Cybercrime takes many forms: ransomware, malware, insider threats. But one of the most common is phishing and similar social engineering. It starts when an employee inadvertently clicks on a bad link, said Justin Caulfield, senior managing director, deputy treasurer, AIG, one of the experts who spoke at the AFP 2018 conference in Chicago about fraud and cybersecurity.
Eric Brelsford, a Federal Bureau of Investigation special agent focusing on cybercrime, said business email compromise (BEC) is more prevalent than ransomware or data breaches. Business email compromise, which exploits publicly known information about a company and its employees, usually targets a worker in the finance department who is duped into thinking he or she is conducting legitimate business.
And it's only going to get worse, even as companies spend more money trying to prevent cybercrime, said Kevin Richards, managing director, global head of cyber risk consulting at Marsh Risk Consulting. In 2017, companies lost $3 trillion to cybercrime, said Richards. That is expected to reach $6 trillion in 2021, equivalent to 6 percent of global gross domestic product, he added.
“We're going to pass $100 billion [spent] on people, technology, outsourcing and consulting to solve the problem. By every financial metric it has never been worse,” Richards said.
As scary as this sounds, there are ways to try to avoid becoming a victim, but it takes constant vigilance, the experts said.
Besides the necessary information technology spend, it's also important to have employees, not just the critical IT team, understand what to do if faced with something that doesn't seem right. “You need to create a culture of awareness and support,” said Caulfield.
Carmen Gay, director of global cash management at Anadarko Petroleum Corporation, said companies must foster a culture that doesn't punish employees if they might have fallen for a phishing scam, but encourages them to tell IT immediately. “Don't blame the victim. Hackers have every incentive to attack,” she said.
BEC fraud is sometimes called CEO or CFO fraud because the criminals impersonate high-ranking officials to pressure employees into carrying out the fraudulent emailer's instructions without question. But if employees know the CEO or CFO, they are more likely to spot a funny-looking email.
Jason Wong, vice president and treasurer of Tiffany & Co., said changing company culture helps to thwart cybercrime. One way is to encourage more interpersonal connection in the company. While it's easy to rely on email or other electronic communication, companies should try to arrange in-person gatherings with chief executive officers, chief financial officers and other high-ranking staff. Especially in big companies, people may not even know what their CEO looks like or how he or she acts.
“When a senior person sends an email, do you have to respond in five seconds, or can you think about the email and if it's consistent with their style?” Wong said. Companies need to train employees to look for what's OK in an email and what isn't. Look for warning signs: Is the domain different? What kind of instructions are they getting? Who is the email from?
When it comes to sending payments to vendors, encourage people to wait on sending payment, even if it comes from a seemingly reputable source, if something feels off. Double check the phone number, the email address, the routing numbers or other information, even if there is pressure to act immediately. Call the payee.
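As an added illustration (not from the article or any of the speakers), the warning signs Wong describes can be turned into a simple triage script that flags a message for the callback verification step above. The company domain, executive names and the two sample messages are constructed assumptions:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed example values: the company's own domain and the executives
# whose names BEC emails typically impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat ceo", "lee cfo"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|confidential|wire|new bank|routing)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True for domains that resemble the company domain without being it."""
    if domain == COMPANY_DOMAIN:
        return False
    core = COMPANY_DOMAIN.split(".")[0]
    # Undo the digit/letter swaps lookalike registrations rely on (1->l, 0->o, rn->m).
    label = domain.split(".")[0].replace("1", "l").replace("0", "o").replace("rn", "m")
    return core in label or edit_distance(label, core) <= 2

def bec_indicators(raw: str) -> list:
    """Return the warning signs found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive display name with external address")
    if is_lookalike(domain):
        flags.append("lookalike sender domain: " + domain)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append("reply-to differs from sender")
    if URGENCY.search(msg.get("Subject", "") + " " + msg.get_payload()):
        flags.append("urgent payment language")
    return flags

# Constructed sample messages: one impersonating the CFO, one routine internal note.
SPOOFED = """From: Lee CFO <lee.cfo@examp1e.com>
Reply-To: lee-cfo@webmail.example
Subject: Urgent wire - new bank details, keep confidential

Please process immediately; I am in meetings all day."""
LEGIT = """From: Sam Staff <sam@example.com>
Subject: Lunch menu for Friday

The cafeteria posted next week's schedule."""
```

Any non-empty result is a cue to pause the payment and confirm by phone using a number already on file, not one taken from the email.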
“Support is key. You need to say, ‘You have my support if you're not sure,’” Caulfield said.
Put together a written plan of how the company will react to phishing emails and BEC emails and test it. Gather a cross-functional group of different departments with IT for the test. “The more you test, the more you learn and adjust,” Caulfield said, since cybercriminals are always changing how they attack.
Brelsford said companies can also contact the FBI field office in their area and ask to speak to a cybercrime specialist or ask for an InfraGard coordinator, an FBI specialist who works with the private sector. The specialist will give tips on how to avoid being a victim and what to expect if a BEC happens.
But no matter the training you give to your employees, businesses can never buy 100 percent security.
Richards said that while a lot of time, money and energy is spent on mitigation, insurers have recently started to offer cybersecurity insurance as a way to transfer some of the risk and recover some of the financial impact.
At first, insurance wasn't a proper tool since it didn't cover all the effects of a cybersecurity attack. But that's changed. “The market has moved; the products have moved. This is a viable strategy to fill in that last part of the gap (avoidance and mitigation), where I can cover the financial impact of an attack,” he said.