Personally Identifiable Information (PII) & Personal Healthcare Information (PHI)
A phishing email targeting a healthcare company transmitted a link taking recipients to an official-looking website and directing them to enter their credentials. Based on similar incidents occurring on the Office 365 platform, the company was directed to work with a privacy counsel and forensic firm whose investigation revealed that approximately 20 users’ inboxes were compromised in the attack.
It could not be determined whether the attacker had downloaded the entirety of each mailbox. To determine whether there was an obligation to notify patients, the 20 inboxes needed to be programmatically searched for PII (Personally Identifiable Information) and PHI (Personal Healthcare Information). The search revealed upwards of 350,000 unsearchable documents, which then required manual review by a vendor. The programmatic and manual review of documents, forensic costs and legal fees alone cost just under $800,000. The cost of notification, call center and credit monitoring was an additional $150,000.
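The programmatic search described above, as an added example that is not part of the original case study: a small scanner that walks a set of mailbox items, counts PII/PHI markers in any text it can read, and routes attachments with no extractable text (scanned PDFs, images) to a manual-review queue, which is the population that drove the 350,000-document vendor review. The SSN, phone and date patterns are standard; the MRN format and the sample mailbox items are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Detectors for common PII/PHI markers. SSN, phone and date-of-birth are the
# usual shapes; the MRN (medical record number) pattern is an assumption for
# this example, since real MRN formats vary by provider.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}(?!\d)"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}

# Attachment types whose text can be read without OCR.
TEXT_TYPES = {"text/plain", "text/html", "message/rfc822"}


@dataclass
class MailItem:
    mailbox: str
    subject: str
    body: str
    # (filename, mime_type, extracted_text_or_None)
    attachments: list = field(default_factory=list)


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)          # mailbox -> {category: count}
    manual_review: list = field(default_factory=list)  # (mailbox, filename, mime)


def find_pii(text):
    """Return {category: count} for every PII/PHI pattern that matches text."""
    return {name: len(rx.findall(text)) for name, rx in PATTERNS.items() if rx.search(text)}


def scan_mailboxes(items):
    result = ScanResult()
    for item in items:
        box = result.hits.setdefault(item.mailbox, {})
        for cat, n in find_pii(item.subject + "\n" + item.body).items():
            box[cat] = box.get(cat, 0) + n
        for filename, mime, text in item.attachments:
            if mime in TEXT_TYPES and text is not None:
                for cat, n in find_pii(text).items():
                    box[cat] = box.get(cat, 0) + n
            else:
                # No extractable text: cannot be searched programmatically,
                # so it goes to the manual-review queue.
                result.manual_review.append((item.mailbox, filename, mime))
    return result


def mailboxes_needing_notification_review(result):
    """Mailboxes with at least one PII/PHI hit or an unsearchable attachment."""
    flagged = {box for box, cats in result.hits.items() if cats}
    flagged.update(box for box, _, _ in result.manual_review)
    return sorted(flagged)


# Constructed sample mailbox items (not real data).
SAMPLE_ITEMS = [
    MailItem("user01@example-health.test", "Re: referral",
             "Patient DOB 03/14/1968, MRN 00412345. Call 555-867-5309.",
             [("scan_001.pdf", "application/pdf", None)]),
    MailItem("user01@example-health.test", "Lunch", "Noon at the cafe?"),
    MailItem("user02@example-health.test", "Intake form",
             "SSN 123-45-6789 attached.",
             [("intake.txt", "text/plain", "Name: J. Doe\nSSN: 123-45-6789"),
              ("id_card.jpg", "image/jpeg", None)]),
    MailItem("user03@example-health.test", "Parking", "Lot B is closed Friday."),
]

if __name__ == "__main__":
    res = scan_mailboxes(SAMPLE_ITEMS)
    for box, cats in res.hits.items():
        print(box, cats)
    print("manual review:", res.manual_review)
    print("review for notification:", mailboxes_needing_notification_review(res))
```

Regex hits only establish that a mailbox needs review; the notification decision still rests on what the flagged and manually reviewed documents actually contain.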
CEO Fraud / Wire Funds Transfer Fraud
A Texas manufacturing firm, Ameriforge Group Inc. (dba AFGlobal), filed a claim with a division of Chubb Insurance in May 2014 for a $480,000 loss following an email scam that impersonated the firm’s CEO and manipulated the company’s accountant to wire the funds to a bank in China.
A phony message from “the CEO” to the accounting director, Glen Wurm, allegedly read: “This is a strictly confidential financial operation, which takes priority over other tasks. Have you already been contacted by Steven Shapiro (attorney from KPMG)? This is very sensitive, so please only communicate with me through this email, in order for us not to infringe SEC regulations. Please do not speak with anyone by email or phone regarding this. Regards, Gean Stalcup.”
Roughly 30 minutes later, Mr. Wurm said he was contacted via phone and email by Mr. Shapiro stating that $480,000 in due diligence fees associated with the China acquisition was needed. AFGlobal claims a Mr. Shapiro followed up via email with wiring instructions.
Mr. Wurm wired the funds to Agricultural Bank of China and said he received no further correspondence from the imposter until May 27, 2014, when the imposter acknowledged receipt of the $480,000 and asked Wurm to wire an additional $18 million. Wurm said he became suspicious after that request, and alerted the officers of the company. “The imposter seemed to know the normal procedures of the company and also that Gean Stalcup (CEO) had a long-standing, very personal and familiar relationship with Mr. Wurm — sufficient enough that Mr. Wurm would not question a request from the CEO.”
By the time AFGlobal attempted to recover the $480,000 wire from its bank, the money wired 6 days earlier was already gone, with the imposters emptying and closing the recipient account.
In a letter sent by Chubb to AFGlobal, the insurance firm said it was denying the claim because the scam, known alternatively as “Business Email Compromise” (BEC) and CEO Fraud, did not involve the forgery of a financial instrument as required by the policy.
AFGlobal is not alone in being victimized by this recent cyber scam. Medidata Solutions Inc., a research technology company, lost $4.8 million after a company employee, also contacted by a fake CEO and a fake attorney, was instructed to wire money to a Chinese bank.
BEC or CEO Fraud schemes are an increasingly common and costly form of cyber crime. According to the FBI, thieves stole nearly $750 million in such scams from more than 7,000 victim companies in the U.S. between October 2013 and August 2015.
CEO fraud begins when thieves phish an executive and gain access to that individual’s inbox, or email employees from a look-alike domain name that is one or two characters off from the target company’s true domain name. For example, if the legitimate domain is “example.com,” criminals might register “example.co” or “examp1e.com” (substituting the digit “1” for the letter “l”) and send messages from that domain. The cyber criminals will forge the sender’s email address displayed to the recipient, so that the email appears to be coming from example.com. In all cases, however, the “reply-to” address is the spoofed domain (e.g. examp1e.com), ensuring that any replies are sent to the fraudster.
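The two header tricks described above (a forged visible sender plus a look-alike reply-to domain) are exactly what a mail gateway or SOC triage script can check for. The following is an added example, not code from the case study or from any vendor: it parses a raw message with Python's standard `email` module, compares the From and Reply-To domains against the organisation's real domain, and treats a domain as a look-alike if it matches after folding common digit-for-letter substitutions (1 for l, 0 for o, and so on) or sits within one edit of the real domain, which covers both `examp1e.com` and the truncated `example.co`. The legitimate domain `example.com` comes from the text; the homoglyph table and the three sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

LEGIT_DOMAIN = "example.com"  # the organisation's real domain (from the text above)

# Digit-for-letter swaps commonly used in look-alike registrations (assumed list).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Fold look-alike characters so examp1e.com and example.com compare equal."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character variants like example.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True if domain is not the real domain but imitates it."""
    if not domain or domain == legit:
        return False
    if normalize(domain) == normalize(legit):
        return True
    return edit_distance(normalize(domain), normalize(legit)) <= 1


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def bec_indicators(raw_message, legit=LEGIT_DOMAIN):
    """Return a list of human-readable BEC indicators found in the headers."""
    msg = email.message_from_string(raw_message)
    indicators = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    if is_lookalike(from_dom, legit):
        indicators.append(f"lookalike sender domain: {from_dom}")
    if reply_dom != from_dom:
        # Replies silently go somewhere other than the displayed sender.
        indicators.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
        if is_lookalike(reply_dom, legit):
            indicators.append(f"lookalike reply-to domain: {reply_dom}")
    name, _ = parseaddr(msg["From"] or "")
    if legit in name.lower() and from_dom != legit:
        indicators.append("display name contains the legitimate domain")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: "Chief Executive" <ceo@example.com>
Reply-To: <ceo@examp1e.com>
To: accounting@example.com
Subject: Confidential financial operation

Please only communicate with me through this email.
"""

SAMPLE_LOOKALIKE = """From: "Chief Executive" <ceo@example.co>
To: accounting@example.com
Subject: Urgent wire

Wiring instructions attached.
"""

SAMPLE_CLEAN = """From: "Chief Executive" <ceo@example.com>
Reply-To: <ceo@example.com>
To: accounting@example.com
Subject: Board agenda

See attached.
"""

if __name__ == "__main__":
    for label, raw in [("bec", SAMPLE_BEC), ("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)]:
        print(label, bec_indicators(raw))
```

A reply-to mismatch alone is common in legitimate mail (ticketing systems, marketing platforms), so in practice the combination of a mismatch with a look-alike domain, or with a request to move funds, is what should raise the alert rather than either signal by itself.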
The criminal genius of a BEC attack is its ability to sidestep basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.
The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish secondary communication channels, such as telephone calls, to verify large transactions. Martin Licciardo, Special Agent, FBI Washington believes, “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on email alone.” Businesses are also advised to limit the information published about employee activities on web sites and social media.