Once again, it was the human factor and skilled phishing tactics from the bad guys that was responsible for such a material loss. And, from the sound of it, policy and procedure either weren’t in place or weren’t followed.
This is a very simple tale; in fact, so simple, it sounds like all the attackers used was a single email. Reports of one of the agencies of the Puerto Rican government, the Industrial Development Company, transferred the millions on January 17th. According to news reports, a simple email purporting to be a contractor was received requesting a change to banking details for payment remittance.
The FBI’s Recovery Asset Team is now involved and is working to attempt to recover the funds.
Anytime emails are sent asking for any kind of information or changes made involving bank accounts, transactions, and transfers, organizations need to protect themselves proactively:
- Establish a policy that mandates all requests be validated using an alternative medium, such as in-person or over the phone.
- Users whose roles have them even marginally involved with money-related transactions should undergo Security Awareness Training to both understand that these types of scams occur regularly and how they can spot a suspicious email before the damage is done.