Global cyber security executive gives insight to accountants
Accountants and internal auditors are urged to be actively engaged with emerging cyber threats as the cost of one such scam has risen above US$5 billion.
Speaking at the Institute of Internal Auditors International Conference, Paul Jackson, managing director of Stroz Friedberg, said despite the attention given to ransomware attacks in recent times, much needs to be said of other scams, including the business e-mail compromise (BEC) or chief executive scam.
Earlier this year, the US Federal Bureau of Investigation (FBI) released new global BEC/CEO scam statistics, with over US$5 billion in losses attributed to the fraud.
BEC/CEO scams occur when hackers send emails imitating a chief executive to employees, requesting sensitive data or initiating fund transfers.
“The most effective ones are those that hack into the email accounts of that executive, because then they’ll be able to send an email as if it’s coming from that person,” explained Mr Jackson.
“They’ll be able to get inside the mailbox and study how they write, how they communicate, how they give instructions, such that the finance person may not be suspicious when they receive the instruction purportedly from that person.”
Criminals are now also seeking to go beyond straightforward monetary gain, instead using these spoof emails to retrieve personal data within the company such as tax data, HR data, or payroll data.
“Why on earth a chief executive would want to request that, who knows, but employees get intimidated when they see an email from a chief executive or an executive, and they normally or very often will comply and send that information,” said Mr Jackson.
“That is more insidious because that kind of data can be used for ongoing fraud against employees.”
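The spoofing variant of the scam described above (an outside address borrowing an executive's display name) leaves traces in the message headers that a mail gateway or a finance team's review tooling can check. The following is an added illustration, not code from the article or from Stroz Friedberg; the executive list, company domain and sample messages are constructed. It deliberately covers only the spoofing case: a message sent from the executive's genuinely compromised mailbox, the variant Mr Jackson calls most effective, shows none of these indicators.

```python
import email
from email.utils import parseaddr, getaddresses

# Constructed assumptions: executives attackers are likely to imitate, keyed by
# lower-cased display name, and the domains that legitimately carry company mail.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
COMPANY_DOMAINS = {"example.com"}


def _within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one insertion, deletion or substitution
    (catches lookalikes such as examp1e.com, but not two-character swaps like rn/m)."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # a has an extra character
        elif len(b) > len(a):
            j += 1          # b has an extra character
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def bec_indicators(raw_message: str) -> list:
    """Return the executive-impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    name_key = display_name.strip().lower()
    found = []
    if name_key in EXECUTIVES:
        if from_addr.lower() != EXECUTIVES[name_key]:
            found.append("display name matches an executive but address does not")
        if from_domain not in COMPANY_DOMAINS:
            found.append("executive name used from an external domain")
    # A Reply-To that differs from the visible sender diverts the finance person's reply.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and reply_addr.lower() != from_addr.lower():
            found.append("Reply-To differs from From")
            break
    if from_domain not in COMPANY_DOMAINS and any(
            _within_one_edit(from_domain, d) for d in COMPANY_DOMAINS):
        found.append("lookalike sender domain")
    return found


# Constructed sample messages: one spoofed "CEO" wire request and one genuine message.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: ceo.urgent@mail-example.net
To: payments@example.com
Subject: Urgent wire transfer

Please process the attached invoice today and keep this confidential.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q3 figures

Thanks for the report.
"""
```

For the constructed spoof, `bec_indicators(SAMPLE_SPOOF)` returns all four indicators, while the genuine message returns none; a message from a compromised mailbox would also return none, which is why the article pairs technical controls with staff training and red team exercises.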
Mr Jackson, who was a former chief inspector, head of computer forensics and training with the Hong Kong police force, said it was worrying how cyber criminals were getting more organised.
“I attend a lot of the Interpol sessions on the underground economy, on the organised crime groups, and it’s becoming increasingly apparent that they are structuring themselves like ordinary businesses - they have CEOs, they have heads of HR, they recruit teams of hackers,” said Mr Jackson.
“The average payout for a successful attack is a staggering US$140,000 as a result of email compromise as compared with the average payout of ransomware which is only US$722. The reason why criminals are going after the email compromise is because it’s simple - it’s low risk and high rewards.”
While Mr Jackson concedes that no one is expecting an accountant or auditor to be fully across technological systems, professionals should recognise the need to bring in an expert to advise and implement a security system.
“The companies that are hardest to break into, that are hardest to compromise, that are hardest to social engineer their employees, are those that use innovation in their training,” said Mr Jackson.
“What these companies do is they screenshot effective [scams] and send them around saying, ‘unfortunately a couple of our employees were caught out, would you have clicked on it?’ Make them feel interested.
“Make sure this is driven from the top, make sure that the boss is engaged with this, that they share stories of where they’ve been tricked as well and we’ve found that this is extremely effective.”
Mr Jackson also highlighted the need for red team testing, a tool where white hat hackers attempt to break into a company’s security systems to test its effectiveness.
“Red team testing is very important because red team testing is the only testing that emulates real life - so these are real hackers on the good side but they are trying to break your systems - and it’s only by trying to do that that you will find where the gaps are,” added Mr Jackson.
“It’s extremely effective and is probably the only way to test the investments that have been made in cyber security.”
Companies can ill afford to rest on their laurels even if they have well-built cyber security systems in place, with criminals constantly seeking to innovate and find new ways to penetrate the tightest networks.
Mr Jackson pointed to a possible new trend on the horizon involving voice imitation technology, with a phone app named CandyVoice which claims to be able to replicate a user’s voice after listening to around 160 words.
“How long is it before you are able to record somebody in a meeting and put it in this app and have an exact imitation of that person’s voice and you just type in what that person’s going to say?” said Mr Jackson.
“It has fraud written all over it… this is quite scary.”