Of Whales and Phishes

Written by Peter Kennedy, Director, for The Delaware Business Times

No doubt along with millions of others, I have many happy memories of visits to the American Museum of Natural History in New York City as a child, being amazed at the iconic Blue Whale that hangs from the ceiling.  I can recall pestering my father to buy a small Alaskan Brown Bear as a reminder of a fearsome exhibit.  The Museum is a cultural icon, established in 1869 by (among others) JP Morgan and Teddy Roosevelt’s father and sporting a governing board today that includes Tina Fey and Tom Brokaw.  With a staff of many hundreds, an endowment of $650 million and a $200 million operating budget, the Museum touts itself as “one of the world’s preeminent scientific and cultural institutions”; no argument here.

In spite of its size, reputation and presumed sophistication, in its June 2015 Form 990, the Museum was required to disclose that it had lost $2.8 million to an “e-mail phishing incident”.  Details are sketchy, but the Museum did report it was satisfied that this was not an inside job.

I’m sure by now most of us have seen the e-mails which arrive on a regular basis, appearing to come from an authority figure in the organization, requiring the immediate wire transfer of funds.  These have been with us for at least two years now and, while it’s a bit creepy to think a crook has taken the time to individually research an organization and construct a fraud attempt, the novelty has largely worn off and it may have dulled our sense of caution in dealing with e-mail.

$2.8 million stolen from a large and sophisticated organization takes the idea of an e-mail scam to a whole different level. The old saying that a man with a briefcase can steal more money than a man with a gun is now obsolete;  a man (or woman) with a laptop is more dangerous still and the crooks don’t even need to dress up in a suit anymore.  While details are not available on exactly what happened, someone must have spent a great deal of time researching and concocting this scheme.  It helps drive home this point: e-mail is not a secure means of communication (as if we needed it illustrated any further following the most recent election).

As far as how an e-mail system could be compromised, that is essentially a moot point.  They are vulnerable to any number of social engineering or direct attack schemes.  If a single employee clicks on the wrong link of a website or e-mail, it may very well compromise an entire network.  A friend of mine who worked in the defense industry told me his company had found viruses on blank CDs immediately after they were removed from their packaging – that was in the 1990s.  In the 2000’s thieves parked a truck with a satellite dish near two Marshall’s stores in Florida that were beaming information to a satellite and stole data on over 45 million credit cards.   Today you can get your credit card information stolen by walking too close to the wrong person in the mall.  With ingenuity like that, you have to wonder why these people chose dishonesty over legitimate employment.  That’s just what we know about; what other unguessed capabilities have been developed?

In theory, your e-mail system could be hacked without your knowledge, the criminals could monitor and bide their time – observing what types of communication occur, looking for whatever funding requests and authorizations might float by, and concocting a very convincing looking mimicked request.  The ability of theives to create authentic-looking e-mails should not be underestimated.  For financial control purposes, you must presume that your e-mail system is compromised and build systems around that presumption.  If your control system currently allows for the disbursement of funds authorized only by e-mail correspondence, it should be revisited.