Another Financial Phishing Scheme
Incidents of security breaches and compromised systems are almost daily news. So much so that when we hear about a new email scam, it goes in one ear and out the other. However, when a company loses over $40 million as a result of a fraudulent email scheme, our ears perk up.
Ubiquiti Networks, a company headquartered in California, recently reported the loss. This company lost a total of $46.7 million as a result of what is commonly known as the “Business Email Compromise” or BEC. The fraudsters posed as employees and targeted the Finance department. As for Ubiquiti, they have recovered roughly $8.1 million and have hopes to recover an additional $6.8 million. That leaves their unrecovered loss currently at $31.8 million – an enormous amount of money! Nonetheless, the company stated that there is an ongoing investigation and they hope to recover more, if not all, of the money.
Most of the focus is on recovering the stolen money, which is a valid concern, but there are other issues closely involved with an event like this. For example, how did this affect their reputation? How much effort are they putting into recovering their reputation? Perhaps, because they are the victims in this situation, it may be difficult to see how it would negatively impact their reputation. However, it still taints their reputation, even if only slightly. Ubiquiti claims that no other data was compromised, yet customers and vendors may question the system’s security.
Also, there is the issue of company morale. What happened to the employees who wired the money over? Do they receive security training and get taught how to identify similar fraudulent requests in the future? Or is there no future for them at Ubiquiti? Will there have to be budget cuts to deal with this unexpected expense?
Security plays an important role within a company. People value security – for a good reason. An event like this brings the question of security to light.
Do you send funds to employees and vendors by EFT and ACH? Check your financial security process. Are there second-party or two-factor (telephone or self-directed email) confirmation steps in place?
Brian Abraham Senior Network Engineer