Have you read about this yet?
The tech companies that fell victim to a $100 million “fraudulent email compromise scheme” against two unnamed “multinational internet companies” were identified last month as Facebook and Google, thanks to Fortune.com.
Basically, here's what happened: In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to impersonate a large Asia-based manufacturer (Quanta Computer) with whom both Facebook and Google did business regularly.
According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to redirect payments into his own bank accounts.
I've said it before and I'll say it again: Email is Still the Number 1 Threat Vector
Luckily, this didn't end up too badly for Facebook and Google.
“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” a company spokesperson told Fortune.
“We detected this fraud against our vendor management team and promptly alerted the authorities,” a Google spokesperson told Fortune. “We recouped the funds and we're pleased this matter is resolved.”
What's the lesson here? And how do you protect your company?
Everyone is a target and everyone can be had. That is the bottom line.
We get phishing emails at UTG quite frequently because hackers know that MSPs have a treasure trove of information about many customers. Facebook and Google both have large security teams (and, I am sure, training programs), but it will ultimately always come back to what a user will click on.
I'm seeing more and more that companies have their training and testing programs upside down (if they even have one). Meaning, they are testing regular employees all the time but not “bothering” executives with the testing and training campaigns.
The problem with that logic is that “Susie” receptionist cannot transfer millions out of the company but “Bob” the CFO can, and he is only being tested or trained once a year, on the high end. Most companies don’t like to hear that they have it backwards but we don't mind helping them right the ship!
Most groups will try to leave key decision makers off the training list as their schedules are “too hectic” or “we don’t want to create more work for them”. However, they are the primary people that need the training because it is frequently executives/C-Levels that have the authority to access funds, as well as vendor management, accounting and a few other roles.
This creates a gap in security awareness. You ultimately will never have a silver bullet for human error, but knowledge is power—so give EVERYONE in your organization the power!
While we're working to add details to our website very soon, ask us now about our Security Awareness Company Trainings.