The FBI Internet Crime Complaint Center (IC3) has noted an increase in the number of Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints related to the diversion of payroll funds. In this type of scheme, a company’s human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period. The new direct deposit information generally routes to a pre-paid card account.
Established in 2000, the IC3 is responsible for receiving and processing complaint of internet crimes. According to it’s 2019 Internet Crime Report, in the past years the IC3 received 1,707,618 complaints involving $ 10.2 Billion in total loss3es.
In 2018 the IC3 created a Recovery Asset Team (RAT) to streamline communications with financial institutions and assist FBI field offices with the recovery of funds for victims who made transfers to domestic account under fraudulent pretenses. In 2019 the IC3 received 1,307 incident complaints totaling losses of $384,237,651. The RAT was able to recover almost 80% $304,930,696, a recovery rate of almost 80%.
According to the IC3, there has been an increase in BEC complaints concerning the diversion of payroll funds. Complaints indicate that a company’s human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account.
In a typical example, HR or payroll representatives received emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account.
Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email that contains a spoofed log-in page for an email host. Employees enter their usernames and passwords on the spoofed log-in page, which allows the subject to gather and use employee credentials to access the employees’ personal information. This makes the direct deposit requests appear legitimate.
The IC3 home-page contains a link to file complaints on-line, and also access consumer and industry fraud alerts.
According to an article in the NY Times, the security employee monitoring the smoke alarm panel had only been on the job for three days. When the alarm came in the employee contacted a guard in the main church area and sent them to check the alarm. The guard responded back to the security employee that there was no indication of a fire. Unfortunately, it took approximately 30 minutes before they realized that the security employee had sent the guard to the wrong building – the fire alarm sensor was located in the attic area, above the main church. To get there the guard climbed 300 narrow steps but by then the fire was beyond controlling with a fire extinguisher. At that point the guard radioed the security employee to call the fire department.
Some interesting facts contained in the article: The “ponderous response plan” underestimated the speed with which the fire would spread in the attic area; To preserve the architecture, no sprinklers or fire walls had been installed; The security employee had not been replaced at the end of his eight-hour shift so was required to work a second shift; The control panel displayed a complicated string of letters and numbers – ZDA-110-3-15-1, that was code for a specific smoke detector among more than 160 individual detectors and manual alarms in the church.
Given the type and quantity of combustible materials in the upper portions of the church, the lack of sprinklers and fire walls, and the need for a person to physically respond in order to validate the alarm, any proper risk assessment should have concluded that the threat from fire was a high probability, high consequence event. The article did not indicate if or when the response plan was ever tested. Based on the events described in the article, my assumption is that it was not.
Many of my corporate and government clients work with classified information. The areas in which this work is accomplished prohibits the introduction of electronic items such as cellphones, laptops and smart watches. The question is how to store these items until they could be picked up by their owners upon leaving these secure areas. The most frequent solution was to install first-come/first-serve wall mounted lockers with key-operated locks. For larger facilities this could take up a significant amount of real estate. There are also several drawbacks to using this type of storage system. Individuals would lose their keys. Unfortunately, most of these locker installations were not master-keyed so someone from the security department would need to take time to pull a back-up key, assuming the individual could remember which locker they had stored their item in. There was also the need to make another backup copy of the key to replace the one that was lost. An additional problem that was encountered was that assigned personnel would simply keep the locker key so they would be assured of place to lock up their device when they arrived at work.
Yesterday I met with a client who appeared to have found a more suitable solution to this storage problem. They’re using a Robocrib TX750 industrial vending machine that works with their access control cards. You simply hold your access control badge up to the proximity reader on the front of the machine to initiate the process. You will be stepped through the process via a display screen at the front of the unit. It will prompt you to select the size of the device you want to store. After a moment the door will release and the sliders will open to reveal a space to insert your phone, laptop, etc. To retrieve the device simply hold your badge up to the reader. After a few seconds the door will release, the sliders will open and you can take your device.
This DHS video provides information to assist with mitigating the evolving threat corresponding to vehicle ramming incidents with insightful technical analysis from public and private sector subject matter experts. It leverages real-world events, and provides recommendations aimed at protecting organizations as well as individuals against a potential vehicle ramming incident.
On 21 November 2019, Haitao Xiang, previously employed by Monsanto and its subsidiary, The Climate Corporation, was indicted by a federal grand jury on charges of economic espionage and theft of trade secrets. One thing that the prosecution will need to prove at trial is that Monsanto and Climate Corporation employed reasonable precautionary measures to secure their trade secrets. Just marking it as a trade secret/proprietary information doesn’t make it so.
In a similar case, the United States v. Hanjuan Jin (2012), involving the theft of trade secrets from Motorola, the judge evaluated the physical security (access controls, alarms, security cameras and on-site security guards), network and computer measures (passwords, firewalls, and logon reminders), and administrative procedures (document markings, training programs, and confidentiality agreements) employed by Motorola to protect their trade secrets and determined that they met the threshold for reasonable precautionary measures. The implication is that if Motorola and The Climate Corporation had not enacted these “precautionary measures”, it may have been difficult for them to justify the claim that the material was indeed sensitive and that it’s loss caused significant damage.