Security Awareness

How Phishing Emails Led to The Theft of $23.5 Million from the U.S. Department of Defense

Phishing is commonly used to gain access to credentials to hijack email accounts for use in business email compromise (BEC) attacks. Once credentials have been obtained, the email account can be used to send phishing emails internally, with a view to obtaining the credentials of the main target. Alternatively, by spear phishing the target account, those steps can be eliminated.

If the credentials are obtained for the CEO or CFO, emails can be crafted and sent to individuals responsible for wire transfers, requesting payments be made to an attacker-controlled account. A common alternative is to target vendors, in an attack referred to as vendor email compromise (VEC). Once access is gained to a vendor’s account, the information contained in the email accounts provides detailed information on customers that can be targeted.

When a payment is due to be made, the vendor’s email account is used to request a change to the account for the upcoming payment. When the payment is made to the attacker-controlled account, it usually takes a few days before the non-payment is identified by the vendor, by which time it may be too late to recover the fraudulently transferred funds. While BEC and VEC attacks are nowhere near as common as phishing attacks, they are the leading cause of losses to cybercrime due to the large amounts of money obtained through fraudulent wire transfers. One attack in 2018 resulted in the theft of $23.5 million dollars from the U.S. Department of Defense.

In this case, two individuals involved in the scam were identified, including a Californian man who has just pleaded guilty to six counts related to the attack. He now faces up to 107 years in jail for the scam, although these scams are commonly conducted by threat actors in overseas countries, and the perpetrators often escape justice. The scam was conducted like many others. The BEC gang targeted DoD vendors between June 2018 and September 2018 and used phishing emails to obtain credentials for email accounts. An employee at a DoD vendor that had a contract to supply Aviation JA1 Turbine fuel to troops in southeast Asia for the DoD received an email that spoofed the U.S. government and included a hyperlink to a malicious website that had been created to support the scam.

The website used for the scam had the domain dia-mil.com, which mimicked the official dla.mil website, and email accounts were set up on that domain to closely resemble official email accounts. The phishing emails directed the employee to a cloned version of the government website, login.gov, which harvested the employee’s credentials. The credentials allowed the scammer to change bank account information in the SAM (System for Award Management) database to the account credentials of the shell company set up for the scam. When the payment of $23,453,350 for the jet fuel was made, it went to the scammers rather than the vendor.

Security systems were in place to identify fraudulent changes to bank account information, but despite those measures, the payment was made. The SAM database is scanned every 24 hours and any bank account changes are flagged and checked. The scammers learned of this and made calls to the Defense Logistics Agency and provided a reason why the change was made and succeeded in getting the change manually approved, although flags were still raised as the payment was made to a company that was not an official government contractor. That allowed the transfer to be reverted. Many similar scams are not detected in time and the recovery of funds is not possible. By the time the scam is identified, the scammers’ account has been emptied or closed.

The key to preventing BEC and VEC attacks is to deal with the issue at its source to prevent phishing emails from reaching inboxes and teach employees how to identify and avoid phishing scams. TitanHQ can help in both areas through SpamTitan Email Security and the SafeTitan security awareness training and phishing simulation platform. Businesses should also implement multifactor authentication to stop stolen credentials from being used to access accounts.

Tips for Effective Security Awareness Training

Providing security awareness training to the workforce is necessary for compliance and is often a requirement for getting cybersecurity insurance, but the real purpose of security awareness training is to reduce risk and avoid costly cyberattacks and data breaches.

To get the full benefits you need an effective security awareness training program, where susceptibility to phishing attacks is reduced and your resilience to cyberattacks targeting employees is significantly improved. To help you, we offer some top tips for creating an effective security awareness training program.

Security Awareness Training Must be a Continuous Process

Security awareness training should not be seen as a checkbox item for compliance. To be effective, training needs to be an ongoing process, where the training is reinforced over time. That if unlikely to happen with a once-a-year training session. Another reason for providing ongoing training is cyber threat actors are constantly changing their tactics and regularly come up with new scams. It would be unreasonable to expect employees to be able to recognize these new threats if they have not been covered in training sessions. Through regular training, provided in bite-sized chunks, you can make your employees are made aware of the latest threats which will help them to recognize them when they are encountered.

Make Sure Your Training Content is Interesting

Different employees will respond to different training methods. A classroom-based training session may be good for some employees, but others will respond better to computer-based training, infographics, videos, and quizzes. Keep your training varied to make sure it appeals to a wide audience and try to make the training interesting and engaging to improve knowledge retention, such as using storytelling to trigger emotions and the imagination, and don’t be afraid to use humor. Cybersecurity can be a pretty dry topic for many people and if they can enjoy it, they are more likely to retain the information and apply the training on a day-to-day basis.

