Welcome to the FPPad RIA Cybersecurity Exchange! Here are the top cybersecurity threats we’re monitoring using the feedback from thousands of financial professionals. This resource is made possible in part because of the support of our sponsor above.
March 2016 Top Cybersecurity Threats
#1 Threat: Locky Ransomware (2 reports in 2016)
The Threat: You receive an email with a Word document attached that contains malicious macros. The message claims that an invoice is attached and requires your attention. Opening the Word document shows scrambled text and a prompt saying that macros must be enabled to unscramble it. Once the user enables macros, a malicious file is downloaded from the Internet, installed on the local machine, and encryption of files begins.
Your Tactics: This is a classic phishing email attack. Train your employees never to open email attachments from unknown sources, and never to enable macros in a Word document from an unknown source.
Thank you to Steven Ryder at True North Networks for the heads up on Locky ransomware.
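The macro-enabled attachment is the part of this attack that can be checked mechanically before a person ever sees the prompt. The script below is an added example written for this page, not code from FPPad or True North Networks. Modern Word files (.docx, .docm) are ZIP archives, and a VBA project is stored as the member word/vbaProject.bin, so its presence is a reliable offline test; legacy binary .doc files use the OLE2 compound format and need a dedicated parser, so the script quarantines those for review instead of guessing. The sample "attachments" are constructed in memory and are not real documents.

```python
"""Flag Word attachments that carry VBA macros before anyone opens them.

Added example, not code from the FPPad page. It assumes attachments arrive as
(filename, bytes) pairs from whatever mail gateway or mailbox export you use.
"""
import io
import zipfile

# Header of OLE2 compound documents (legacy .doc/.xls/.ppt).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# ZIP members that hold a VBA project in Office Open XML files.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_EXTENSIONS = ("docm", "xlsm", "pptm")


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML archive contains a VBA project part; False for non-ZIP data."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(member in names for member in MACRO_MEMBERS)


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'quarantine', or 'allow' for a single attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Binary .doc can hold macros but needs an OLE parser; hold it for review.
        return "quarantine"
    if has_vba_project(data):
        # Macro-enabled content, regardless of the extension the sender chose.
        return "block"
    if ext in MACRO_EXTENSIONS:
        # Macro-enabled extension even when the project part was not found.
        return "block"
    return "allow"


def scan_inbox(attachments):
    """Classify a list of (filename, bytes) pairs; returns [(filename, verdict), ...]."""
    return [(name, classify_attachment(name, data)) for name, data in attachments]


def _build_ooxml(members) -> bytes:
    """Construct a minimal OOXML-style ZIP in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples standing in for received attachments.
CLEAN_DOCX = _build_ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>"})
MACRO_DOCM = _build_ooxml({"[Content_Types].xml": b"<Types/>",
                           "word/document.xml": b"<w:document/>",
                           "word/vbaProject.bin": b"\x00placeholder-vba-project\x00"})
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 64


if __name__ == "__main__":
    report = scan_inbox([("invoice.docx", CLEAN_DOCX),
                         ("invoice.docm", MACRO_DOCM),
                         ("invoice.docx", MACRO_DOCM),   # renamed to hide the macro
                         ("invoice.doc", LEGACY_DOC)])
    for name, verdict in report:
        print(f"{name}: {verdict}")
```

The third sample matters most: renaming a .docm to .docx does not remove the VBA project, so the check looks inside the archive rather than trusting the extension. This does not replace the training advice above, since a document with no macros can still be a lure, but it keeps the "enable macros" prompt from ever reaching a user for the attachments it can see.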
#2 Threat: Inbound “Customer Support” Phone Calls
The Threat: You receive an incoming phone call from “customer support” of Microsoft, Dell, Lenovo, etc. claiming that your computer has been sending security messages about malware being installed on your computer. The “customer service” agent asks you to open a log file on your computer, which is a real file and actually does contain error messages, but the messages are benign. However, the “customer service” agent says this is confirmation that malware is on your computer, and you immediately need to download and install a “patch” to rid your computer of malware. The “patch” is actually malware and is designed to look like a legitimate patch from Microsoft, Dell, Lenovo, etc.
Your Tactics: Hang up! Do not follow the instructions of an inbound phone call from “customer service” claiming to be from a software or computer manufacturer. Hang up and call your provider’s 1-800 number as listed on their company website or on the company label on your computer. Do not install software “patches” unless you are specifically instructed to do so by your own IT administrator or your internal security officer.
#3 Threat: Client Spoofing
The Threat: Attackers are gaining access to client email accounts (through keylogging malware or social engineering) and sending withdrawal requests to advisers. Generally, the spoofed emails first ask about account balances at various institutions (to check the amounts available), soon followed by a withdrawal request for an emergency, unanticipated cash need, with the amount kept within the client’s portfolio balance. The spoofed messages claim that the client is unable to take phone calls or complete other means of authentication.
Your Tactics: Always authenticate client withdrawals, especially those initiated via email. Insist on speaking with the client using a phone number already on file. Better yet, use Skype, FaceTime, or a similar video call to visually confirm the client’s identity. Do not use a brand new phone number, as it may be spoofed. Consider asking clients a challenge question that you previously established and recorded in your CRM. Consider sending a confirmation code via SMS to the client’s mobile number on file and asking the client to confirm their identity using the code. Wherever possible, use a second factor of authentication other than email to identify your client (see http://fppad.com/2014/03/28/supports-two-factor-authentication-find-awesome-chart/).
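The SMS confirmation code is the tactic above that a firm is most likely to build into its own workflow, and the details are where it goes wrong. The class below is an added example written for this page, not FPPad's or any vendor's code. It assumes you already have a way to text the mobile number on file (a hypothetical send_sms hook that is not shown) and concentrates on the server side: a code that is random, expires after ten minutes, is stored only as a keyed hash, is compared in constant time, can be used once, and is revoked after three wrong guesses. The secret key and request ids are constructed for the demonstration.

```python
"""Out-of-band confirmation codes for email-initiated withdrawal requests.

Added example, not code from the FPPad page. Wiring to an SMS provider is a
hypothetical send_sms(number_on_file, code) call left to the caller.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 10 * 60   # a code is useless after ten minutes
MAX_ATTEMPTS = 3             # three wrong guesses revoke the code


class WithdrawalVerifier:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        # request_id -> (hashed_code, expires_at, attempts_left); codes are never stored in clear.
        self._pending = {}

    def _digest(self, request_id: str, code: str) -> bytes:
        # Bind the hash to the request so a code for one withdrawal cannot confirm another.
        msg = f"{request_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue_code(self, request_id: str, now=None) -> str:
        """Create a fresh code for this withdrawal request and return it for SMS delivery."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[request_id] = (self._digest(request_id, code),
                                     now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code   # caller: send_sms(number_on_file, code) -- hypothetical hook

    def verify(self, request_id: str, submitted: str, now=None) -> bool:
        """True only for the correct, unexpired, unused code for this request."""
        now = time.time() if now is None else now
        entry = self._pending.get(request_id)
        if entry is None:
            return False
        expected, expires_at, attempts_left = entry
        if now > expires_at:
            del self._pending[request_id]
            return False
        if hmac.compare_digest(expected, self._digest(request_id, submitted)):
            del self._pending[request_id]   # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[request_id]   # revoked; a new request must be started
        else:
            self._pending[request_id] = (expected, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    verifier = WithdrawalVerifier(secrets.token_bytes(32))   # per-deployment secret
    code = verifier.issue_code("WD-2016-0001")
    print("would send via SMS:", code)
    print("client replies with the code:", verifier.verify("WD-2016-0001", code))
    print("replayed a second time:", verifier.verify("WD-2016-0001", code))
```

Two design points worth keeping when adapting this: the code must go to the number already on file, never to a number supplied in the email, or the attacker who controls the mailbox simply asks you to text their own phone; and the code should confirm one specific request, which is why the request id is mixed into the hash.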
#4 Threat: Suspicious USB Flash Drives
The Threat: You find a USB flash drive somewhere near your business. The drive is either unlabeled or labeled “Personal and Confidential” or with the name of your business, so you are curious to see what is on it in order to identify its owner.
Your Tactics: Do not plug the USB flash drive into any computer. The USB flash drive may be infected with malware that will silently install itself when you insert the USB drive into a computer. Once installed inside your firewall, the malware can gather confidential information about your business and transmit the information to attackers over the Internet.
SEC OCIE’s 2015 Cybersecurity Examination Initiative
What happens when you get audited by the SEC? In its September 2015 update, the OCIE provides an extensive list of the types of documentation it requests when examining a firm for cybersecurity preparedness.
View the OCIE Risk Alert at https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
Here are several basic spot checks you can perform periodically in your firm to see whether any computers have been compromised by an attacker. This list is not all-inclusive, and if you have tips to share, please contact me.
- Buy reputable antivirus software, let it perform routine scans, and keep the antivirus definitions up to date (Windows includes its own Defender software).
- If you start your antivirus software but it immediately shuts down, your computer is likely infected.
- Check your web browser for third-party plugins or search bars that have been added, either by mistake or knowingly by someone in your office. Remove anything that isn’t supposed to be in the web browser.
- Your Google/Bing/etc. searches should stay on those sites. If you get redirected to some third party search tool, your browser is compromised.
- Monitor the programs that automatically start when you first log in to your computer. If you see a program or executable that isn’t familiar, Google its name and see if it is a legitimate program (part of the operating system) or if it is reported as malware.
- Have a security professional monitor your outbound network traffic. If any computers are sending information to overseas IP addresses, a security expert can detect that and trace the traffic back to the computer in your office that is sending it.
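The last spot check is the one a security professional would most likely automate, so here is an added example of what that review looks like over a connection log. It is written for this page and is not FPPad's code or any product's. It assumes a firewall or router export with one outbound connection per line (timestamp, source, destination, port, bytes sent); that format, the log lines, the firm's internal network, and the allowlist of expected destinations are all constructed for the demonstration, using documentation address ranges rather than real IPs. Instead of "overseas", which needs a geolocation database, it flags any external destination the firm has not declared it uses, and it separately flags a workstation that contacts the same address at a regular interval, since that check-in rhythm is typical of malware reporting to its operator.

```python
"""Spot-check outbound connection logs for workstations talking to unexpected
destinations. Added example, not code from the FPPad page; every address and
log line below is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Hypothetical firm LAN and the external services the firm actually uses.
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
EXPECTED_DESTINATIONS = [ipaddress.ip_network("203.0.113.0/24")]   # e.g. custodian portal

# Constructed log: timestamp,src_ip,dst_ip,dst_port,bytes_sent
SAMPLE_LOG = """\
2016-03-01T09:14:02,192.168.1.20,203.0.113.45,443,1820
2016-03-01T09:15:11,192.168.1.20,203.0.113.45,443,2210
2016-03-01T09:16:00,192.168.1.35,198.51.100.7,4444,512
2016-03-01T09:17:00,192.168.1.35,198.51.100.7,4444,508
2016-03-01T09:18:00,192.168.1.35,198.51.100.7,4444,515
2016-03-01T09:18:41,192.168.1.22,192.168.1.5,445,90000
2016-03-01T09:19:00,192.168.1.35,198.51.100.7,4444,511
2016-03-01T09:20:33,192.168.1.41,192.0.2.88,443,3100
"""


def parse_log(text):
    """Turn the CSV export into records with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts),
                        "src": ipaddress.ip_address(src),
                        "dst": ipaddress.ip_address(dst),
                        "port": int(port),
                        "bytes": int(nbytes)})
    return records


def is_expected(dst) -> bool:
    """Internal traffic and declared external services are not flagged."""
    return any(dst in net for net in INTERNAL_NETWORKS + EXPECTED_DESTINATIONS)


def looks_like_beacon(timestamps, min_count=4, tolerance_s=5) -> bool:
    """True when a host repeats contact at a near-constant interval."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= tolerance_s


def find_suspect_hosts(text):
    """Map each internal host to the unexpected destinations it contacted."""
    by_pair = defaultdict(list)
    for rec in parse_log(text):
        if not is_expected(rec["dst"]):
            by_pair[(rec["src"], rec["dst"], rec["port"])].append(rec)
    report = {}
    for (src, dst, port), recs in by_pair.items():
        report.setdefault(str(src), []).append({
            "dst": f"{dst}:{port}",
            "connections": len(recs),
            "bytes_out": sum(r["bytes"] for r in recs),
            "beaconing": looks_like_beacon([r["ts"] for r in recs]),
        })
    return report


if __name__ == "__main__":
    for host, findings in find_suspect_hosts(SAMPLE_LOG).items():
        for f in findings:
            flag = " (regular interval: investigate first)" if f["beaconing"] else ""
            print(f"{host} -> {f['dst']}: {f['connections']} connections, "
                  f"{f['bytes_out']} bytes out{flag}")
```

On the sample data the report names two workstations: 192.168.1.41 made a single unexplained connection, which may simply be a service missing from the allowlist, while 192.168.1.35 contacted the same address every sixty seconds, which is the one to pull off the network and examine first. In practice the allowlist grows as the firm documents the services it uses, which is itself a useful exercise.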
Want to know what the top risks are to your business and how to put appropriate controls in place? Refer to the Top 20 Critical Security Controls from the SANS Institute.
If you believe you have become a victim of a cybersecurity attack, consider reporting details of the attack to the following organizations:
- Your Chief Compliance Officer and Security Officer
- Your custodian, broker-dealer firm, and/or FINRA
- The SEC regional office for your area
- Local law enforcement
- Internet Crime Complaint Center (IC3)
- Financial Crimes Enforcement Network (FinCEN)
- Financial Services Information Sharing and Analysis Center (FS-ISAC)
- When appropriate, clients who may be affected by the cybersecurity attack
- Lastly, this website so other advisers can identify attacks
Do you have a cybersecurity tip to contribute? Are you seeing new attacks on your business? Tell us using the form below (name and email are optional, but credible tips are preferred).