Vestige and McGuireWoods law firm are presenting to the SAME BOSTON POST on October 3. Topic: What to Know Before the CMMC Auditor Arrives.


Cyber Risks to Small and Medium Businesses


Cyber Risks to Small and Medium Businesses

Author photo
by Anthony Merlino

Major retailers, medical providers and large financial institutions are all too often in the headlines for cyber breaches resulting in the loss of customer data, public trust and millions of dollars.  Everyone agrees that these institutions are constantly under attack by domestic and foreign organized cybercrime rings.

When my role at Vestige expanded into Cybersecurity, I was surprised to learn that smaller financial groups such as mortgage brokers, investment advisors, title companies and small banks are facing the same cyber security risks as the Fortune 500 without the protection of highly credentialed IT engineers, investigators, multi-million-dollar security hardware and software defenses.

Loosely organized criminal enterprises in Nigeria, India and the US have joined resources to defraud consumers out of $3.3 billion, an increase of $1.5 billion from 2019. [1]

As we have experienced in our investigations, these criminal enterprises are utilizing advanced techniques and strategies to get between our clients and their banks, suppliers, technology and even their clients.  Many small businesses, even sole proprietorships are targeted and become victims to structured, researched and detailed attacks.  I was surprised to learn that cyber-crime targets are stalked with the goal of creating very detailed profiles which enables the cyber-criminals to infiltrate the defenses that are in place.

In one of my first matters, Vestige was engaged by a client who had fallen victim to a Business Email Account Compromise (BEC). Here’s a brief summary of example small business cyber security risks:

Example 1: Customer/Vendor Payment Diversion  |  Business Email Compromise (BEC)

Upon reconciling and closing the books, the financial officer discovered a $107,000 wire transfer that he did not recognize.  He contacted the bank almost 35 days after the wire transfer had taken place.  The bank provided him the place as to where the money had been wired. A short internal investigation uncovered the fact that an individual in the organization that had access to sending wire transfers had received an email from the CEO with instructions on sending the wire.  However, that email did not originate from the CEO, but instead, was from an outside attacker.

Contained within the instructions was enough information that led the financial clerk to believe that it was legitimate.
The question became…How did the attacker have legitimate information that appeared they clearly were in on the party’s email system?   The next question was – which party – the organization or the vendor?

Vestige was engaged to investigate. In reviewing artifacts contained within our client’s infrastructure, Vestige hypothesized that the attack was not within our client’s infrastructure. That hypothesis, however, needed to be verified. A comprehensive review of the client’s environment confirmed this hypothesis to be true and the client’s legal team made contact with the vendor. This triggered a forensic examination of the vendor’s systems where it was indeed verified that the outside attacker had infiltrated the organization through the vendor’s system.

As a final result, the vendor’s cyber liability insurance carrier paid the claim reimbursing our client the full amount.

With Digital Forensics we had the ability to prove where the attack happened and assign accountability.

Good Cyber Hygiene

Good cyber hygiene can help protect against some of the less sophisticated attacks, but won’t protect against the most sophisticated and determined hackers.  Criminals are known to use multiple sources of publicly available data to create the detailed victim profile. The rise of social media and the publishing of personal details has provided a source of personal information that attackers will mine to decipher passwords and security questions used in hacks.  Many victims respond to seemingly harmless Facebook posts by providing the same information used in many challenge responses, such as pet’s names and the street name of your childhood home.  Common public sources of personal information are:

  • Linked In:  Employers, field of work, colleagues and acquaintances
  • Facebook: Personal information Home address, relatives, names and potential answers to password recovery questions.
  • Twitter: Political affiliations, employers, colleges and other schools ….

Once this information is mined by hackers, it can be leveraged in several ways.

In our cases, we have had hacker’s use the following methods:

Cell phone account hijack: With your basic information, hackers have contacted cell phone carriers and taken over accounts.  Franchise stores of major carriers have either participated in the scam or unknowingly created sim cards with clients account information that makes their attack cell phone act as though it were your cell phone. Once your cell phone has been completely hijacked, you will lose access to your calls and protections from two factor authentication.

Email account hijacking:  Using information gained in the cell phone takeover, attackers will break into your email accounts and make changes to your account, blocking you from regaining control from using the automated and in most cases, only methods provided by the major email providers.  Specific changes may be made to your two factor authentication settings, recovery accounts and other methods of proving your identity.   Once they have gained access to your email account, attackers assume your identity and look for opportunities to steal by providing instructions to others using your email account to impersonate you.