Get Buy-in from the C-Suite

If you want to create a security culture in your organization, you will need to get buy in from the C-suite.  Any change in culture in an organization needs to start at the top. The C-Suite must be made aware of the importance of security awareness training and cybersecurity, and using data is usually the best approach. Using a security awareness training company that can provide data on the effectiveness of training at reducing risk will help. You will be able to prove the return on investment you are likely to achieve.

Conduct Phishing Simulations After Providing Training

Providing security awareness training is only one step toward developing a security culture and reducing risk. You also need to conduct tests to determine whether your training is being applied on a day-to-day basis, and the best way to test that is with phishing simulations. Conduct realistic simulations to determine whether the training has been effective. If employees fail simulations, provide extra training.

Do Not Punish Employees for Failing Phishing Simulations

Many companies operate a three strikes and you’re out policy for failing phishing simulations or penalize employees in other ways for falling for phishing emails. Around 40% of organizations take disciplinary action against employees for cybersecurity errors such as phishing simulation failures. Punishing employees for failing to identify phishing simulations often does not have the desired effect.

If you want to encourage employees to be more security-aware and create a security culture, creating a culture of fear is unlikely to help. This approach is likely to cause stress and anxiety, which can lead to the creation of a hostile working environment, and that does not help employees become more security aware. Further, when mistakes are made, employees will be much less likely to report their mistakes to the security team out of fear of negative consequences.

Conduct Real-Time Security Awareness Training

Training is likely to be most effective immediately after employees have made a mistake. By using a security awareness training solution such as SafeTitan, the only behavior-driven security training solution that delivers contextual training in real-time, you can deliver relevant training immediately and explain how a mistake was made and how similar errors can be avoided in the future. For instance, if an employee is discovered to be downloading free software from the Internet, an immediate alert can be delivered explaining why it is not allowed and the risks of installing software without approval from the IT department. If a phishing simulation is failed, employees can be alerted immediately, and it can be turned into a relevant training session.

Benchmark to Learn the Effectiveness of Security Awareness Training

Businesses conduct security awareness training to reduce susceptibility to phishing attacks and other cyber threats, but to gauge the effectiveness of the training there must be a benchmark to measure against. Conducting phishing simulations prior to providing training will allow you to measure how effective the training has been. You can use pre-training simulations to determine how many employees are falling for scams and the percentage of simulated phishing emails that are being reported. You can then reassess after providing training and can determine exactly how effective the training has been.

Security Awareness Training and Phishing Simulations are Not Enough

Providing regular security awareness training and conducting phishing simulations are important for improving resilience to cyber threats and will allow you to prove training has been provided for compliance or insurance purposes, but you also need to make sure that training has been absorbed by employees. Don’t just provide training – use quizzes to assess whether the training has been absorbed. You should also analyze the results of phishing simulations to identify any knowledge gaps that need to be addressed with future training courses. If employees are still falling for a certain type of scam, it could be your training that is the issue.

For more information about security awareness training, conducting phishing simulations, and to discover the benefits of real-time security awareness training, contact TitanHQ today for more information about SafeTitan. You can also take advantage of a free trial of the solution before deciding on a purchase.

Have You Created a Human Firewall?

It is important for security to implement an advanced spam filtering solution to block email threats such as phishing and malware, but security awareness training for the workforce is still necessary. The reason why phishing attacks are successful is that they target a weak point: employees. Humans make mistakes and are one of the biggest vulnerabilities as far as security is concerned. All it takes is for one phishing email to sneak through your defenses and land in an inbox and for the recipient to click a link in the email or open a malicious attachment for a threat actor to get the foothold they need in your network.

The easiest way to target employees is with phishing emails. The majority of phishing emails will be blocked by your spam filter, but some emails will be delivered. It doesn’t matter how advanced and effective your spam filter is, it will not block every single phishing email without also blocking an unacceptable number of genuine emails.

Phishing emails are used to achieve one of three aims: To trick individuals into disclosing credentials, to trick them into emailing sensitive data, or to trick them into installing malware. There are many tactics, techniques, and procedures (TTPs) employed in phishing attacks to make the emails realistic, convincing, and to get employees to act quickly. The emails may closely match standard business emails related to deliveries, job applications, invoices, or requests for collaboration. Spoofing is used to make the messages appear to have come from a trusted sender. Emails can spoof brands and often include the correct corporate logos, formats, and color schemes. While phishing emails include red flags that indicate all is not what it seems, busy employees may not notice those flags. Further, sophisticated, targeted phishing attacks contain very few red flags and are very difficult to identify. Even system administrators can be fooled by these attacks.

