Facebook & Google suffer $100m two-year scam

Sunday 30th April 2017
ScamJam: courtesy https://www.forbes.com/sites/adamhartung/2015/04/30/long-term-investors-should-prefer-facebook-to-google/#19abc6927555

Quite amazingly, the veteran organisations Facebook and Google were victims of a $100M phishing scam. According to the US Justice Department, the crooks forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the technology firms regularly did business, thereby tricking the companies into paying for computer supplies.

No-one is immune to phishing, says Fortune. IT security experts from AlienVault, ESET, Tripwire and Comparitech comment.

Javvad Malik, Security Advocate at AlienVault: “CEO/CFO fraud is where a CFO is sent a phishing email purporting to be from the CEO, demanding they immediately transfer some money to a third party. The concept of this heist is identical, albeit at a much higher level, with a lot more foundational work being put in place beforehand.

Therefore, it is not unexpected that many of the mitigation strategies would be similar in nature. These would include better third-party identification and verification processes, more stringent payment authorisations, and not just relying on email as an authority to process.”

Mark James, IT Security Specialist at ESET: “It’s a fact in today’s digital world that there is always someone trying to scam you. We fight it, we delete it, we even highlight it and use it to teach others what to look out for, but there is one thing humans are good at and that’s adapting. Most spam or phishing attacks end up a failure, but that’s the nature of these types of attacks: they don’t all have to succeed. For us to be safe we have to detect or block 100% of those attempts, but they only need to get one right. If someone puts their mind to doing something there is a good chance they will succeed, whether that’s education, business or foul deeds. The good thing about the latter is most of the time people get caught.

This particular plan involved forging email addresses, invoices, and corporate stamps in order to trick some big companies into believing they are dealing with the “right” company and handing over thousands; it just goes to prove that all companies large and small can be scammed.”

Paul Norris, senior engineer at Tripwire: “Phishing has long been a valuable technique for cyber criminals because both trained humans and detection software have difficulty identifying a well-crafted phishing email. However, the bigger problem across the board is user awareness. Organizations should implement training programs that help their users understand aspects of spam, phishing, and malware. A little bit of training can go a long way in this area.”

Lee Munson, Security Researcher at Comparitech: "Phishing or, more appropriately in this case, ‘CEO Fraud’, poses a huge problem to organisations of all sizes. While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here. That a non-technical business could be attacked in this way is, perhaps, forgivable but the same cannot be said for firms operating in the tech sector.

If the companies behind the $100 million loss are indeed Facebook and Google, it would be a surprise as, even if their teams are not completely alert to this sort of ruse, they should have a security department that can generate awareness around this type of financial fraud. Thus, while current disclosure laws may not require victims, in this case, to come clean about what happened - from a financial point of view - I certainly believe there is a public interest angle.

Investors in technology firms have a right to know that the business is managing its systems and people in an effective way that minimises risks that can have a significant impact - and CEO Fraud is relatively easy to identify and avoid - especially in this case, where the scam was allowed to continue unchecked over a two-year period."