Spoofing attacks are another form of cybersecurity attacks and are commonly are used to trick the client into making a wire transfer to the attackers, instead of their anticipated and expected legitimate recipient.

In a spoofing attack, the recipient of the spoofed email is the victim.  The recipient of the spoofed email doesn’t know they are being tricked, with the attacker typically using a difficult to discern, minute difference in email address pretending to be from a known colleague or business associate.  Some of these spoofed email address alterations are hard to detect, such as using two of the letter v with no spaces between them to make it appear as the letter w to ward off suspicion.

Email Account owners typically won’t know they have been spoofed.  They will unknowingly fall victim to a phishing link, email password guesses or a hackers purchase of their password from the dark web. The hacker’s goal is to keep the email account holder in the dark as long as possible, while forwarding notifications from their theft targets to trash, taking all available measures to keep you from discovering that your account has been hacked delaying your need to begin the task of recovering your account.

Forwarding Rules changed: Once hackers gain access to the email account, they will sift through data for passwords, banking information.  Once they locate the valuable information, they will use your email providers forwarding capabilities to automatically route messages from known banking contacts so that confirmations and notices of from the bank aren’t delivered to the inbox. Typical rule changes will delete emails, export them, or send notifications directly to trash.  The hacker can then proceed to break into the asset accounts and make changes with notifications of those changes diverted from the victimized account holder.

Example 2: Cell Phone Compromise

Our client called us with a very dire circumstance.  His cell phone no longer worked, he was unable to get into his email and his wire transfers to and from his customers were missing along with his ability to log into his bank accounts to check the status.  Any single one of these problems can equal a very bad day, but imagine them all hitting simultaneously?

We begin each matter with a senior level consultation to discuss the matter and determine a pattern of attack.  The importance of cell phones to business and everyday life mandated that we begin there.  We contacted the cellular carrier and determined that one of their franchised branch offices created a sim card for our client’s account upon request.  The hackers were able to provide answers to the security challenge questions and the unsuspecting employees of the cellular provider’s franchise created the sim cards which enabled the hackers to gain access to the cell phones and consequently, their email accounts.

In this matter, the hacker targeted a title company in a large real estate transaction.  The hacker used a specific tactic called social engineering to impersonate a bank website and convinced the title company it was business as usual in a transfer of several million dollars. This type of hack is known as the “man in the middle” scam.

This attack started with a cleverly disguised spoofed email sent to our client.  The sending email address appeared to be a known legitimate source to our client. The email referenced an upcoming transaction and a need to execute a common task to further the transaction.

Our client clicked the message link that sent them to a website that appeared identical to the bank website they were anticipating.  The site they were sent to was actually a false front page to the bank they were expecting to be transferred to by the link.  The hackers had created a lookalike front page to the website the client anticipated visiting.

The false bank website Instructed our client to type in their credentials multiple times. Each attempted login failed even if they were accurate for the real bank website. While the client was entering the credentials, the hacker recorded them and entered our clients actual bank website.  Upon entering the correct credentials, the hacker was then challenged with the legitimate two factor authentication to enter our clients account.

After our client made several attempts, the fake bank website shows a popup notice, to call a phone number, and provide the two factor authorization code to access the account.  Unfortunately for the client, the phone number they called was the hackers pretending to be the bank.  Upon receipt of the accurate two factor code directly from the client, they were able to enter the account and transfer the assets.

Policies & Procedures Are Key

These and many other types of scams and hacks are preventable with good policies and cyber hygiene.  Policies and procedures must be created and strictly followed to successfully prevent cyber theft.  Fraud though hacking scams is a lucrative and growing enterprise that is highly profitable and doesn’t require a significant investment on the part of the criminal.  Tragically, many have lost significant sums and some have lost their life savings.  If you need assistance with developing policies or hardening your cyber defenses, Vestige can consult and develop improvements to protect your company and clients.  If you feel that something is not valid with a cyber-transaction, or you have become a victim of cyber fraud, please call on Vestige to investigate. The sooner you CONTACT VESTIGE, the better chance we have at recovery.


 By Anthony Merlino, BA, CCE, CCO, CCPA, RP

  Follow Vestige on Linkedin