KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Thank you. First of all, just want to say thank you for having me on to talk about this, this topic.
It's, it's an important topic and it's a topic that's near to my heart. Just to set the stage. I work for a company called ABEX. We are the second largest telematic provider in Europe, meaning we have a lot of customers. We have a lot of customer data. So information security is, is key for us. Probably none of, you know what AAX is, but we, we do tracking of plants tools. We vehicles, we do driving behavior, fleet management, and have a large open API with a lot of integrations towards, towards custom applications in the industry.
So that's, that's AACS, but that's not what we are going to talk about today. We are talking about social engineering and just at, just at the stage, I'm going to talk a bit about business, email compromise, all of you know, that that is something that is rising, has been on the rise for a long time. It's absolutely a global phenomena. It targets us all size of organizations, both small, like ours and large last year, 24,000 known cases in the us three over three years, 26 billion us dollars paid out to criminals. It's an estimate, probably huge amount.
That's never reported more and more organized criminals professionals, global footprint. They have more professional operations than many other legit companies, and they do this because it's a high payout and relatively low risk for them to do this. So do to, to, to understand a bit more about what human factors we see in the business, email compromise, I'm going to quickly take you through the timeline of an actual business email compromise in our organization.
Some time ago, we experienced this and after we have, I quickly gone through the timeline, we can look at some of the human factors used here. So as with most social engineering attacks and business email compromised in particular, it started with a completely random phishing email sent out to a lot of people in our organization. We have a lot of technical security in place, but obviously some slip through. And when that happens, we have good routines for what we should do.
And our service desk sent out a warning about the fishing attempt just a couple of minutes after, but as you all know, male, you get a lot of it. You don't read all of them. So unfortunately, one of our senior directors, they went ahead and gave away their credentials. And then this was the start of the whole chain of events. And what I'm going to talk about now is what we have discovered during the inve investigation phase afterwards. So less than 20 minutes after the fishing was sent out, we saw that we had an unknown login to this senior director's email account.
We were on the office 365 platform. We at the time had not activated multifactor authentication. So with the credentials, it was easy to get access to this account. They had access to email one drive SharePoint, the whole shebang, and that's of course critical for us for the criminal it's it's information heaven.
And they, they, they used less than a day to investigate his account, to find information. And we found out that on the second day, they registered the fake domain with the domain name that is almost similar without an one single letter equal to one of our partners, an outsourcing partner that we used. So they had the fake domain created and now they started to investigate more. They used five, six days almost a week, just monitoring activity in the account. They looked at what kind of emails we were sending between ourselves and our supplier. They looked at how the wording of emails were.
They looked at which persons in the organizations that had contact with each other and really did a, probably a good information gathering to set up a play a scheme towards both us and our supplier. So after being in the email account and obviously other office parts, they found out that now the timing was right to set up a scam, a scheme. They were now put in the middle of the conversation between our outsourcing partner and ourself. They had a fake domain, so they could send emails looking to be from us, or no, sorry, from our partner to us.
And at the same time, they had access to our senior director's email account. So they could easily also send emails to our partner, appearing to be from him. And now they introduced a fake invoice and set up a story. And the key here is that they set up actually two slightly different stories towards our partner. They said that we unfortunately had paid the, the original invoice from the wrong account. So they wanted the payment to be reversed. And then the other way around, they had introduced a new fake invoice with a new account number to be paid. So they were playing both sides.
They were playing you us and our partner, of course, when this happens, it triggers checks in both our organization and our outsourcing partners organization. It involves finance departments in both sides, but the criminal were in the middle. So they had no problem at all to, to fake communication between both parties. And after a couple of weeks, we were convinced that we should reverse the payment. And now the criminals started to stress this.
They, they continuously checked. Are you, have you gotten the, the reversal done? Are you ready to pay the new invoice?
And they, they were asking a couple of times a day and you will see later that this is a key human factor that they used. So when the payment was reversed, we paid to the wrong account. And at this time, actually this scheme was a success for them almost because luckily a bank noticed some anomalous and they asked us to confirm this. And then we were able to freeze the payment before it got in the hands of the criminals. And it was a time consuming thing, but we were also able to get it reversed in back to us after a long time. So we were lucky and I'm going to stress this. We were lucky.
