Cyberattacks Government Agencies | Government Cyber Security | Rea CPA

Government Entities Are Not Immune To Cybercrime


In November it was revealed that the City of El Paso fell victim to a $3.2 million phishing scam; the stolen taxpayer money was intended for the city’s streetcar project. It was only after a vendor called to report that they had not received a payment that the city learned there was a problem.

Further investigation revealed that the $300,000 electronic payment made to the vendor had been misdirected to a different account. Even worse, after digging a little deeper, the city uncovered an even larger misdirection of funds. A second electronic payment for $2.9 million that was made to another vendor was also misdirected to a fraudulent account. In total, cybercriminals were attempting to steal $3.2 million worth of taxpayer dollars from the City of El Paso.

A Quick Response Is The Best Response

The FBI is the official primary responder for cyber events in the United States. Once involved, the agency’s Computer Analysis Response Team will arrive on scene with a single objective: to quickly image your media in a way that will allow the FBI to identify exactly how the incident occurred.

If this happens to you:

  • Do not attempt to conduct your own forensics. Once you’re infected, you’re infected. Wiping your computers will not make the problem go away. The first phone call you make should be to the FBI. Attempts to rectify the problem yourself will only complicate matters and could potentially result in even more costly repercussions.
  • Notify the authorities as soon as possible. The number of tools at law enforcement’s disposal depends greatly on how quickly you identify that an attack has occurred and how quickly you inform the authorities.

People often think that cyberattacks are super complicated. That’s not necessarily the case. They are really no more complicated than a robbery, kidnapping or any other type of crime. As in any other type of investigation, the FBI will attempt to collect data that answers the following questions in a way that is forensically sound:

  • How did they get into your network?
  • Once they got in, what did they do?
  • Did they cover their tracks? If so, how?
  • What harm was done?

According to El Paso’s Chief Financial Officer Mark Sutter, law enforcement was able to recover $292,000 from the first payment that was made to the misdirected account. Of the second payment, $1.6 million was recouped. Additional details about this specific scheme or the city’s response have not been disclosed as the investigation is still ongoing. We do know, however, that the city is still attempting to recover the remainder of the second $2.9 million payment. Regardless, it is unlikely that the city will be able to recoup the entire $3.2 million that was stolen.

Don’t Let Cybercrime Happen To You

Don’t think that you are safe just because you have anti-virus software. While anti-virus software is nice, it has holes, vulnerabilities and blind spots. If you really want to maintain a secure network, follow these tips:

  • Patch your software. When a software company issues a patch, they make that information public – which means the bad guys know where the vulnerabilities are as well. Failure to maintain the current updates can result in infiltration of your network.
  • Encrypt your data. If your data is encrypted, even if it is stolen, at least you can rest assured that the criminals won’t be able to read it.
  • Back up your data and keep the backup offline. Backing up your data is just good practice and an essential element of a solid disaster recovery plan. But if you keep your backup data connected to your network, it’s useless. When you do back up your data, disconnect it from the network and store it in a safe location.
  • Utilize multi-factor authentication. Anytime there is a possibility of losing money, you should use multi-factor authentication or at least two different methods that must be used in order to access your system. Someone might be able to guess your password, but it’s unlikely they will be able to fake a fingerprint or access the algorithm in your RSA token. This just makes it exponentially harder for the bad guys to access your system.

Image: Ransomware attack. This graphic, similar to one you would see on your computer monitor if your machine was infected with ransomware, was provided as part of a presentation by Kaspersky Lab.

I have worked with clients whose organizations were leveled by tornadoes, demolished by accidental explosions, and whose server hardware failure literally sparked catastrophe. What is clear is that, in business, you can’t afford to become complacent – tomorrow is never guaranteed.

These days, most of my career has been spent helping leaders of businesses and organizations protect themselves against a wide variety of threats in the hopes that, when danger strikes, their data is protected. In particular, I have been spending a lot of time helping protect client data from cybercriminals armed with ransomware who are looking for a chance to hijack your data to secure a quick payday. Once these hackers gain access to your network, you only have two choices: either give in to their demands or come to terms with the fact that the data is lost forever – that is, unless you have established and maintained offsite data backups as part of your disaster recovery plan.

Why A Disaster Recovery Plan Is An Essential Business Tool

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses, nonprofits and every entity and organization in between are all on high alert after the FBI recently released a Ransomware Advisory. Ransomware, an insidious type of malware designed to encrypt, or lock, your valuable digital files, is being used more and more by criminals demanding money in exchange for the data’s release. Unfortunately, it has been very effective and many high-profile businesses have been successfully infiltrated.

“Too many organizations are paying ransoms to extortionists,” said cybersecurity attorney Chris Pierson in a recent article on bankinfosecurity.com. “Whether due to speed, mission criticality or lack of good backups and data proliferation, more companies are being forced to pay these days.”

Never before has it been more important for all entities, large and small, to have a plan in place to protect the network from unforeseen threats like ransomware, a fact that was reiterated by the FBI earlier this year.

Molly Halpern, host of the podcast FBI This Week, says that the ransomware threat is evolving as criminals are now focusing more on businesses, local governments and other organizations. These days, data backups are essential.

I recommend that clients back up all their data to an offsite location at least 2-3 miles away from the primary production area as part of the organization’s Disaster Recovery/Business Continuity Plan. Routine testing of the plan should also be conducted to ensure accuracy and completeness.

Of course, guaranteeing the validity of your data is easier said than done, which is why your best course of action is to completely restore your data to an alternate system. NOTE: Never restore your data over existing production data. In many instances, it is advisable to work with your network vendor or cloud provider to establish a satisfactory method of testing the validity and completeness of your data. However, depending on the sensitivity of your data or the quantity of data you manage, it may be in your best interest (not to mention the best interest of your customers, shareholders and the general public) to work with a team of disaster recovery experts.
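
One way to test the validity and completeness of a restore made to an alternate location is shown below. This is an added example, not code from the original article or from Rea & Associates. A SHA-256 manifest recorded at backup time is compared against the restored files. The function names, file names and file contents are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(Path(root).rglob("*")) if p.is_file()}


def verify_restore(manifest, restore_root):
    """Compare a restore made to an ALTERNATE location against the manifest."""
    restored = build_manifest(restore_root)
    return {
        "missing": sorted(manifest.keys() - restored.keys()),     # incomplete
        "unexpected": sorted(restored.keys() - manifest.keys()),  # not backed up
        "corrupted": sorted(n for n in manifest.keys() & restored.keys()
                            if manifest[n] != restored[n]),       # not valid
    }


def demo():
    """Constructed sample data: three files, then a deliberately damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, restore = Path(tmp, "production"), Path(tmp, "restore_test")
        (prod / "finance").mkdir(parents=True)
        (prod / "finance" / "vendors.csv").write_text("vendor,account\nAcme,0001\n")
        (prod / "finance" / "payments.csv").write_text("id,amount\n1,100\n")
        (prod / "minutes.txt").write_text("council minutes\n")
        manifest = build_manifest(prod)   # store offline, alongside the backup
        shutil.copytree(prod, restore)    # stands in for the real restore job
        (restore / "minutes.txt").unlink()                             # lost file
        (restore / "finance" / "vendors.csv").write_text("altered\n")  # changed
        (restore / "readme.html").write_text("not in backup\n")        # extra file
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    print(demo())
```

An empty report (all three lists empty) means every file in the manifest was restored with identical contents.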

It’s time to start thinking about what your data is worth to your organization and what would happen if you were to lose this data to a cybercriminal. I would also encourage you to download your free copy of our whitepaper, Cybercrime: The Invisible Threat That Haunts Your Business, to learn more.

You can also email Rea & Associates for answers to your questions about Ransomware, cybersecurity and how you can keep your data safe from hackers.

By Travis Strong, CISA (Wooster, OH)