CyberheistNews Vol 8 #27 [Heads-up] Employees Sue Company for W-2 Phishing Scam. Federal Court Decides Triple Damages


Here is some rocket-fuel budget ammo for you. This story should give everyone pause.

Imagine my surprise when I saw a picture of myself in the blog of large North Carolina Law firm Poyner Spruill. It was all good though.

They had picked up an example of a real W-2 phishing scam we received that I had posted on our own blog. The screenshot was a good illustration of the risks of W-2 CEO Fraud.

However, the article literally raised my eyebrows. Why?

Read this and then send a link to your CEO and your legal team right away.

According to a recent federal court decision, an employee who is tricked into sharing personal information in response to a phishing email can be seen as committing an intentional disclosure under the North Carolina Identity Theft Protection Act (NCITPA).

As a result, the employer could face treble damages for the employee’s mistake, adding a new element to potential exposure for any organization.

Employees who fall for CEO fraud commit an "intentional disclosure".

Poyner Spruill's J.M. Durnovich was right to highlight this development, which was also picked up by the nationwide Law360 site. The failure to train employees may quickly become more costly, and not only for North Carolina employers. Other courts will look at this decision and may well reach the same conclusion: that not taking reasonable measures (whitepaper) to defend against scams like this merits treble (punitive) damages.

Here is a short extract from the Poyner Spruill post which I strongly recommend you read in full:

Schletter Falls Victim to Phishing Scheme

"In 2016, a Schletter employee received an email that appeared to be from a supervisor. The email requested W-2 tax information for the company’s employees for an apparent verification measure. The employee obliged, sending the supposed supervisor an unencrypted file containing the 200 employees’ personal information.

"Schletter notified its employees by form letter sent about six days after discovering the incident. Without providing much detail regarding the incident, the letter offered to pay for two years’ of credit monitoring and identity theft protection services for each of the affected employees.

The employees, dissatisfied with Schletter’s offer, turned to the courts and filed a class-action lawsuit: Curry, et al. v. Schletter, Inc., No. 1:17-cv-0001-MR-DLH (WDNC).

Treble Damages Available in Employees’ Class Action

"The employees’ lawsuit contained a claim under the North Carolina Identity Theft Protection Act (“NCITPA”). The NCITPA provides that a business may not “intentionally communicate or otherwise make available to the general public an individual’s social security number.”

Importantly, if the disclosure was intentional, the business may be liable for treble damages.

"Schletter moved to dismiss the NCITPA claim by arguing its employee didn’t intend to communicate the information to the general public. The federal court rejected Schletter’s argument, finding that the e-mail response, “while solicited under false pretenses, was intentionally made.”

The court’s reasoning turned on the distinction between a breach and a disclosure:

"This was not a case of a data breach, but a case of data disclosure"

"This was not a case of a data breach, wherein a hacker infiltrated the Defendant’s computer systems and stole the Plaintiffs’ information, but rather was a case of data disclosure, wherein the Defendant intentionally responded to an email request with an unencrypted file containing highly sensitive information regarding its current and former employees.

Under that rationale, the court allowed the employees to seek treble damages from Schletter.

I have never seen more powerful ammo for budget than this

Stepping your users through new-school security awareness training has always been a no-brainer, simply because it pays back for itself in a month. However, this raises the stakes significantly.

If a court decides that not training your employees against phishing scams like this is tantamount to "intentional disclosure" resulting in punitive damages, it's time to get effective awareness training in place yesterday.

Full Story with links and what happened to Schletter at the KnowBe4 blog:

"What Exactly Are the Risks of Breached Passwords?"

First of all, the term means that a particular password is available in a data breach on the dark web, and there are billions of breached passwords out there. KnowBe4 just released a free tool that you can run to see if any of the passwords your users are using today in Active Directory are actually out there in a data breach.

An IT Admin asked us, "So exactly what are the risks?"

"One question I have though is, what is the actual risk? If a malicious actor has a user's AD password, what can they do? I know that if a user clicks a malicious link or runs a malicious attachment, obviously that opens up a whole can of worms, but that's not really related to the user's password being compromised. Also, at the moment our AD is not linked to the outside world so to speak, although obviously most users can access the Internet, but with restricted inbound access (no RDP or port forwarding etc.) that shouldn't be an issue.

"We will be migrating over to Office 365 and using Outlook in the cloud and I know that will then introduce a risk if passwords are known, but at the moment I'm looking for what the risk is as we stand at the moment."


We don't know if you had any matches show up when you ran the Breached Password Test (BPT) tool, but if you did find some people actively using passwords that matched there is certainly a behavior/awareness issue to take up.

Likely that's the tip of the iceberg of the bad password practices they have, because, if you think about it, how did the username/password combo end up on the dark web if your AD wasn't the source? The most logical answer is password re-use across sites: someone used their work email and password to sign up at a site that was later compromised. And they probably still are...

Full answer continued at the KnowBe4 blog:

Word of the Week: What Is Angler Phishing?

What is Angler Phishing?

Angler phishing is the practice of masquerading as a customer service account on social media, hoping to reach a disgruntled consumer.

About 55% of such attacks last year targeted customers of financial institutions, trying to lure victims into handing over access to their personal data or account credentials.

Don’t Miss the July Live Demo: Simulated Phishing and Awareness Training

Old-school security awareness training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.

Join us on Wednesday, July 11th, 2018, at 2:00 PM (ET) for a 30-minute live product demonstration of KnowBe4’s Security Awareness Training and Simulated Phishing Platform to see the latest features and how easy it is to train and phish your users:
  • Send Simulated Phishing tests to your users during specified business hours with "Reply-To Tracking" that shows you which users fall for spoofed emails and what they answer to the bad guys.
  • Access to the world's largest library of awareness training content through our innovative Module Store.
  • Improved Vishing (voice phishing) feature supports domestic and international dialing with 10 commonly used vishing templates.
  • [NEW] Delegated Permissions now part of the Security Roles feature allows you to create custom admin roles for Target Groups in your organization.
  • Smart Groups put your phishing, training and reporting on autopilot. Best of all, it’s a powerful ad-hoc, real-time query tool to get detailed reporting, with great ROI.
Find out how 19,000+ organizations have mobilized their end-users as their last line of defense.
Register Now:

Live Webinar: Why You Should Be Using Deception: Decoys, Honeypots, and Red Herrings

Every company in the world should be utilizing some form of deception as part of their overall computer security defense. Decoys and honeypots can be high-value, low-noise, and identify threats previously thought to be undetectable.

Join Roger A. Grimes, KnowBe4's Data-Driven Defense Evangelist, and security expert with over 30-years experience, for this webinar where he will explore computer security deception. Roger is one of the world’s most prolific deployers of enterprise honeypots and author of the popular book, Honeypots for Windows (Apress).

Roger will share the two most popular ways organizations are attacked and how to use deception to defend against them. Attend this webinar and quickly come up to speed on deception and how you should be using it to protect your organization.

In this webinar, you will learn:
  • Real life stories of successful and failed deception
  • Deception vendors in the market today
  • How you can use deception to build your “human firewall”
Date/Time: Tuesday, July 17th at 2:00 PM ET. Save My Spot!

Warm Regards,
Stu Sjouwerman
Founder and CEO
KnowBe4, Inc

Quotes of the Week
"There is no instance of a nation benefiting from prolonged warfare." - Sun Tzu

"My first wish is to see this plague of mankind, war, banished from the earth."
- George Washington - 1st U.S. President (1732 - 1799)

Thanks for reading CyberheistNews

Security News
Consequences of a Telephone Number Hijacking

Another example of what it's like to be impersonated surfaced recently in the UK. Mrs. Jean Denton-Thomas of Winchester had her privacy invaded and her stress levels elevated as her voicemail message count neared 1,500 per day over a two-week period.

It's not that she'd suddenly found chatty neighbors drawn to her. Instead, her telephone number had been hijacked by offshore scammers.

The messages she received were responses to calls made from Denton-Thomas’s telephone number. The calls claimed to be from BT, the large British telecommunication company, informing the recipients that they had problems with their telephone and computer service that could be fixed upon payment of a fee.

Thus Mrs. Denton-Thomas was pulled into a version of the familiar help-desk scam. The sheer volume of the calls, combined with the desperation expressed in the messages, many of which came from apparently elderly victims, made her feel as if her life had been invaded and left her "quite unwell."

BT originally attributed the high volume of calls to Mrs. Denton-Thomas’ number to the digital equivalent of crossed wires. Eventually, however, the company recognized the issue as "potential spoofing."

As a result of her ordeal, Mrs. Denton-Thomas requested that telephone companies look into better protection from nuisance calls for their customers.

There's also a lesson for organizations. Spoofing is attractive to criminals looking to evade blacklists. A stolen number can serve them as a convenient burner. If recipients of help desk scam calls are made aware of them, and can learn to shrug them off without a second thought, they'll spare the spoof victims much grief. As always, awareness training helps.
The BBC has the story:

A Little Help From Your Artificial Friends

Knowing what the message inside an email is really asking for can be the difference between success and failure in fighting off social engineering schemes. Ian Harris, a professor at the University of California, and Marcel Carlsson, principal consultant at Lootcore, have recognized the value of using natural language processing (NLP) to detect malicious content in emails.

Most of us have a streak of sympathy and decency that makes us responsive to calls for help. Exploiting that streak is social engineering, and it's at the bottom of many a successful scam.

Carlsson and Harris turned their attention to the natural language found in an email message. A focus on the text enables security to be extended beyond simple email to texts and other forms of messaging. If coupled with a speech-to-text tool, NLP can also be useful in scanning for malicious content in phone calls and in-person conversation.

In some of its simpler forms, the NLP approach recognizes questions whose answers are typically private, the sort of information that's sensitive because it's personal, or personally identifying. Think of answers to simple security questions: your grandmother's maiden name, or the make of the first car you owned.

NLP can also be trained to recognize a command to perform some illicit operation. The NLP tool doesn't need to know the answer to a question to determine that the information being requested is private. The tool recognizes the main verb and object and then evaluates the statement.

For example, "Send money" is a verb-object pair. Verb-object pairs are compared against a list of known phishing commands or queries for private information. Like other approaches involving even simple forms of artificial intelligence, one challenge the method must overcome is training, collecting a large enough data set to teach the tool what to look for.
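To make the verb-object idea concrete, here is an added example (written for this newsletter, not the Carlsson/Harris tool or its data). It uses a small constructed lexicon of verb and object forms as a stand-in for a real parser, extracts the first verb-object pair in each sentence, checks the pair against a list of known phishing commands, and separately flags questions that ask for private information. The lexicons, the window size and the sample emails are all assumptions made for illustration.

```python
import re

# Constructed lexicons (assumptions standing in for a trained parser and the
# researchers' much larger lists; these are illustrative, not their data).
VERB_FORMS = {
    "send": {"send", "sends", "sending", "sent", "forward", "forwarding", "email", "emailing"},
    "wire": {"wire", "wiring", "wired", "transfer", "transferring"},
    "open": {"open", "opening"},
    "click": {"click", "clicking"},
    "confirm": {"confirm", "verify", "provide", "update", "enter"},
}
OBJECT_FORMS = {
    "money": {"money", "funds", "payment"},
    "w-2": {"w-2", "w-2s", "w2", "w2s"},
    "credentials": {"password", "passwords", "credentials", "login"},
    "ssn": {"ssn", "ssns"},
    "attachment": {"attachment", "file", "document"},
    "link": {"link", "url"},
}
# Verb-object pairs that a phishing email typically asks the recipient to act on.
KNOWN_PHISHING_PAIRS = {
    ("send", "money"), ("wire", "money"), ("send", "w-2"), ("send", "credentials"),
    ("confirm", "credentials"), ("send", "ssn"), ("confirm", "ssn"),
    ("open", "attachment"), ("click", "link"),
}
# Topics whose answers are private, e.g. typical security-question answers.
PRIVATE_TOPICS = {
    "maiden name": {"maiden name"},
    "birth date": {"date of birth", "birthday", "birth date"},
    "first car": {"first car"},
    "credentials": {"password", "login", "credentials"},
    "ssn": {"social security number", "ssn"},
}
QUESTION_RE = re.compile(
    r"\b(?:what|which)(?:'s| is| was| are| were)\s+(?:your|the|his|her)\s+(?P<topic>[^?.!]+)", re.I)
TOKEN_RE = re.compile(r"[a-z0-9][a-z0-9'-]*")  # keeps tokens such as "w-2s" intact


def _lemma(token, table):
    """Map an inflected form to its lexicon key, or None if unknown."""
    for lemma, forms in table.items():
        if token in forms:
            return lemma
    return None


def verb_object_pair(sentence):
    """Return the first (verb, object) pair found, looking a few tokens past the verb."""
    tokens = TOKEN_RE.findall(sentence.lower())
    for i, tok in enumerate(tokens):
        verb = _lemma(tok, VERB_FORMS)
        if verb is None:
            continue
        for nxt in tokens[i + 1:i + 8]:  # object within a short window after the verb
            obj = _lemma(nxt, OBJECT_FORMS)
            if obj is not None:
                return (verb, obj)
    return None


def private_info_query(sentence):
    """Return the private topic a question asks about, or None."""
    m = QUESTION_RE.search(sentence)
    if not m:
        return None
    topic_text = m.group("topic").lower()
    for topic, phrases in PRIVATE_TOPICS.items():
        if any(p in topic_text for p in phrases):
            return topic
    return None


def analyze(message):
    """Score a message sentence by sentence; returns (kind, detail, sentence) findings."""
    findings = []
    for sentence in re.split(r"(?<=[.?!])\s+", message.strip()):
        if not sentence:
            continue
        topic = private_info_query(sentence)
        if topic:
            findings.append(("private_info_query", topic, sentence))
        pair = verb_object_pair(sentence)
        if pair in KNOWN_PHISHING_PAIRS:
            findings.append(("phishing_command", pair, sentence))
    return findings


# Constructed sample messages for the demonstration.
SAMPLE_EMAIL = ("Hi, I need you to send me the W-2s for all employees today. "
                "What is your mother's maiden name? Please wire the funds before noon. "
                "Thanks for your help.")
BENIGN_EMAIL = "Thanks for sending the agenda. What is the room for tomorrow's meeting?"

if __name__ == "__main__":
    for kind, detail, sentence in analyze(SAMPLE_EMAIL):
        print(f"{kind}: {detail} <- {sentence!r}")
    print("benign findings:", analyze(BENIGN_EMAIL))
```

The sample email yields two phishing commands (send W-2, wire money) and one private-information query (maiden name), while the benign email yields nothing, because "sending the agenda" is a verb-object pair that is not on the list. The list-driven design is also the weakness the paragraph names: the approach is only as good as the pairs and phrasings it has been trained on.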

Carlsson and Harris have tested some 187,000 emails. They hope to eventually be able to extend their tool's efficacy to highly individualized attacks. They plan to launch their innovative approach to detecting social engineering attacks during Black Hat 2018.

This type of technical fix isn’t a silver bullet for killing social engineering. It's a promising adjunct to user training, which educates users into making smarter security decisions. Dark Reading has the story:

Phishing Tricks

You open your email client and are greeted with a message in your inbox, apparently from Microsoft, that your email account has "reached maximum quota limit" and you need to upgrade your account. The email appears to be authentic, and so you enter your password and just like that, you've been pwned.

Microsoft of course did not send the email, as legitimate as it may have looked to you. It's phishing for credentials. The problem is that it also looked legitimate, or at least not obviously suspect, to the security measures in Microsoft's cloud email service.

The phishing email slips through because it's an HTML email. The scammers have found that they can get past the natural-language processing systems that screen for phishing if they insert random HTML text into the message.

Viewing the message as rendered HTML, the user sees none of that text. The security system does see it, is induced to regard the message as benign, and passes it through.

This "Zero Font" method, as security researchers at Avanan call it, isn't new. It's been used for years to defeat spam filters. It had been seldom seen in recent years, but it may be enjoying a kind of renaissance. Avanan has also observed phishers splitting malicious links in emails by using the URL tag, thus fooling email filters that don't handle the HTML code correctly.
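The defensive counterpart to this trick is to screen the text the recipient would actually see rather than the raw text of the HTML. The following is an added example, not code from the original article or from Avanan: it assumes the filler is hidden with CSS `font-size:0` (as the "Zero Font" name suggests) or `display:none`/`visibility:hidden`, splits an HTML body into visible and hidden text with Python's standard-library parser, and treats a large share of hidden text as a signal. The sample message is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the "Zero Font" trick: the lure the user sees is
# interleaved with benign filler that only the filter reads.
SAMPLE_HTML = """<html><body>
<p>Your mailbox has <span style="font-size:0px">Quarterly newsletter: new office hours.</span>
reached maximum quota limit. <span style="FONT-SIZE: 0">Team lunch is on Friday.</span>
Please <a href="https://login.example.invalid/">upgrade your account</a> now.</p>
<div style="display:none">Thanks for reading our update.</div>
</body></html>"""

# font-size:0 with optional unit; does not match 0.5em or 10px.
_ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?\s*(;|$)", re.I)
_HIDDEN = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
_VOID = {"br", "img", "hr", "input", "meta", "link"}  # elements with no closing tag


def _is_hidden(tag, attrs):
    style = dict(attrs).get("style") or ""
    return tag in ("script", "style") or bool(_ZERO_FONT.search(style) or _HIDDEN.search(style))


class TextSplitter(HTMLParser):
    """Collect the text a recipient would see and the text only a filter sees."""

    def __init__(self):
        super().__init__()
        self._hidden_depth = 0  # > 0 while inside a hidden element (and its children)
        self.visible = []
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        if self._hidden_depth or _is_hidden(tag, attrs):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in _VOID:
            return
        if self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def _norm(parts):
    return re.sub(r"\s+", " ", " ".join(parts)).strip()


def split_text(html):
    """Return (visible_text, hidden_text) for an HTML email body."""
    p = TextSplitter()
    p.feed(html)
    p.close()
    return _norm(p.visible), _norm(p.hidden)


def hidden_text_ratio(html):
    """Share of the message text that the recipient would never see."""
    vis, hid = split_text(html)
    total = len(vis) + len(hid)
    return len(hid) / total if total else 0.0


def looks_like_zero_font(html, threshold=0.2):
    """Flag messages whose hidden text exceeds the threshold share."""
    return hidden_text_ratio(html) >= threshold


if __name__ == "__main__":
    vis, hid = split_text(SAMPLE_HTML)
    print("recipient sees :", vis)
    print("filter also saw:", hid)
    print("hidden ratio   : %.2f" % hidden_text_ratio(SAMPLE_HTML))
    print("flagged        :", looks_like_zero_font(SAMPLE_HTML))
```

Run on the sample, the visible text is the quota lure and the hidden text is the filler, so a classifier fed only `vis` sees what the user sees, and the hidden-text share is itself a useful feature. The threshold is an assumption; marketing mail legitimately carries some hidden preheader text, so tune it against your own traffic.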

Technical screens and security measures are valuable, and surely have their place. But this kind of phishing email can evade detection by them. It's unlikely, however, to get past an alert and well-informed user. Help Net Security has the story:

Phishing With XPS Attachments

Unfamiliar file formats are worth some attention. There's some ongoing phishing in which the payload is carried by an XPS file. That's XML Paper Specification, roughly speaking Microsoft's equivalent of the more widely used PDF. The phishing email is a commonplace one that looks like a routine, courteous transmission of an invoice.

The XPS attachment, if clicked and rendered, will display a message intended to induce a further login that purports to be an extra layer of security for the recipient's benefit. The message displayed above the "Open File" button and under the SharePoint logos says, "This is a secure attached file open with your email login credentials."

If you do so, you'll open what appears to be a SharePoint-like login page. And when you proceed to log in, the spammers have your credentials. The scammers will then go on to use those credentials in other spam looking for other payoffs.

It's worth talking to your employees about file types they may be unfamiliar with. And interactive training can help make them smart, skeptical users of email, unlikely to fall for the social engineering that tries to pass itself off as legitimate by using familiar logos and brands.

The SANS Institute's Internet Storm Center has the story:

Here Is a Way to Get Audits Done in Half the Time and Half the Cost!

Our customers have been telling us about their compliance headaches. Here are their major challenges; does any of this ring true for you?
  • Are you dealing with the problem of managing (multiple) compliance requirements, but careless end-users cause all kinds of problems?
  • Need to satisfy auditors that all controls are in place, but you have a lack of time and management support?
  • Have to produce all the evidence regularly, but the duplication of effort and keeping track of everything in a spreadsheet or word processor is a pain?
  • Are regular audits for PCI, HIPAA, SOX or any other regulation taking up too much of your time?
Here’s a way to manage this problem.

KnowBe4 Compliance Manager (KCM) simplifies the complexity of getting compliant and eases your burden of staying compliant year-round, effectively reducing the time and money you need to satisfy all of the requirements necessary to meet compliance goals.

See how you can get audits done in half the time at half the cost.

Check out KCM and request a demo:

What KnowBe4 Customers Say

"Apologies for my late reply. It’s been in the back of my head to reply to you, as your contact & enquiry is naturally much appreciated. As for the training & phishing service, we’re pretty much a happy camper with that one.

I actually wanted to also let you know that the platform already helped us to mitigate & control a rather bad incident where three C-Exec accounts got compromised through spear-phishing. It was the active reporting of the spear-phish emails via the KnowBe4 “Phish Alert Button” functionality by other C-Execs, that basically initiated our incident response.

The hackers succeeded in spear-phishing the O365 credentials of those C-Execs and put unauthorized inbound email forwarding rules in place. Thanks to the quick notification, the time of compromise was limited to only 40 minutes or so."
- N.A., Manager, Cybersecurity

"Stu, Thanks for checking in with us. We’ve been impressed with the knowledge and helpful attitudes of the people that we have worked with so far from your organization. We like the user friendly customization capabilities of the phishing program and the magnitude of relevant training materials available for use for our employee newsletter.

We are a small group, and we noticed a positive change in cyber security awareness in our people immediately after announcing that we would be initiating the program, before we started any campaigns or training. We have completed our baseline test and have run one training module and have another one in progress.

We are off to a good start! I also appreciate the educational webinars and current news events that are communicated to us from KnowBe4. Thanks."
- H.M., Director, System Planning

The 10 Interesting News Items This Week
    1. Research: 46 Percent of Unauthorized Cryptocurrency Mining Circumvents Antivirus Software:
    2. Worse than Equifax: Personal records of 340M people leaked online:
    3. Cybercriminals Target Hospitals with SamSam Ransomware Attacks:
    4. Coin Miner Malware Spikes 629% in 'Telling' Q1:
    5. Global Ransomware Damage Costs Predicted to Exceed $8 Billion in 2018:
    6. Why Do VPNs Need to Be GDPR Compliant?:
    7. Cyber boffins drill into World Cup cyber honeypot used to cyber lure Israeli soldiers:
    8. Weak Admin Password Enabled Gentoo GitHub Breach:
    9. New Malware Variant Hits With Ransomware OR Cryptomining:
    10. Why Are There So Many Robocalls? Here’s What You Can Do About Them:
Copyright © 2014-2018 KnowBe4, Inc. All rights reserved.
