Manufacturing and Distribution Companies: Don’t Be a Sitting Duck for Cybercriminals
The latest cybercrimes are so sophisticated that they can make unwitting aiders and abettors of you and your employees. It’s not just money and sensitive personal information that are being stolen from right under victims’ noses, it’s also precious intellectual property. Every business is a target — that means yours, too — and your first line of defense is to acknowledge that fact.
Elevated risk for manufacturers and distributors
I often tell my clients that there are two types of M&D companies: those that have been hacked and those that will be. In CLA’s annual industry survey, 32 percent of respondents reported an information security incident, which is up from last year. We have every reason to believe that figure will be even higher in another 12 months.
No industry is safe, but manufacturers and distributors are especially attractive to fraudsters. One reason that manufacturers are such hot targets is their heavy investment in proprietary research and development — intellectual property is at the heart of a company’s value, and protecting it is critical to the financial future of the owners and the employees, families, and communities that depend on the health and sustainability of the company. The ferocity of global competition favors innovators, and some international players that can’t generate marketable ideas are stealing them to stay in the game. Such theft can bring a company and those who rely on it to their knees.
Manufacturers and distributors also have privileged relationships with suppliers, customers, and strategic partners, and those associations are attractive to criminals who see them as gateways to bigger and more lucrative targets. And with so many in the industry participating in the global supply chain, big sums of money are often exchanged via wire transfer or ACH transactions across borders.
I could terrify you all day long with stories of online bank account raids and information thefts that have crippled or closed businesses — but there’s good news, too: Most of these attacks are preventable.
Preventing wire transfer scams
How the scams work
Wire transfer scams are common these days, and they work best when they trick your employees into unwittingly participating in the fraud.
In one type of the scam, an email that appears to come from a high-ranking executive in the company (e.g., CEO) is sent to the CFO or an employee in the finance or accounts payable department with wire transfer capabilities, requesting urgent payment of an invoice. Everything about the email appears legitimate: the address, the sender’s signature, and the supporting attachments with amounts due and payable — but it in fact is sent from the scammer posing as the company executive. The employee processes the payment without giving it a second thought, unknowingly depositing the institution’s money into a fraudulent account. Usually he or she is eager to accommodate the “urgent” request from a ranking leader and responds dutifully and quickly.
In another method, a scammer impersonates a vendor who an employee directly transacts with on a regular basis. The imposter-vendor and the employee exchange niceties via email, possibly discussing personal details specific to that employee, then the “vendor” requests payment of an invoice attached to the email. The sham vendor often says the payment is overdue and that the employee needs to process it right away to avoid late fees or disruptions in service. Not wanting to disappoint after such an engaging and friendly conversation, the employee complies.
How the scam originates: quietly penetrating email systems
In most of these scenarios, the victim’s email has previously been hacked or compromised unbeknownst to the company. The fraudsters spend a great deal of time studying their victims, learning how they communicate, identifying who performs what functions, and eventually precisely targeting the employees with the ability to perform the wire transfer. They are so well prepared and in possession of so many personal details that it can be difficult to detect the fraud.
What you can do to protect your company
Manufacturers and distributors can implement several best practices to avoid becoming the victim in these scams:
- Communicate to employees about wire transfer scams and call on them for heightened awareness.
- Be on the lookout for “urgent” requests for payment or sudden changes in business processes, such as a vendor requesting payment outside of the normal protocols.
- Ensure that wire transfer procedures, especially those over a certain dollar amount and/or those to foreign banks or suppliers, require vendor call-back protocols.
- Engage a specialist to perform periodic vulnerability or penetration tests to determine if your system is susceptible to attacks and validate that controls are functioning as intended.
- Train employees to be skeptical of a request for payment, and instruct them to ask another individual with your company’s finance team to verify its legitimacy.
- Consider cyber liability insurance, understand policy definitions and exceptions, and ensure adequate coverage to keep your organization afloat in the aftermath of an attack.
The FBI also asks that any known compromise, regardless of dollar amount, be reported immediately by filing a complaint to IC3, a joint partnership between the FBI and the National White Collar Crime Center.
Preventing intellectual property and sensitive information theft
How online information theft works
Organized crime groups based primarily in Russia, Eastern Europe, and China are stealing and selling information such as intellectual property, payroll data (name, address, social security number, driver’s license number, bank account number), customer credit card details — whatever they can get their hands on. These are old-school but sophisticated hacks where your information systems are surreptitiously penetrated and freely accessed. Typically, the theft is initiated by tricking an employee into clicking on a legitimate-looking link that actually downloads malicious software and allows the hacker unfettered access to your network.
The way they go about this trickery is evolving into targeted con artistry. These days, hackers are creating fake social media personae, complete with connections and networks that all look authentic and even prestigious. A hacker may stalk an individual in your company to get a feel for his or her role and function, professional and personal interests, and other habits. With all this personal information at the hacker’s disposal, he uses his online character to make a connection with your employee. Then he sends a beautifully crafted email that precisely appeals to that employee, who is lured into clicking on the malicious link. Just like that, he has free reign over your bank accounts, intellectual property, customer data, and other sensitive information. And you won’t know it until the damage has been done.
What you can do to protect your company
- Instill skepticism in your people of every single online connection and transaction.
- Educate employees on the risks related to the latest con-artist types of attacks and what to be on the lookout for.
- Keep current on technical defensive measures such as firewalls, intrusion detection systems, and spam filters.
- Keep up-to-date on the anti-virus software on each device, and complete regular scans to keep them clean.
- Keep all network servers and PC workstations current with the latest security updates and patches.
- Encrypt sensitive data, such as intellectual property and personal financial information.
- Make regular backups of key data and systems and store them in a secure, off-site location.
How we can help
CLA’s manufacturing and distribution practitioners join forces with our firm’s information security specialists to develop best practices for wire-transfer policies and procedures. Our IT security consultants are trained and equipped with the most advanced software and tools to perform assessments on your system, root out vulnerabilities, and shore up security.