Could you help thieves steal millions of dollars from your own employer without even knowing it?
It’s the latest twist in a hacking scheme that has the feds concerned. So concerned, the Department of Justice allowed NBC6 cameras to document their top cyber security expert training dozens of local companies on how to stop this potentially devastating scheme.
The training took place in a conference room at the law office of Holland and Knight. The room was full of the top executives of South Florida’s most important companies. All of them were there to hear Michael Stawasz, the head of the cyber security unit for the Department of Justice’s criminal division, talk about how to prevent employees from causing financial disaster at their own companies.
“The insider threat remains the biggest threat,” says Stawasz, who explains that “you have to give certain people access to the system so they can use it for legitimate purposes. If they then misuse that access, they can do a lot of damage to your organization.”
We’re talking thousands, even millions of dollars in damage.
While bad employees can intentionally use their access to steal, a growing concern today is cyber hackers targeting honest employees via emails that impersonate colleagues or a boss in the company.
“It's very, very common to see phishing attacks that are very, very effective,” says Silka Gonzalez, President of Enterprise Risk Management and one of the organizers of the cyber security event.
These cyber experts showed us how easy it is for hackers to create e-mails that look identical to what you would receive from co-workers.
“Sometimes it becomes really difficult to identify whether it’s a fake email or not,” says Animesh Srivasdava, a cyber security consultant for Enterprise Risk Management.
Hackers then request money transfers, and unsuspecting employees comply. By the time the scheme is discovered, the money is usually gone and the culprits are tough to find.
Silka Gonzalez says hackers are everywhere.
“They can be coming from China, from Brazil, from Russia, they might be here in Florida,” she says, adding “the last one we saw was coming from Hialeah.”
To avoid being a victim, cyber experts recommend employees:
- Confirm transfers by phone or in person before making them
- Never leave computers on at the end of your day
- Use hard-to-decipher passwords
- Don’t enter unsecure sites
- Question suspicious emails, even ones that come from colleagues if something doesn’t seem right
Gonzalez says, “You need to think about different things you see in the email.” You should pay attention to things like grammar and the style of writing.
“Is the style similar to the style of the person that usually sends you that kind of request?” asks Gonzalez.
Experts say this scheme has been painful for a growing number of corporations. But for smaller companies, which are a top target for hackers, the scam can be financially catastrophic.