We got the pay money back and didn't lose any money on this. So this was a very short, without any technical detail timeline for a business, email compromise. And then obviously there are a lot of human factors in play here. The first one, they talked a bit about, they are professionals. They have a lot of scripts ready for different scams. They can run. And when they find the right situation, they adapt the scripts to, to fit the organizations they are working with or trying to scam.
And the, this, this proves that they are highly pro professional. This is not like the common script kid trying to, to, to earn a few bucks. This is the, the organizations actually living of doing scams like this, and with the business email compromise. And in this position, they were placed in the middle of the conversation. They could monitor all communication between us and the outsourcing partner and as well, they could introduce new communication whenever they needed. They could hide an email coming into the, to the account they had access to.
They could send fake emails from the, from the newly created domain. And they, they were, they could easily take control over the whole thing. So if things were starting to go away, they didn't want to, they could hide an email, send out something new and, and that way they, they lure us and our partner as well. And stress here is, and the urgency is something they use because as an employee, for example, in the finance department, your focus is to do your job. Your focus is to complete the task at hand, for example, to pay the invoice at the right time, right amount to the right account.
And when, when, when the, the criminals starting to, to introduce stress, you get more and more focused on actually completing the task, completely forgetting to ask the, the right questions and then playing other emotions as well. The, the, the, you, you're proud of what you do. You will do it right. You will do it quickly.
And, and of course, when you have a senior management level involved, you, you will not ask maybe all the questions you should. And also then confirmation bias kicks in. You have a lot of information in this case, but you have already decided what you're going to do. You have decided that, okay, this is the right thing to do.
So you, you start to just look at the information that confirms what you've already decided and completely ignores everything else that that probably should ring a bell. So that is the five key human factors here. And hopefully there are some learning points as well. The most obvious one is technical security. I think most of us have it in place already, but, but if you don't have multifactor authentication, activated, wherever, you can turn it on at once, your employees will fall victim to fishing and order social engineering time. After time, you can't prevent it.
The technical security will never make it 100% secure, but it will raise the bar. It will make it harder for the criminal to get into your account. The next thing is something that I think all companies have a lot of policies and many enforce them. Not all maybe, but when you come into situations like this, for example, where vendor or partner asks to change an account number to, to get the invoice paid to you need to have policies. They need to be 100% strict and clear. What should you do when this situation arises? You should do an out band verification.
You need to pick up the phone, call the company, talk with someone you actually know in the other company to, to get them to confirm that we are changing our bank information. It doesn't help just to get an email and, and accept that as the, as a reality, you need to get it confirmed some other way. And remember your employees will for victim for social engineering.
It's not, if it's when, and then it's easy to think that, oh, my employees is always the weakest link. And in some cases they could be, but they all could also be your human firewall. When things slip past the, the technical checks and balances, you need to have some human firewalls, someone asking questions, someone checking someone thinking twice before they do something. And now we are getting into the end and probably into what I find most fascinating. And I think also what can give the most value to your organization? You need to think about security culture.
What are people thinking about in your organization, measure security culture on a regular basis. There are a lot of tools out there that can do this for you and combine it with doing fishing assessments. You need to see how your organization responds to fishing attempts. You can't just assume that they're good or bad. You need to test it. And when you have a good overview of your secure culture and have done fishing assessments, you can do targeted training. Because if you, if you just do like the mandatory compliance once a year training, that gives you very little.
But if you target training towards specific groups in your organization, you will get much more value out of the training and it doesn't need to be three hour long course. It can be five minutes videos just to, to raise the bar and also be sure to adjust the wording in how you train developers needs different message than a salesperson.
The, the keys or, or the learning points are the same, but how you present is completely different. And then lastly, and I think this is, if, if you're just going to take away one thing from this talk, it is that you need to have a company culture that is open, encouraged, and encouraging both learning and sharing, sharing of business, email compromise. Like I have been doing briefly now and, and how to learn from this situation.
How could your company be better if the only focus is on who did wrong, finding who to blame and, and especially trying to keep this undercovers, yes, it's a bit embarrassing that you have been victim to a business, email compromise or another social engineering attack, but, but you're not going to learn anything from it if you don't talk about it. So I think to summarize this is the absolutely most important in my point of view, have an open culture share, share, and learn from it instead of being embarrassed and pointing fingers. And with that, I'm going to open up for some questions.
