For cybercriminals, a laboratory represents a high-value target. Cybersecurity flaws in the laboratory put intellectual property at risk, along with confidential patient data, personnel data, and even billing records. Security breaches in the laboratory impact the bottom line, with damage to brand trust, penalties from regulators, and wasted research investment. Laboratory managers and IT staff must stay vigilant when it comes to cybersecurity.
As a cybersecurity professional, I’m tasked with tracking the latest threats and deploying best practices to protect Thermo Fisher assets and those of our customers. Each October, National Cybersecurity Awareness Month provides an opportunity to reflect on the current state of our cybersecurity efforts. By making our customers and business partners more aware of these threats, we become better equipped to fight cyber fraud. Today I’d like to share the latest on one of the most harmful trends in cyber fraud — Business Email Compromise (BEC).
Understanding cyber fraud and BEC
Cyber fraud is rampant today. It is any type of illegal activity or deception carried out using computers and the Internet. The FBI’s Internet Crime Complaint Center (IC3) 2018 Internet Crime Report details over 350,000 complaints of suspected Internet crime, with reported losses in excess of $2.7 billion. The report identified Business Email Compromise (BEC)/Email Account Compromise (EAC) as one of the fastest growing trends in cyber fraud. This trend is particularly troubling for ecommerce companies.
BEC is a sophisticated scam that begins when a fraudster compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques. Once access is gained, the fraudster uses this access to steal intellectual property or facilitate unauthorized transfers of funds. In 2018, the IC3 received 20,373 BEC/EAC complaints with adjusted losses of over $1.2 billion.
Best practices for protecting your company
BEC scams are constantly evolving as perpetrators become more sophisticated. With over $1.2 billion in losses reported through the IC3 last year, the stakes are high. With that in mind, here are some tips to protect your company and avoid becoming a victim:
Strengthen your authentication. Most examples of cyber fraud and BEC begin with a compromised email account, where a criminal gains access to information that facilitates the crime. Securing your accounts is a great first step in preventing cyber fraud and BEC. Laboratory data can contain valuable and sensitive information like company intellectual property or Protected Health Information (PHI). Strong passwords aren’t enough. Enable multi-factor authentication (MFA) to ensure that only you have access to your email, banking, and social media accounts. If MFA is an option for any of the services you use, enable it using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring. Additionally, consider changing your password protocol. Cybercriminals can run brute-force password attempts in bulk against a large group of email accounts. The National Institute of Standards and Technology (NIST) recommends using the longest password or passphrase permissible. Get creative and customize your standard password for different sites. Use password managers to generate and remember different, complex passwords for each of your accounts.
Check the details. While fraudsters have become more sophisticated in their tactics, poor grammar and spelling mistakes are still common in fraudulent communications. Cybercriminals can use stolen copies of company invoices to make their fake invoice appear realistic, so pay attention to the details. Look closely at email addresses and domain names to ensure emails are from the expected domain (e.g., thermofisher.com, not thermofsher.com). Cybercriminals can register domains that look like legitimate ones. They can set up linked webmail accounts in minutes and at low cost, making this an attractive option for cybercriminals. Watch for slight changes to the domain name, use of multiple fonts, and unusual formatting as indicators of potential fraud. Be especially suspicious of an email that conveys a sense of urgency or the need for secrecy. Statements such as “this is highly confidential” and “the transaction must be completed immediately” are intended to rush the recipient into acting, causing key indicators to be missed.
Be wary of changes to banking information. Sudden changes to the banking information on an invoice or purchase order from a known vendor are a red flag. Companies conducting legitimate electronic commerce will typically communicate banking changes well in advance of any invoice. If you receive an invoice or purchase order with updated banking information, without prior notice of the change, call the vendor immediately using a phone number you have on file (not the one listed on the potentially fraudulent invoice).
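As an added example (not code from the original post), here is a small Python checker that applies the two preceding tips to a constructed message: the sender domain is compared by edit distance against a hypothetical list of known vendor domains to catch look-alikes such as thermofsher.com, and the body is scanned for the urgency, secrecy and banking-change phrases the post describes. The vendor list, the phrase lists and the sample message are assumptions.

```python
import re

# Constructed list of vendor domains this organisation expects invoices from
# (hypothetical; replace with your own vendor list).
KNOWN_DOMAINS = {"thermofisher.com", "examplevendor.com"}

# Phrases the post singles out as pressure tactics and as banking-change signals.
URGENCY_PHRASES = ("highly confidential", "completed immediately", "do not discuss")
BANKING_PHRASES = ("bank account has changed", "updated banking", "new wire instructions")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one dropped or swapped letter in a domain gives distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@domain>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain this one imitates; None if exact match or unrelated."""
    if domain in known:
        return None
    for k in known:
        if levenshtein(domain, k) <= max_distance:
            return k
    return None


def bec_indicators(from_header: str, body: str) -> list:
    """Collect the red flags from the post that apply to one message."""
    flags = []
    dom = sender_domain(from_header)
    target = lookalike_of(dom)
    if target:
        flags.append(f"lookalike domain {dom} (resembles {target})")
    low = body.lower()
    if any(p in low for p in URGENCY_PHRASES):
        flags.append("urgency/secrecy language")
    if any(p in low for p in BANKING_PHRASES):
        flags.append("banking details changed: verify by phone using the number on file")
    return flags


# Constructed sample message modelled on the indicators described above.
SAMPLE_FROM = "Accounts Payable <ap@thermofsher.com>"
SAMPLE_BODY = ("This is highly confidential. Our bank account has changed; the transaction "
               "must be completed immediately using the new wire instructions.")
```

Running `bec_indicators(SAMPLE_FROM, SAMPLE_BODY)` flags all three indicators for the sample, and returns an empty list for a plain invoice from an exact known domain.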
Stay vigilant. The cybersecurity landscape is evolving fast. Cybercriminals are constantly changing tactics. New threats are always emerging, and new tools for prevention are continually being developed. Companies engaging in ecommerce must stay current. Engage your business partners and vendors. Ask what they are doing to help prevent fraud. Join a sector-based Information Sharing and Analysis Center (ISAC) to learn about the latest threats and hazards that could affect your business. Practice and promote good cyber hygiene throughout your organization.
What to do if you’re victimized
If you believe you’re a victim of cyber fraud and BEC, act immediately! Notify your IT organization of any potential breaches so that they can take steps to protect laboratory data and business systems. If an unauthorized transfer of funds has occurred, contact your bank and the beneficiary bank to report the suspected fraud and request a freeze on the transaction. File a complaint with the IC3 to begin an investigation. Report the compromised email account to your company security staff, and change your account passwords.
Through constant vigilance and increased awareness, laboratory managers and IT staff can help protect their intellectual property and valuable laboratory data from the threat of cybercriminals.
Steve Outten is Director, Security Operations, Corporate Information Security (CIS) Program at Thermo Fisher Scientific.