On May 21, 2014, the accounting director at AFGlobal Corp. in Texas read an email from his CEO asking him to work with the attorney for an outside auditor in “a strictly confidential financial operation.” The attorney soon contacted the accounting director and said that $480,000 was needed for due diligence costs pursuant to a pending acquisition of a Chinese company. The attorney sent an email with the wiring instructions, which the
About a week later, the attorney requested $18 million, at which point, the
accounting director became suspicious and told his supervisors.
It is probably no surprise that the “attorney” was an imposter and the email was
not from the CEO.
Risk managers schooled on the threat of social engineering would also
guess that the imposter knew a great deal about the company’s processes and
THREAT from
By Anne Freedman
Employees are the most vulnerable point for
any organization’s computer network, but
many organizations fail to pay enough
attention to the risk.
He in fact knew that the accounting director had a “long-standing, very
personal and familiar relationship” with the CEO, according to a lawsuit filed by
AFGlobal seeking to force its insurance company to repay it for its losses.
“We are now way past the old style of people trying to crack codes to get in
through firewalls. The hacking community realized that the weak point in any
defense system is the people element,” said Roger Miles, who teaches risk-related
psychology at Cambridge University and the UK Defence Academy.
“Ordinary employees simply do not have insight into the risk coming at
them. The hackers are pretty smart at understanding that,” said Miles, who also
researches and consults on risk perception, regulatory design and governance.
“Given the option between the effort of hacking code or getting the average
employee in the organization to hand you the key, they clearly see a better return
on time spent,” he said.
The risk is staggering.
The Experian Data Breach Resolution and Ponemon Institute found that
about 80 percent of all data breaches began with employee activity. Verizon’s