring work to develop a path for healthcare organizations of various sorts to move toward high reliability outcomes. A 2013 Joint Commission paper by Mark Chassin and Jerod Loeb titled “High Reliability Healthcare: Getting There from Here” summarizes a process to move toward the goal. An important point it emphasizes is that the improvement is continuous: HROs seek perfection, but never finally reach it.

Chassin and Loeb lay out stages healthcare organizations might follow on the journey toward becoming an HRO. Other types of organizations would have to adapt these to their own circumstances, but they do provide a template for moving forward.

Our latest SlideShare, What makes a High Reliability Organization? provides deeper information about the 5 principles, and illustrates how they might be applied in your organization.

Take a look here:

Slideshow: What Makes a High Reliability Organization?

By Lowers & Associates,

High reliability organizations (HROs) operate within challenging conditions. Think of air traffic control, aircraft carriers, and nuclear power plants for clear examples of such conditions. Mistakes in these settings often have catastrophic consequences.

Yet they seldom fail.

HROs have the unique ability to deliver stunning reliability in complex environments. How do they do it? What makes an HRO? Our latest slideshow provides a glimpse inside. Read through it here:

 

[Infographic] Recognizing and Managing the Unpredictable

By Lowers & Associates,

One of the most fascinating things about High Reliability Organizations (HROs) is their paradoxical nature. Despite existing in potentially hostile conditions where factors not under their control can emerge at any moment, they achieve the capability to absorb the unexpected and continue operating successfully.

… Continue reading