How to Mitigate Cyber Security Threats in a Fast-Paced World? Slow Down!

Dear Colleague:

While there are many important issues discussed through NAST, it’s a privilege to discuss the importance of mitigating cyber threats we may face as treasuries on a day-to-day basis.

As all treasuries are a little different, this specific example may not be applicable to all who will read it. However, it’s an excellent illustration as to why it’s critical to always be vigilant and take your time, especially with any electronic communication. If your office processes W9’s or similar documents, check out the scenario below. A special thank you to Jim Edman, Chief Information Security Officer for the South Dakota Bureau of Information and Telecommunication for providing great insight for this article.

A cybercriminal does research on a state government (aka victim). Since the emphasis is on transparency across most governments, they (governments) post contracts and invoices on the Internet. The cybercriminal researches potential vendors and state government personnel. Side note, we believe in open government, but it comes with certain risks that should always be factored.

Next the cybercriminal identifies a contract with the key players (vendor & state) and the document contains signatures on it. The cybercriminal identifies the payment cycle (in our case the 1st or 15th of every month) and the amounts that are consistently billed for. Next the cybercriminal creates a domain name similar to the vendor in question. Based on this information, the cybercriminal creates an email address to impersonate the key vendor player identified on the contract. Remember, the domain name is similar but can’t be identical to the true vendor.

The cybercriminal sends an email message to the victim (state, municipal or private sector). The message is intended to establish credibility for the impersonator and states with something like ‘we just changed banks, I need to change where our electronic funds are posted for our invoices.’ This message is sent near the invoicing date.

If the employee identifies the email address as fraudulent, the scam is over. If the employee makes a phone call or some other type of independent verification, the scam can also be stopped. If no additional checks & balances are in place, the state employee responds with a W9 or at some entities, the employee re-directs the cybercriminal to a web site where the W9 is available for download.

The cybercriminal fills out the W9 & sends it back to the employee. The employee updates the invoicing system. At this point, the cybercriminal doesn’t need to do anything else other than wait. Next, the legitimate vendor submits a legitimate invoice for payment. At which time the state (victim) processes the payment. The money is deposited into the cybercriminal’s account where it is immediately transferred out. Until the legitimate vendor makes a call asking, “Where’s my $$$?” the money will continue to be paid to the cybercriminal. This is a real-life scenario that has taken place.

While this example covers a W9, it could be most any document that deals with money in our offices. So, what are some action items that can be done to mitigate this type of scenario? First, slow down, take your time and check for the following:

1. Misspelled sender’s name
2. Mismatched sender and email address
3. Grammar or spelling mistakes
4. Suspicious links or attachments to the message
5. A web address that has a number in place of a letter such as a 0 instead of an O.

The most important steps we can take in the planning phase is to talk about threats and work with IT staff to conduct cyber security training. Training should emphasize phishing and recognition of impersonation scams. If you suspect spam, report it to your IT department for further investigation. It is also important to lead by example and create an embedded culture within the organization of cybersecurity awareness and vigilance. Everyone in the organization needs to participate in ongoing training to show that they take this issue seriously. Regardless of an employee’s position, they all have access to email and can open malicious files. No one is exempt from risk.

Don’t post invoices on the internet. And if you are required to post contracts to open government websites, please redact important information to the extent you are able. If you are dealing with account changes that affects the flow of money, require existing bank account information and supporting identification proof.

Attacks against all levels of government are real! You may recall some of these, but let them serve as a reminder:

1. 2011: The Paris G20 summit: An email containing a PDF attachment infected with malware was sent around the French Ministry of Finance. The virus infected around 150 computers with access to confidential G20 data (1).
2. 2012: US Office of Personnel Management: Two separate attacks were launched on the US Office of Personnel Management between 2012 and 2015. Hackers stole around 22 million records including social security numbers, addresses, and even fingerprint data (1).
3. 2019: Texas Local Governments Attack: Cyberattacks recently crippled nearly two dozen Texas cities have put other local governments on guard, offering the latest evidence that hackers can halt routine operations by locking up computers and public records and demanding steep ransoms (2). Government agencies that fail to keep reliable backups of their data could be forced to choose between paying ransoms or spending even more to rebuild lost systems.

I hope this article gave you some valuable information on such a critical topic. Remember to always be vigilant with online communication(s), and slow down!

Jim and I hosted a webinar for NAST last October during Cybersecurity Month. If you wish to view it for more tips, it’s archived here, along with three others in the series.

Josh Haeder
South Dakota State Treasurer

Sources:

1. The 7 Biggest Government Cyberattacks Since 2011
2. Cyberattacks on Texas Cities Put Other Governments on Guard, Kathleen Foody