Listen to our own Deb Ferguson on 93.3 WMMR as she tells the Delaware Valley why she’s “Not Your Average Listener!”
Now that people are no longer fooled by emails seeking help from friends stranded overseas or mugged in New York, scammers are looking for new ways to separate you from your money. And this time, they are thinking big—C-Suite big. The FBI estimated that from October 2013 through December 2014, companies lost a total of $1.2 billion to CEO Fraud. The FBI blames inadequate internal security measures as the number one reason for these losses.
In one instance, the director of accounting for a company in Texas wired $480,000 to an account in China because he received an email from the “CEO” directing him to do it. The email, however, came from an individual posing as the CEO. The scammer had hacked into the company’s server and spent months learning how the company worked and the relationship between the CEO and the director of accounting. He then emailed the director of accounting and made what appeared to be a normal request in the ordinary course of the company’s business. But for the scammer’s audacious request for $18 million to be wired to the same account a few weeks later, it might have continued unnoticed.
In another case, a magazine publisher lost $1.5 million. The accounting executive of the company sent the wire based on an email from the “CEO,” but prior to sending the second requested transfer, he asked the CEO if he had truly made the request, only to find that he had not.
Because these scams are targeted (known as spear phishing), they appear to come from trusted individuals, contain requests that appear normal, and are often not caught by spam filters because they are not mass-mailed.
In addition to standard internal control features for wire transfers that can and should be implemented, below are three practice pointers to help prevent this from happening to you and mitigate the loss if it does.
Employees need to be trained in the ways in which scammers operate. Typically these scammers will purchase a list of emails from the Dark Web and begin sending phishing emails containing malicious attachments (or links to infected websites) to hundreds of addresses. Once an unsuspecting employee opens the attachment (or clicks on the link) and the malware is installed, the scammer has access to the company’s network (at least as far as that employee’s computer can see into it). Depending on the level of access, the scammer may move on if nothing can be exploited, or proceed if the computer has access to company data, emails, and so on. Once the scammer decides to act, he may wait until the CEO/executive is away from the office, or simply alter the email address slightly to trick the non-observant receiver. For instance, email@example.com may become firstname.lastname@example.org.
Proper training to prevent these issues includes instructing employees not to open email attachments from a sender the employee does not know or recognize. In addition, employees need to be instructed to look for variations in email addresses when being asked to complete tasks that are critical to the company’s business, such as releasing sensitive data, giving access to portions of the company server reserved to departments other than the requesting party, and, most importantly, giving out the company’s money!
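The “look for variations in the email address” check above can also be automated at the mail gateway or in the finance team’s inbox rules. The script below is an added example written for this page, not code from Maragell or from any product the article mentions. It assumes a small executive directory and a trusted-domain list (the names and domains are constructed), and it flags three patterns: an address within two edits of an executive’s real address (for example “rn” in place of “m”), an executive’s display name on an address that is not the directory address, and a domain that closely resembles the company’s own.

```python
# Added example, not from the article: heuristic checks on an inbound From:
# header against a constructed executive directory, to surface lookalike or
# impersonating senders before a finance request is acted on.
from email.utils import parseaddr

# Constructed directory and domain list (hypothetical names and domains).
EXEC_DIRECTORY = {
    "Jane Doe": "jane.doe@example-corp.com",   # the "CEO" in this constructed scenario
    "Tom Lee": "tom.lee@example-corp.com",     # constructed CFO
}
TRUSTED_DOMAINS = {"example-corp.com"}
MAX_EDIT_DISTANCE = 2   # "exarnple" vs "example" is 2 edits; "c0rp" vs "corp" is 1


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _norm_name(name: str) -> str:
    return " ".join(name.split()).lower()


def classify_sender(from_header: str):
    """Return (verdict, reason); verdict is "ok" or "flag"."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return "flag", "sender address could not be parsed"
    domain = addr.rsplit("@", 1)[1]

    if addr in EXEC_DIRECTORY.values():
        return "ok", "exact match for a directory address"

    # Near-miss of an executive's full address (swapped letters, extra dot, .co for .com).
    for exec_addr in EXEC_DIRECTORY.values():
        if levenshtein(addr, exec_addr) <= MAX_EDIT_DISTANCE:
            return "flag", f"lookalike of executive address {exec_addr}"

    # Executive's name shown, but the address is not the directory address.
    for exec_name in EXEC_DIRECTORY:
        if _norm_name(display_name) == _norm_name(exec_name):
            return "flag", f"display name '{exec_name}' on non-directory address {addr}"

    if domain in TRUSTED_DOMAINS:
        return "ok", "internal domain"

    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= MAX_EDIT_DISTANCE:
            return "flag", f"lookalike domain {domain} (resembles {trusted})"

    return "ok", "external sender with no resemblance to the directory"


def flagged_senders(from_headers):
    """Filter a batch of From: headers down to the ones that need a second look."""
    flagged = []
    for header in from_headers:
        verdict, reason = classify_sender(header)
        if verdict == "flag":
            flagged.append((header, reason))
    return flagged


# Constructed sample headers; none are real addresses.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",        # genuine
    "Jane Doe <jane.doe@exarnple-corp.com>",       # rn in place of m
    "Jane Doe <jdoe.ceo.office@webmail.example>",  # name only, outside address
    "Accounts Payable <ap@example-corp.co>",       # truncated top-level domain
    "Vendor Billing <billing@partner.example>",    # unrelated external sender
]

if __name__ == "__main__":
    for header, reason in flagged_senders(SAMPLE_FROM_HEADERS):
        print(f"FLAG {header}: {reason}")
```

Three of the five constructed headers are flagged. A check like this complements, rather than replaces, sender authentication (SPF, DKIM and DMARC) at the mail gateway; its value is in catching the registered lookalike domain that passes authentication because the scammer legitimately owns it.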
Many firms provide on-site and online training.
Cyber security in the corporate world has become a yeoman’s task. As it pertains to CEO fraud, there are two primary fixes. The first is to mandate that company email accounts use two-factor verification. If the CEO’s account is accessed from anywhere that is not a recognized, secure location, as designated by the user, a second verification method would need to be entered (either a code sent via text to the CEO’s phone or a pre-printed verification code). This prevents a scammer from logging in from Starbucks. The second is to institute an internal control to require more than one person’s authorization for money transfers or expenditures. Whether it be a wire transfer, check, debit, or other material financial transaction, the approval process should involve two individuals who are privy to the request, purpose, and related specifications.
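The second fix, two-person authorization, is simple to state but easy to implement loosely (for example, letting the person who keyed the request also approve it). The following is an added example written for this page, not code from Maragell or from any payment system; the policy threshold, beneficiary list and identities are constructed. It enforces the two properties that matter in the Texas case above: the requester can never count as an approver, and a large or first-time payment needs two distinct approvers before it can be released.

```python
# Added example, not from the article: a two-person authorization gate for
# outgoing payments. Policy values and identities are constructed.
from dataclasses import dataclass, field
from typing import Set

# Constructed policy: anything at or above this amount, or to a beneficiary the
# company has not paid before, needs two approvers; smaller, known payments need one.
DUAL_CONTROL_AMOUNT = 10_000
KNOWN_BENEFICIARIES = {"ACCT-VENDOR-001", "ACCT-PAYROLL"}   # constructed


class ApprovalError(Exception):
    """Raised when an approval or release would violate the dual-control policy."""


@dataclass
class TransferRequest:
    request_id: str
    requested_by: str        # the person who received the "CEO" email and keyed the request
    beneficiary: str
    amount: float
    approvals: Set[str] = field(default_factory=set)

    def approvers_required(self) -> int:
        if self.amount >= DUAL_CONTROL_AMOUNT or self.beneficiary not in KNOWN_BENEFICIARIES:
            return 2
        return 1

    def approve(self, approver: str) -> None:
        # Separation of duties: the requester is never an approver, so one duped
        # employee or one compromised mailbox cannot complete a transfer alone.
        if approver == self.requested_by:
            raise ApprovalError(f"{approver} requested {self.request_id} and cannot approve it")
        self.approvals.add(approver)   # a set: approving twice still counts once

    def can_release(self) -> bool:
        return len(self.approvals) >= self.approvers_required()

    def release(self) -> str:
        if not self.can_release():
            raise ApprovalError(
                f"{self.request_id} has {len(self.approvals)} of "
                f"{self.approvers_required()} required approvals")
        return f"released {self.request_id}: {self.amount:,.2f} to {self.beneficiary}"


def demo():
    """Walk a constructed version of the Texas scenario: a large wire to a new account."""
    req = TransferRequest("WR-0001", "accounting.director", "ACCT-NEW-OVERSEAS", 480_000)
    outcomes = []
    try:
        req.approve("accounting.director")      # rejected: requester cannot self-approve
    except ApprovalError as err:
        outcomes.append(str(err))
    req.approve("cfo")
    outcomes.append(f"after one approval: can_release={req.can_release()}")
    req.approve("controller")                   # second, distinct approver
    outcomes.append(req.release())
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The approvers here are identities, not roles, so the control is only as good as the authentication behind them; that is where the first fix (two-factor verification on the accounts that approve) and this one reinforce each other.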
Even the most vigilant company will still find itself a victim. Traditional insurance policies contain some coverage for fraud protection, but as recent cases have shown (AF Global Corp. v. Federal Insurance Company), they do not include this new type of fraud. Some of the policies will only pay a claim if the fraud was the result of a traditional negotiable financial instrument having been fraudulently forged or stolen, such as check fraud. Therefore, it is important to review your policies and work with your insurance company to provide a policy that includes coverage for monetary losses incurred by an electronic breach.
If you do have such coverage, your insurance company will need to follow the evidence to learn how the fraud took place. Therefore, it is important to direct employees not to delete the emails related to the fraud. These emails can be examined forensically to help support your claim.
For more information relating to training, prevention, and investigation, contact the experts at Maragell at email@example.com.
Effective September 3, 2015, it became unlawful to conduct credit checks on nearly all potential and current employees if your business is located in the City of New York and you have more than four people on staff (including owners). As an employer, it is important to know the exceptions to this new limitation in the field of Human Resource Management.
What is actually prohibited? According to the New York Commission on Human Rights (“NYCHR”), the governing body for this Ordinance, an employer cannot obtain a consumer credit report and use it in the hiring process unless the position falls within a specific list of exceptions. According to the NYCHR, a consumer credit report refers to a credit score, credit accounts, bankruptcies, judgments, or liens whether obtained from a third party source or from the prospective employee directly.
While the Ordinance is being promoted by the City as the most stringent of its kind in the U.S., it does have its exceptions. The onus is upon the employer to document the exception used to obtain a credit check. The exceptions include:
It is important to consult an attorney or HR Specialist when making hiring decisions to determine whether or not you are complying with this, and other local, state and federal laws. Before you do so, here are a few practice points to get you started:
The NYCHR has issued an official Guidance about the application of the Ordinance (see http://www.nyc.gov/html/cchr/html/coverage/credit-history-legalguidance.shtml) and it is expected it will continue to update the public on this topic via its FAQ page (see http://www.nyc.gov/html/cchr/html/coverage/credit-history-faqs.shtml).
As printed in the New Jersey Law Journal Cyber Security Supplement (March 9, 2015):
When it comes to data breach activity, companies should be examining the Internet activity of their own employees—it is more than just Facebook and ESPN News. In two of our most recent cases, based on the Internet history alone, we discovered one employee was logging into the webmail accounts of the CEO and CFO (and using the financial information contained therein to negotiate a bigger raise for himself), and another, an IT administrator, had copied thousands of files to a thumb drive before he resigned and then ran Google searches on how to destroy key operating system files on his company laptop to hide the activity.
In both cases, the employees thought they had hidden their tracks by deleting their recent browsing history. But because a computer’s operating system maintains the URL addresses of the websites visited in separate files, and other operating system files record images of those sites, through the use of forensic tools, these disparate files were extracted, combined, displayed visually, and the story of their activity revealed. One ended with the employee being terminated, the other with the IT administrator haled into federal court after he surfaced at a competing firm.
While most forensic experts identify the information as the computer’s “Internet history” it is much more than just a compendium of web addresses. Because a number of Windows Explorer system files act in the same fashion as the Internet browser system files, when the “history” is extracted, information such as what files were viewed on a thumb drive or where the user went on the company server can often be determined. This user activity is betrayed by the formation of link files, which are created when a user inserts a USB device into the computer and opens a document from it or uses Windows Explorer to navigate to a location on the server. If an employee is suspected of stealing a customer list or other confidential or proprietary information, but the USB device is not available for inspection, the Internet history might seal his/her fate.
The history will also provide evidence of online document storage sites like Dropbox and Google Drive, and data backup sites such as Carbonite and Mozy. Whenever company file access activity on the employee’s computer matches that of visits to these categories of websites, it is best practice for counsel to issue preservation letters and/or subpoenas to prevent the information from becoming lost.
More sophisticated forensic software can also rebuild cached images of webpages and webmail messages just as the user saw them. Because webmail does not reside on the local hard drive, the only evidence that an employee was communicating with others about potentially unlawful activity or sending company documents to a personal email account might come from an examination of email fragments recovered from the Internet history.
Practice Point: The immediate preservation of a suspect computer should be the top priority for any in-house counsel, litigation counsel, Human Resources Professional or IT administrator. Electronic evidence is ephemeral and can be destroyed through the normal use of the computer. Permitting even the weekly updates by Microsoft to be installed can destroy essential evidence needed to prove a case. In short, to maximize the amount of available evidence in cases like those described above, the computer should be turned off and secured in a location where it cannot be accessed until a forensic bit-by-bit mirror image of its hard drive is created. If the subject of the investigation is suspected of downloading or actively running malware in an effort to harm the company (such as Cryptowall or other ransomware), the computer should be left running, but its power cord or battery removed (to keep its RAM intact for analysis).
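The “forensic bit-by-bit mirror image” in the practice point is only useful as evidence if it can be shown to be identical to the drive it came from, which is why an acquisition records a hash of the source as it is read and a hash of the finished image. The script below is an added example written for this page, not Maragell’s tooling; it assumes the source is a path that can be opened read-only (on Linux a block device such as a drive behind a write blocker, or an already-acquired file) and uses a constructed in-memory “drive” for the demo. In practice the copy itself is usually made with a dedicated acquisition tool; what this shows is the integrity record that any such tool should produce.

```python
# Added example, not from the article: a bit-for-bit copy of a source device or
# file, hashed as it is read and re-hashed from the written image so the two
# digests can be recorded and compared. Paths are constructed for the demo.
import hashlib
import os
import tempfile

CHUNK = 4 * 1024 * 1024   # read size; large enough to keep a drive streaming


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_source(source_path: str, image_path: str, chunk: int = CHUNK):
    """Copy every byte of source_path into image_path.
    Returns (bytes_copied, source_digest, image_digest)."""
    h_src = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(chunk)
            if not block:
                break
            h_src.update(block)      # hash the bytes exactly as they came off the source
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())       # make sure the image is on disk before hashing it
    h_img = hashlib.sha256()
    with open(image_path, "rb") as img:   # independent re-read of what was written
        for block in iter(lambda: img.read(chunk), b""):
            h_img.update(block)
    return copied, h_src.hexdigest(), h_img.hexdigest()


def acquisition_record(source_path: str, image_path: str, chunk: int = CHUNK) -> dict:
    """Produce the fields an examiner records alongside the image."""
    copied, src_digest, img_digest = image_source(source_path, image_path, chunk)
    return {
        "source": source_path,
        "image": image_path,
        "bytes_copied": copied,
        "source_sha256": src_digest,
        "image_sha256": img_digest,
        "verified": src_digest == img_digest,
    }


# Constructed stand-in for a drive: deterministic bytes plus a marker string.
CONSTRUCTED_DISK = bytes(range(256)) * 1024 + b"CONSTRUCTED-EVIDENCE"


def run_demo() -> dict:
    """Write the constructed drive to a temp file, image it, and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect-drive.bin")
        image = os.path.join(tmp, "suspect-drive.dd")
        with open(source, "wb") as f:
            f.write(CONSTRUCTED_DISK)
        # Small chunk so the demo exercises the multi-block path.
        record = acquisition_record(source, image, chunk=65536)
        with open(image, "rb") as f:
            record["image_matches_source"] = f.read() == CONSTRUCTED_DISK
        return record


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two digests are what go into the chain-of-custody record; a later re-hash of the image that no longer matches them tells the examiner the copy, not the original, has been altered. The script does not address the RAM caveat in the practice point: memory must be captured from the running machine, and imaging the disk afterwards is a separate step.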
Maragell Corporate Investigations was honored for a second year in a row by our peers in the legal community with a New Jersey Law Journal Best of 2014 medal for Best Computer Forensics Expert. On behalf of our entire staff, thank you to all our law firm clients who voted for us and who, year after year, allow us to help them become the smartest attorneys in the room when it comes to electronic-based evidence.
Despite pressure from business leaders and private detectives, the latest version of the New Jersey Senate Budget and Appropriations Committee’s “Opportunity to Compete Act” [SENATE, No. 2124] continues to impose restrictions upon New Jersey employers when advertising for, and interviewing, prospective employees as it applies to criminal records.
According to the Committee, it determined that “[r]emoving obstacles to employment for people with criminal records provides economic and social opportunities to a large group of people living in New Jersey, increasing the productivity, health and safety of New Jersey communities.” It also asserted “[c]riminal background checks by employers have increased dramatically in recent years, with estimates of 90 percent of large employers in the United States now conducting background checks as part of the hiring process…. and that [b]arriers to employment based on criminal records stand to affect an estimated 65 million adults in the United States with criminal records.”
Concerned by employment advertisements in New Jersey that include language regarding criminal records that either explicitly preclude or strongly dissuade people from applying, the Committee advanced its bill to the entire Senate to tackle these obstacles to employment.
If passed, the bill will preclude an employer (of 15 or more people) from requiring a job applicant to complete any employment application that makes any inquiries regarding the applicant’s criminal record during the “initial employment application” process. It will also preclude the employer from making any oral or written inquiry regarding an applicant’s criminal record during the initial employment application process. The term “initial employment application” means the period from advertisement through completion of initial interview.
If an applicant discloses any information regarding the applicant’s criminal record, by voluntary oral or written disclosure, during the initial employment application process, the employer may make inquiries regarding the applicant’s criminal record during the initial employment application process.
Notwithstanding the foregoing, employers should be aware that if the employment is for a position where a criminal history record background check is required by law, rule or regulation, or where an arrest or conviction by the person for one or more crimes or offenses would or may preclude the person from holding such employment as required by any law, rule or regulation, or where any law, rule, or regulation restricts an employer’s ability to engage in specified business activities based on the criminal records of its employees, the restrictions of the bill do not apply.
This last exception is key for many of our clients. For our non-regulated clients that send employees into regulated entities like banks, hospitals, and mortgage lenders, their contracts routinely contain clauses that require all employees to be screened and failure to produce proof of a background check can void the contract.
Hence, when advertising for a position, consider all job assignments the candidate may be obligated to fulfill. If a potential assignment is in a regulated industry where a background check will be needed, the bill’s restrictions on advertising and interviewing may not apply.
Maragell recently exhibited at the NJ State Bar Association Annual Meeting and Convention at the Borgata.
500+ guests stopped by to learn more about our computer forensic and investigative services, 160 entered the Treasure Chest prize giveaway for a chance to win a $100 gift certificate to the PI Gear online shopping mall, and 129 entered our fishbowl drawing for a chance to win an iPad mini and a free employee background check.
Congratulations to our winners:
Treasure Chest Prize–PI Gear Gift Certificate: Jonathan of NJ
1st Prize–$150 Background Check Certificate: Stephanie of Woodbridge, NJ
Grand Prize–iPad Mini: Doris of Freehold, NJ
We thank all our guests for taking the time to meet us and look forward to fulfilling their investigative needs.
Jeffrey Brenner, Esq., NJLPI, was quoted in the Philadelphia Inquirer Business section on January 8, 2014 regarding J.P. Morgan’s settlement with the government over its dealings with Bernard Madoff. Brenner, who investigated Madoff’s auditors in 2006, described how basic due diligence techniques revealed major red flags about Madoff’s operations, and how the same techniques can help today’s investors avoid becoming a victim. Read the article here: http://www.philly.com/philly/business/20140108_Due_diligence_crucial_in_investment_endeavors.html
Maragell Corporate Investigations’ Managing Principal Jeffrey Brenner, Esq., NJLPI, recently gave a presentation titled “You Found My Internet History? Tales from the Hard Drive” at the 21st Annual All-Day Fraud Training Conference hosted by the Philadelphia Area Chapter of the Association of Certified Fraud Examiners.
The presentation focused on six cases in which the early preservation and forensic analysis of electronic evidence changed the outcome of the litigation.