When businesses suffer account takeover (ATO), who picks up the pieces? In many cases, the cybersecurity branch of the FBI is the first to arrive on the front lines. And over the years, the FBI has had an unparalleled on-the-ground view of how fraud has evolved.
In this episode of Trust & Safety in Numbers, we chat with MK Palmore, the FBI assistant special agent in charge of cybersecurity for San Francisco. Why do businesses continue to fall prey to ATO? What could they do better? And how does the FBI help businesses guard against future attacks? Special Agent Palmore shares valuable learnings from his career.
Evan: Welcome to “Trust and Safety in Numbers,” presented by Sift Science where we chat with folks on all sides of the fraud fight. I’m Evan Ramzipoor here today with M.K. Palmore, assistant special agent in charge of the cyber branch of the FBI in San Francisco. Thank you for joining me. Today, we’ll be talking about what the FBI does to fight fraud in the context of the changing technology landscape. Specifically, we will be talking about what you’re doing to combat corporate account takeover. We’ll also talk about whether businesses should be worried about account takeover and how you can keep your data, and your customer’s data safe. Before we do that though let’s warm up with a weird fraud fact. Billing addresses located in the western part of the U.S. are more likely to be associated with fraudulent transactions than those in any other region. And which state has the most fraud in the country? Alaska. Wanna learn more about the fraudiest states in America? Check out the Sift Science blog for an in depth look. Now, onto our interview with M.K. Palmore.
So, let’s start with this. As we’ve seen a rise in online fraud, law enforcement has become a familiar invisible presence for businesses and also for consumers. Can you tell me a little bit about what corporate account takeover is and what the FBI is doing to fight it?
M.K.: Yes. So typically, what we see as it relates to what we call business e-mail compromise or corporate account takeovers are two aspects. Either we see threat actors or bad actors inserting themselves in the middle of critical negotiations, contract negotiations or financial discussions, and then delivering instructions for recipients to wire transfer funds or we see the full blown account takeover where threat actors have taken over e-mail accounts for unsuspecting corporate executives. And then subsequently taken those accounts and e-mailed folks in a fiduciary responsibility with instructions on wire transfers. And unfortunately, for as much as we continue to get the word out about this particular issue, we still see quite a bit annually in terms of executed frauds, frauds done successfully or successful attempts carried out against companies with fairly high profiles.
Evan: Have you seen more account takeover in recent years or have you seen more of a different kind of fraud? How common is this now?
M.K.: So, I would say that there was a big uptick probably during 2016 or the early part of 2016, and then it tapered off a bit at the end of 2016. And I would say that that tapering off was mostly because of an awareness campaign that I think not only the FBI, but other entities that push word out about fraud schemes were successful in getting the word out. So, I think we saw the height of the fraud takeovers as it relates to business e-mail compromises in early 2016. And although again we’ve seen a down tick or we don’t get as much in the way of calls about successful fraudulent attempts, I do know that it still goes on.
Evan: So when you conduct these investigations and you do get these calls, what are the common threats like, what are the most common ways that you’re seeing people being fooled by fraudsters?
M.K.: Well, first of all let’s take into account that threat actors are very diligent and skillful. The quality of the e-mails, if they’re inserting themselves in the midst of a negotiation or conversation, the quality of the e-mails are at their highest which means it would be very difficult for a casual observer to be able to tell that the e-mail is not coming from the source that you expected it to come from. So with that quality in mind, a common feature is, you know, for those firms or private entities that don’t have some kind of out of band communications or a formally instituted, two factor method of authenticating wire transfers, and what we see is typically the transfers will go out. They are typically time targeted to companies which means that the threat actors have some visibility on the availability of those that could validate the transfers. Typically, those folks are unavailable in meetings or just not available to communicate. They could be traveling long distances and somehow the threat actors have gathered enough information to give them insight on what that time table looks like.
The other factor that’s clearly present is a lack of awareness. So, in companies where you see successful executions of those kind of fraudulent account takeover typically, there’s been little to no awareness to the employee base as it relates to this particular problem. And I think that awareness piece is where specifically the FBI, and secret service, and other entities bring a lot to the table, and trying to make folks aware that these kinds of fraudulent schemes exist, and that they happen fairly regularly.
