“Hallo. I am royal person from nation country outside your own. I am trouble having and would wish to transfer in the amount of $2.1 million to your bank account. Once escaping from my picklement, you can keep half as reward for being world hero.” For most of us, poorly worded e-mail scams from the early days of “You’ve got mail” produced a laugh but not much more—typically not our health information or Social Security/Social Insurance numbers. But as David Asselstine points out in “Cyber-Risk: A Breach May Be Inevitable” in the March/April issue of Plans & Trusts magazine, benefit plan professionals and organizations today need to navigate an expanding and improving set of cyber-risks—including phishing, spear phishing, ransomware and business e-mail compromise—and be ready with cybersecurity strategies.
Hackers are now masters in human manipulation, Asselstine asserts, and benefit plans are vulnerable. “With the aid of the Internet, their elegant schemes are only a quarter of a second away from every desktop, laptop and smartphone in the world,” he writes. “If that wasn’t scary enough, today’s hacker may have the financial backing of sophisticated criminal organizations and adversarial foreign governments.”
Below are four common cyber-risks, followed by strategies organizations can take to try to protect themselves.
1. Gone Phishing
In addition to using more sophisticated technology, scammers today use social engineering that takes advantage of human emotions to gain access to sensitive data.
Phishing uses e-mails to cast a wide net and prey on human emotions such as curiosity, fear and urgency. Around the holidays, for example, employees may receive phishing e-mails that claim to be from a package delivery service and say that a package cannot be delivered without the user confirming some personal information.
Spear phishing is aimed at a specific target—one, as Asselstine points out, that could be an employee of a health and welfare or pension fund. For example, a worker could receive a fake security message asserting that his or her e-mail account has been the target of an attack and encouraging the employee to change the e-mail password. Many spear-phishing e-mails look legitimate, and employees could be tricked into handing over a new password that allows an outside threat to access the e-mail account from then on.
2. A King’s Ransomware
Ransomware typically arrives as a malicious link or attachment within a phishing e-mail. Once someone opens the malicious file, the malware runs, searches the computer and the connected network for data, and encrypts it. The data is then held for ransom. “Once data has been encrypted, the cybercriminal will offer up the encryption key for a price,” Asselstine writes. “Interestingly, in 20% of the cases where the ransom is paid, the encryption key doesn’t work.”
3. The Wrong Kind of Compromise
Business e-mail compromise (BEC) targets specific businesses or individuals who wire money. These attacks may involve intelligence-gathering tactics aimed at lower-level employees in an effort to eventually reach an executive. Asselstine notes that a common scenario involves a spoofed e-mail (or an actual compromise of a work e-mail account) from a chief executive officer instructing a chief financial officer to wire funds to an account that is controlled by cybercriminals. The e-mail and wiring instructions often appear to be authentic. The U.S. Federal Bureau of Investigation (FBI) classified BEC as a unique crime type in 2017 and reported that losses reached $5.3 billion in the United States between October 2013 and December 2016.
4. Cyberdefense and Cybersecurity Training Gaps
Cybersecurity is no longer a matter just for the information technology (IT) department, Asselstine writes. It must involve employees at all levels. A separate but linked strategy for cyberfraud (the social engineering component) and cybersecurity (the IT infrastructure component) should be centrally managed with defined objectives and overarching principles.
Organizations should consider two-factor authentication for all changes to third-party payment instructions. Organizations also should use training and education so that all members of the workforce understand and recognize common cyberthreats.
Furthermore, IT should incorporate multiple layers of defense to contain breaches. They can be physical, electronic or procedural.
“Keep in mind that the keys to the IT kingdom, and therefore the IT crown jewels, are in the hands of every employee,” Asselstine writes. “As a result, the effectiveness of a social engineering defense strategy will only be as strong as the weakest link.”
Robbie Hartman, CEBS
Editor, Publications for the International Foundation