CNBC reported some pretty stunning breaking news. I cannot come up with a better case for new-school security awareness training for employees in accounting and HR.
A lawsuit filed on Friday, September 16, 2016 by Tillage Commodities Fund alleges that $6 billion SS&C Technologies Holdings, a financial services software firm, showed an egregious lack of diligence and care when it fell for a CEO fraud scam that ultimately led to hackers in China looting $5.9 million.
Tillage claims that SS&C didn't follow its own policies, which enabled the theft, but to add insult to injury, staffers actually helped the criminals by fixing transfer orders that had initially failed. The documents were posted online by the law firm representing Tillage in the case. Above is the stock price on Monday, before the news hit. We will see if and how this changes over the next few days.
In the lawsuit, lawyers for Tillage say staff at SS&C failed to "exercise even a modicum of care and responsibility in connection with known and obvious cybersecurity threats."
For example, according to the suit, "the email requesting the largest wire transfer during the lifetime of this scheme ($3 million) states nothing more… than: 'How was your weekend? Let's round business up today.'" The suit states that one staffer "directed the release of Tillage's funds oftentimes merely minutes after receiving the fraudulent wire requests."
The scheme was amateurish, the lawsuit says, including the use of an email account that spelled Tillage with three 'Ls' instead of two – something that should've been spotted. Further, the emails contained "awkward syntax and grammatical errors – which were wholly inconsistent with prior Tillage communications – and which were entirely unclear in substance."
All these red flags should have been caught by employees if they were trained to follow policy and keep a sharp eye out for possible CEO Fraud.
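The lookalike sender domain is the kind of red flag a mail-flow control can catch before a wire request ever reaches a busy staffer. The check below is an added illustration written for this post, not code from KnowBe4 or from the lawsuit; the trusted-domain list and the sample From headers are constructed, and an edit distance of at most 2 is an assumed threshold.

```python
import re

# Constructed list of counterparty domains this organisation treats as trusted.
TRUSTED_DOMAINS = ["tillage.example", "ssctech.example"]

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small non-zero distance to a
    trusted domain (e.g. one extra 'l') is the lookalike signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From header such as
    'Bob <bob@tillage.example>' or a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'.
    Subdomains of a trusted domain count as trusted; anything within
    max_distance edits of a trusted domain is flagged for human review."""
    domain = sender_domain(from_header)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers: one genuine, one with the extra 'l'.
    for hdr in ["CEO <ceo@tillage.example>", "CEO <ceo@tilllage.example>"]:
        print(hdr, "->", classify_sender(hdr))
```

A wire-request workflow can route anything classified as a lookalike to an out-of-band confirmation step instead of letting it proceed on the strength of the email alone.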
The lawsuit is seeking a whopping $10 million in damages, plus, of course, other punitive damages and legal fees.
The upshot? If everything asserted in the lawsuit is correct, procedures and policies are a must-have, but employees need to be trained to follow them as well. Otherwise, they're just pieces of paper with words and boxes to check when it comes to compliance.
We all know that your users are the weak link in your IT security, and one of the very successful tactics the bad guys use is spoofed email addresses. When an email seems to come from a person they know, or from someone in authority, the chance they fall for an attack increases dramatically.
No-Charge Domain Spoof Test
Can hackers spoof an email address of your own domain?
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.
Would you like to know if hackers can spoof your domain? KnowBe4 can help you find out if this is the case with our complimentary Domain Spoof Test. It's quick, easy and often a shocking discovery. Find out now if your email server is configured correctly; 82% are not!