Businesses cannot expect every employee to be an expert at identifying phishing emails and other email threats, nor should they assume that employees have a good understanding of security practices that need to be employed. The only way to ensure employees know about security practices and how to recognize a phishing email is to provide security awareness training.

Security Awareness Training Improves Resilience to Phishing Attacks

The purpose of security awareness training is to make the workforce aware of the threats they are likely to encounter and to provide them with the tools they need to recognize and avoid those threats. Security awareness training is not a checkbox item that needs to be completed for compliance, it is one of the most important steps to take to improve your organization’s security posture and it needs to be an ongoing process. You could provide a classroom-based training session or computer-based training session once a year, but the TTPs of cyber threat actors are constantly changing, so that is not going to be sufficient. More frequent training, coupled with security reminders, newsletters, and updates on the latest threats to be wary of will ensure that security is always fresh in the mind, and it will help you to develop a security culture in your organization.

One of the most effective strategies is to augment training with phishing simulations. Phishing simulations involve sending fake but realistic phishing emails to employees to see how they respond. If you do not conduct these tests, you will not know if your training has been effective. The simulations will identify employees that require further training and the simulations will give employees practice at recognizing malicious emails. Reports from these simulations allow security teams to assess how resilient they are to phishing attacks and other email threats and will allow them to take action and focus their efforts to make immediate improvements.

SafeTitan Security Awareness Training & Phishing Simulations

TitanHQ can now help businesses create a human firewall through SafeTitan Security Awareness Training. SafeTitan is the only behavior-driven security awareness platform that delivers training in real-time and will greatly improve resilience to social engineering and advanced phishing attacks.

If you want to improve your resilience to cyberattacks, prevent more data breaches, and avoid the costs and reputation damage caused by those incidents, you need to be training your workforce and running phishing simulations. Get in touch with TitanHQ today for more information and get started creating your human firewall.

TitanHQ Completes Acquisition of Cyber Risk Aware

TitanHQ, the leading cybersecurity SaaS business, today announced its acquisition of Cyber Risk Aware. Established in 2016, Cyber Risk Aware is a global leader in security awareness and mitigation of human cyber risk, providing assistance to companies to train the workforce on how to protect the company network.

Cyber Risk Aware delivers real-time cyber security awareness training to staff in response to actual staff network behavior. This intuitive and real-time security awareness training reduces the likelihood users will be impacted by the latest threats such as ransomware, BEC attacks, and data breaches, whilst also enabling organizations to meet compliance obligations. Leading global businesses that trust Cyber Risk Aware include Standard Charter, Glen Dimplex, and Invesco.

The acquisition will further bolster TitanHQ’s already extensive cybersecurity offering. The combination of intelligent security awareness training with phishing simulations and TitanHQ’s advanced email protection and DNS security solutions creates a powerful, multi-layered cybersecurity platform that secures end users from compromise. This is the go-to cybersecurity platform for IT Managed Service Providers and internal IT teams.

“This is a fantastic addition to the TitanHQ team and solution portfolio. It allows us to add a human protection layer to our MSP Security platform, with a fantastic feature-rich solution as demonstrated by the high caliber customers using it. Stephen and his team have built a great company over the years, and we are delighted to have them join the exciting TitanHQ journey.” said TitanHQ CEO Ronan Kavanagh.

The solution is available to both new and existing customers and MSP partners at TitanHQ.com and has been re-branded as SafeTitan, Security Awareness Training. Cyber Risk Aware existing clients are unaffected and will benefit from improvements in the platform in terms of phishing simulation content and an exciting, innovative product roadmap.

Stephen Burke, CEO of Cyber Risk Aware, commented: “I am incredibly proud that Cyber Risk Aware has been acquired by TitanHQ, cybersecurity business that I have greatly admired for a long time. Today’s announcement is fantastic news for both our clients and partners. We will jointly bring together a platform of innovative security solutions that address the #1 threat vector used by bad actors that cause 99% of security breaches, “End User Compromise”. When I first started Cyber Risk Aware, my aim was to be the global security awareness leader in delivering the right message, to the right user at the right time. Now as part of TitanHQ, I am more excited than ever about the unique value proposition we bring to market”.

For more information on TitanHQ’s new Security Awareness Solution, visit www.TitanHQ.com/SafeTitan