There are many pressing issues to be addressed. Do not change your passwords in panic. Do not delete the very data or information that will lead you to the hacker, do not block your hacker out, just yet.

Headers expire within 72 hours. Cyber Insurance is inaccessible without an immediate forensic investigation. Should you inform your clients? Most likely. Should you investigate the crime before erasing its existence in haste of protecting your systems?

Incident Response Procedure

Immediate action to take where funds have been paid out as a result of a scam

  • Contact your bank and the beneficiary bank. The bank may be able to prevent fund dispersal. Evidence your verbal notification to the bank by sending a follow-up email.
  • Do not assume that the sender’s email is hacked.
  • A fraudster has many methods to access information about a company. Cybercriminals observe and intercept communication. Informing about accounts payable is particularly targeted. As and when the opportunity arises, the hacker of your computer systems can spoof your creditor’s email to trick you into redirecting payment. A spoofed email does not require hacking or even access to the email account.
    • Do not rely on the in-house technology team. Contact Forensic investigators to investigate and preserve evidence.
  • Email headers expire within 24-72 hours.
  • Failure to investigate on time can compromise your claim or defence (as the case may be) vis-a-vis the creditor or debtor. Furthermore, cyber insurance requires proof of hacking. A failure to conduct a timely investigation would compromise insurance claims.
  • contact your legal advisors. There are a number of legal issues that the risk management team should address:
    • are you required to circulate a warning to your creditors or debtors? Consider its impact on reputation.
    • can you apply for a freezing injunction or a Norwich Pharmacal order against the bank?
    • what actions are you permitted to take vis-a-vis employees and management during the investigation period?

Prevention is better than Cure

When it comes to cyberfraud, prevention is not only better than cure, prevention is the cure.

Staff Training:

Ensure that staff who pay invoices and have the authority to request and approve payments, change bank details are vigilant.

Webinars – educating on the type of scams, company’s procedures and protocols, guidelines to help identify and prevent them.

Implement a formal data security policy as part of the employee handbook to draw attention to the data that should not be shared by telephone or email. The policy should be regularly reminded to employees by way of training.

Authentication policies:

Dual authentication of any out of the blue changes to financial arrangements:

  • Verify the account to which payment is to be made by contacting the payee using the established contact details which you have on file.
  • Establish a designated point of contact with entities to whom regular payments. All invoice issues must be raised with that person.
  • It is worth being extra vigilant in case of larger payments. Prior to payment, contact the authorized personnel at the payee entity.

Safeguards and Scam Detection

  • Minor and otherwise easily overlooked variation in the logos, bank account details, telephone number, and email address.
  • The content and appearance of letters and emails. Trust your gut. If it feels suspicious it probably is.
  • Guard information on a need to know basis.
  • Strictly enforce rules on the handling of sensitive information such as unnecessary hard copies, leaving invoices unattended.
  • Once the payment of an invoice is made it is best practice to inform that payee. Send transfer details of the payment made, including the name of the beneficiary bank, transfer reference and the last four digits of the account number to which payment was made.

Perform a Root Cause Analysis

How the incident evolved? Was it a failure of:

  • technology;
  • corporate training;
  • process;
  • person?

Lesson Learned

Investigate how the problem has arisen and how your policies could be changed to prevent a similar situation in the future.