Evan: Interesting. Okay. So as people become more and more aware of these types of attacks and fraud fighting, technology kind of evolves and improves, we often see cybersecurity criminal enterprises evolving and improving too. The example that comes to mind is EMV chips. A lot of experts, at least partially attribute the rise in account takeover to EMV chips which were designed to stop credit card fraud. So, in what ways do you see fraudsters’ tactics evolving in response to this awareness and changing technology in today’s fraud landscape?
M.K.: So, tactical evolution is probably an accurate description. Fraudsters and bad threat actors will always evolve with what’s available to them. As I have described in other forums, cyber threat actors are experts on return on investment. So, if they realize that there has been an obstacle put in their place they will naturally evolve to a solution that makes it much easier for them to execute the frauds that they’re interested in engaging in. The other aspect of that is that most threat actors because they deal in such volume will almost always go the path of least resistance although we’re talking about a very intelligent threat actor. They’re not interested in spending a bunch of time on an exploit that they’ve had to spend either a lot of time or money on when they can simply use for example a spear phishing e-mail and achieve the same result. So, experts on return on investment and they will always choose the path of least resistance.
Evan: Definitely. So with all that in mind, what steps do you think businesses should take to stave off attacks and what steps should individuals take?
M.K.: Well, I like to continue to emphasize what I call information security fundamentals, you know, if CSO or director information security, if they’ve been empowered by a C-suite and executives and they’re able to do the jobs that they’ve been brought on to do typically, they can cover the basis on just the information security fundamentals. I mean, an effective patch management program and an effective password management or access management program, effective vulnerability testing, and then restructuring their risk based on the results of those vulnerabilities. If they’re in a position to do those things again, just the fundamentals, they find themselves in a better position than most. I think in those situations where you find chief information security officers or those in the information security apparatus not appropriately equipped or empowered to engage in their jobs, those are the times where you find folks with glaring vulnerabilities that find themselves out in the open.
The last piece of that and this is getting to be a little bit controversial because we don’t dig into it enough is the employee awareness or employee training aspect of it. And the reason I say it’s controversial is because some say that if you’re just gonna do basic training where you have employees log on to a system and go through some kind of computer-based training where there’s no interaction, then you’re kind of wasting your time. So, there has to be a deeper component to that where you’re not only evaluating their understanding of the risk that are out there on the landscape, but you’re giving them a reason to remember that those risk exist. You know, and some companies do it different, they gamify the process of teaching employee accountability as it relates to information security. I think those have achieved the best results, but some aspect of the employee awareness or employee training is absolutely important in covering the ground between the gaps that are provided between technology and the threat actors.
Evan: Absolutely. Thank you. So, let’s take a step back and talk a little bit about your career trajectory. You’ve had a really interesting career, I imagine as an FBI agent. If you had to pick the most important lesson you’ve learned during your tenure as a cyber crime fighter, what would that lesson be?
M.K.: That lesson would be don’t be afraid to dig into the books and study. I don’t come from a purely technical background, but I have been successful in getting to know at least academically a lot of the deep work associated with cyber security matters. And that’s because I approach it from a very academic standpoint in that if the material is out there, if there’s someone available to teach it to you, that’s a good starting point to begin to learn what the landscape looks like and how much you may need to then learn from a direct application standpoint. But a lot of people are afraid to dive into these fields because they fear that it’s gonna be too complex or too difficult for them to learn. And so, the biggest thing that I’ve picked up is that that is not the case. If you have the wherewithal to press through it, and you have some academic stamina, you can pick up a lot of what’s going on out there.
Evan: Excellent. Well, thank you so much for your time. I really enjoyed talking to you.
M.K.: Thank you.
Evan: Thanks again to M.K. Palmore for joining us on “Trust and Safety in Numbers.” Until next time. Stay vigilant, fraud fighters.
Your information will be used to contact you about our service and subscribe you to our direct marketing communications. You can, of course, unsubscribe at any time. Please see our Website Privacy Notice.