A growing number of local Ohio governments are becoming victims of Business Email Compromise (BEC) schemes. BEC is a type of spear-phishing attack whose objective is to redirect money to a bad actor.
In a common version of this scam, a cybercriminal creates an email account that appears to be from one of the government’s actual suppliers. Using this email, the cybercriminal instructs the government to change payment instructions, steering the funds to a fraudulent bank account.
This page provides resources you can use to increase awareness, report a scam, and strengthen your government against cybercrime.
Steps to take if you become a victim of a cybercrime
• Report banking/payment thefts to your financial institution
• Report crime to your Local Law Enforcement
• Report to the FBI Internet Crime Complaint Center (IC3)
• Report fraud to Auditor of State Reporting Fraud
• Report to Adjutant General Cybersecurity
• Report suspicious activity, threats, or tips to the Ohio Homeland Security Cybersecurity & Infrastructure
• Review insurance policies to determine whether such losses are covered, and consider filing a claim depending on the size of the loss and your deductible.
• Review and revise internal policies and controls, and train or re-train employees, to prevent future occurrences.
Sample policies and free training
Cybersecurity is everyone’s job. Professionals in Finance and Administration, Legal, Human Resources, and IT must work together to develop robust cybersecurity policies that integrate technology with people and processes.
The Center for Internet Security (CIS) is a community-driven non-profit organization, and home to MS-ISAC. CIS provides information technology and cybersecurity sample policy templates, best practices for securing IT systems, and data and technical resources for IT professionals.
Ohio DAS has incident response and cybersecurity policies that may also prove helpful.
Free cybersecurity training for managers and technical professionals, from beginner to advanced
• FedVTE is a free online, on-demand cybersecurity training system providing cybersecurity training courses for federal, state and local government personnel. It includes basic training for managers and more technical training for IT staff.
• The U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) also provides online and in-person, instructor-led technical training at no cost.
Free employee awareness trainings for your cybersecurity program
• ESET, a global digital security company, provides an informative 90-minute interactive training, and employees receive a certificate upon completion. The National Cybersecurity Alliance has short, fun, cybersecurity awareness videos that you can use to educate your employees.
How can I avoid becoming a victim?
NEVER make a change to a vendor or employee’s contact information or banking information without independent verification. In-person communication is always the best practice for verifying identity and contact information. Never use email to verify change requests.
• Require in-person verification for payment-information change requests where possible. It is also best practice to use second-person verification where the vendor is not personally known to the paying agent: have the person or department that deals with the vendor directly also verify the identity and confirm the change request.
• If distance prevents verifying identity and contact information in-person, use only an independently verified contact person and telephone number. Do not use contact information from the change request; instead, find a phone number from a validated source such as a prior invoice or a regularly updated employee or vendor contact information listing. Another source for a valid telephone number is the company’s known website.
• When using a telephone call to validate the identity of an employee or vendor contact, always ask the employee or vendor a question related to past experiences or conversations that only they would know the answer to.
• Require secondary approval (internally) for all payment requests, payment instruction changes, and changes to employee or vendor contact information. The payment change initiation and payment approval functions should be done separately.
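The four controls above (verify in person or by a call to an independently sourced number, never trust contact details in the request itself, and separate the initiation and approval of a change) can be enforced as a pre-payment gate. The following is an added example, not code from the original page or from any Ohio agency; the vendor master record, the request fields and the sample data are all constructed for illustration, and the look-alike test is a plain edit-distance comparison that is assumed here, not a standard the page prescribes.

```python
"""Added example (not part of the original page): a gatekeeper that applies
the verification controls above to a vendor payment-instruction change
request. The vendor master record, the request fields and the sample data
are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VendorRecord:
    name: str
    email_domain: str     # taken from the vendor master, never from an email
    verified_phone: str   # number from a prior invoice or validated listing


@dataclass
class ChangeRequest:
    vendor_name: str
    sender_email: str
    phone_in_request: str        # number the requester offers for "confirmation"
    initiated_by: str            # staff member who entered the change
    approved_by: str             # second person who approved it ("" if none)
    verified_by_callback: bool   # paying agent called the on-record number


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_change_request(req: ChangeRequest, vendors: Dict[str, VendorRecord]) -> List[str]:
    """Return the reasons a change request must be held; an empty list clears it."""
    findings: List[str] = []
    vendor = vendors.get(req.vendor_name)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]

    sender_domain = req.sender_email.rsplit("@", 1)[-1].strip().lower()
    on_record = vendor.email_domain.lower()
    if not sender_domain.isascii():
        findings.append("NON_ASCII_SENDER_DOMAIN")   # possible homograph domain
    if sender_domain != on_record:
        if _edit_distance(sender_domain, on_record) <= 2:
            findings.append("LOOKALIKE_SENDER_DOMAIN")
        else:
            findings.append("SENDER_DOMAIN_MISMATCH")

    # Contact details inside the request are never trusted for verification.
    if req.phone_in_request.strip() != vendor.verified_phone:
        findings.append("REQUEST_SUPPLIES_DIFFERENT_PHONE")
    if not req.verified_by_callback:
        findings.append("NO_INDEPENDENT_VERIFICATION")

    # Initiating and approving a change are separate functions.
    if not req.approved_by.strip():
        findings.append("MISSING_SECOND_APPROVAL")
    elif req.approved_by.strip().lower() == req.initiated_by.strip().lower():
        findings.append("NO_SEGREGATION_OF_DUTIES")
    return findings


# Constructed vendor master entry and two constructed requests.
VENDORS = {
    "Acme Paving": VendorRecord("Acme Paving", "acme-paving.com", "614-555-0100"),
}
SUSPICIOUS = ChangeRequest(
    vendor_name="Acme Paving",
    sender_email="billing@acme-pavlng.com",   # 'l' in place of 'i'
    phone_in_request="614-555-0199",
    initiated_by="jdoe",
    approved_by="jdoe",
    verified_by_callback=False,
)
CLEAN = ChangeRequest(
    vendor_name="Acme Paving",
    sender_email="billing@acme-paving.com",
    phone_in_request="614-555-0100",
    initiated_by="jdoe",
    approved_by="msmith",
    verified_by_callback=True,
)

if __name__ == "__main__":
    for label, req in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, review_change_request(req, VENDORS) or ["OK"])
```

Note that an exact match between the sender's domain and the on-record domain clears only one finding; the request is still held until `verified_by_callback` is recorded, because email itself is never the verification channel.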
Regular backups – Back up the data on your system regularly. If your system becomes infected, you can restore it and avoid paying any fee to release your computer or its data. Store the backup somewhere other than the system itself, such as an external drive or a cloud backup provider.
Strong passwords – A strong password is long and uses symbols, numbers and a combination of upper and lowercase letters. Consider an easy-to-remember phrase such as ILikeMondaysInJuly! for your password. Never write a password down on a sticky note and attach it to your computer or screen.
Anti-virus software – Anti-virus programs, anti-malware, and pop-up blockers can help deter cybercriminals. Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
Up-to-date patches – Make sure application patches for your operating system, software, and firmware are up to date.
Email safety – Do not place personal email addresses on your website. If you need an email address listed, set up a catchall account such as firstname.lastname@example.org.
Trust and verify – Only download software, especially no-charge software, from sites you know and trust. When possible, verify the integrity of the software through its digital signature before installing it.
Unsolicited emails – Scrutinize links contained in emails and do not open attachments included in unsolicited emails. Hover over links to verify that the actual destination matches the displayed link text. When in doubt, go to the website itself rather than clicking the link (e.g., go to the official UPS site and type in the tracking number rather than clicking the link in an email).
No phishing – Use a phishing filter with your web browsers. Many web browsers have them built in or offer them as plug-ins. If your web browser does not include one, add one yourself.
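The "hover over the link" check above can also be run mechanically over an HTML email body before anyone clicks. The following is an added example, not code from the original page: it extracts every anchor and, where the visible link text itself looks like a web address, compares that displayed destination with the real `href`. The sample email is constructed, the non-carrier hostnames in it are placeholders, and the two-label "registered domain" comparison is a deliberate simplification (no public-suffix list).

```python
"""Added example (not part of the original page): a checker for the
"hover over the link" test applied to an HTML email body. It extracts each
anchor, and where the visible link text itself looks like a web address it
compares that displayed destination with the real href. The sample email
below is constructed; the non-carrier hostnames in it are placeholders.
"""
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[Optional[str], str]] = []
        self._href: Optional[str] = None
        self._in_anchor = False
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._in_anchor = True
            self._text = []

    def handle_data(self, data):
        if self._in_anchor:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_anchor:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._in_anchor = False
            self._href = None


def _host_of(value: str) -> Optional[str]:
    """Lower-case hostname of a URL or bare domain, or None if it has none."""
    v = value.strip()
    if not v or " " in v:
        return None
    if "://" not in v:
        v = "http://" + v
    try:
        host = urlparse(v).hostname
    except ValueError:
        return None
    return host.lower() if host and "." in host else None


def _registered_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html: str) -> List[Tuple[str, str]]:
    """Return (displayed text, real href) for links whose visible address
    points somewhere other than where the href actually goes."""
    parser = _AnchorCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.anchors:
        if not href or href.lower().startswith(("mailto:", "tel:")):
            continue
        shown, real = _host_of(text), _host_of(href)
        if shown is None or real is None:
            continue   # plain words, or a relative link: nothing to compare
        if _registered_domain(shown) != _registered_domain(real):
            flagged.append((text, href))
    return flagged


# Constructed sample: the first link shows the carrier's address but lands elsewhere.
SAMPLE_EMAIL = """
<p>Your package could not be delivered.</p>
<p>Track it here: <a href="http://tracking.example-logistics.net/t?id=1">https://www.ups.com/track</a></p>
<p>Or <a href="https://www.ups.com/track">visit the carrier's site</a> directly.</p>
<p>Questions? <a href="mailto:help@example.org">help@example.org</a></p>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {text!r} but goes to {href!r}")
```

Links whose visible text is ordinary words ("visit the carrier's site") are not flagged, because there is no displayed address to compare; the page's advice still applies to those, which is to type the known site address rather than click.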
Macro scripts – Disable macro scripts from files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office Suite applications.
“User Privileged” – Avoid using an account with Admin privileges. Always use an account with “User Privileged” access. This helps prevent some (but not all) malware from installing.
Remember – Most companies, banks, agencies, etc., do not request personal information via email.
Below are some definitions of cybercrimes and the recommendations for communities on how to avoid them.
Ransomware – Considered the biggest threat in the information security industry today. Ransomware is malware that is commonly installed on your computer when you click a link in an email. Ransomware holds your computer hostage by locking your screen or encrypting your files until you pay a specified amount of money for a key that will unlock your system. Infection usually comes from macros in Microsoft Office documents delivered via email. From December 2015 to May 2016, half of all ransomware attacks were in the United States, according to Microsoft.
Phishing – The practice of luring unsuspecting Internet users to a fake website by using authentic-looking email with the real organization's logo. The emails are loaded with viruses that launch when opened and typically include methods to trick you into providing your passwords or other financial or personal information. These usually look like emails from a bank, and once you “log in” they have your account information and can then gain access to your account to transfer money. Usually these types of emails are sent out in the thousands.
Spear-phishing – Spear-phishing is a more targeted form of phishing. Emails are designed to appear to come from someone the recipient knows and trusts, usually a colleague, and can include a subject line or content that is specifically tailored to the victim’s work. For high dollar victims, attackers may study their social networking accounts to gain further intelligence and then choose the names of trusted people in their circle to impersonate or a topic of interest to lure the victim and gain their trust. (Don’t friend people you do not know personally on Facebook, LinkedIn etc.)
Whaling – Spear-phishing targeted to high profile targets such as executive officers or elected officials within a business or government organization.
If you fall victim to a cybercrime, the first thing to do is report the payment thefts to your financial institution. Then notify local law enforcement, which, depending on your location, might be the sheriff's office or your local police department. The next step is to report the crime to the agencies listed below. Even if they do not respond with an investigation, they will want to log the details of the crime.
- Cyber Task Forces:
- Cleveland Office
- Cincinnati Office