This month’s fraud briefing welcomes Joshua Douglas, VP of Threat Intelligence at Mimecast. In this session, we will cover how to use technology, training and a culture of compliance as keys to lowering your risk profile. Watch the video or read the transcript for a lively discussion on these issues and tangible takeaways to enhance the security within your business and personal lives.
Full webinar transcript:
Tom Conkright: Hi everyone this is Tom Conkright with CertifID and I am excited that we have a special guest with us, Josh Douglas from Mimecast. A few housekeeping things and then we’re going to jump right into it because like every other monthly fraud briefing, we’ve got about five pounds of sand to fit into a three-pound bag.
Tom Conkright: So Josh and I are going to work through this as quickly as we can. Today we’re going to talk about some practical steps and tools that you can take to actually lower the risk profile through layers of technology and both employee and consumer awareness or customer awareness depending on what industry you’re facing.
Tom Conkright: The other thing I’m excited about is we have many different industries on the phone. So this is a grouping of not only our customers but some of the Mimecast customers as well. So welcome and I hope you find this worth the time most … because that’s the most precious thing we can take from you for the next 45 minutes.
Tom Conkright: So myself I’m the co-founder and CEO of CertifID, recovering lawyer, wire fraud victim. And we’re just on a mission at CertifID to really protect the payment ecosystem as it relates to large payments wire fraud and ACH.
Tom Conkright: Josh, so in the interests of full disclosure, Mimecast is a vendor of our companies, both Sun Title and CertifID. We’re a huge fan of their product because it actually works and we’re super-excited that Josh who is the VP of Threat Intelligence but what that really means is he is the guy that’s working between the lab teams and the tech teams and the product development teams to make sure that their solution is keeping pace and is relevant in market.
Tom Conkright: So Josh how did I do there?
Josh Douglas: You did awesome. And it’s great to be here.
Tom Conkright: Awesome. So we’re going to jump in and like I said, if you have questions, the last housekeeping thing, as I’m distracted now, the last housekeeping thing, if you have questions put those into the Go-To Webinar bar because we are going to leave ample time to go back and dive deeper into a topic that you’d like to explore further.
Tom Conkright: So here’s the agenda, it’s a packed agenda today. We’re going to talk about what’s trending like we do each month. We’re going to walk through this idea or concept of the layered approach to security and then Josh is going to dive into this concept of how do we move from just noise or chatter into actionable intelligence that we can use to lower our risk profile and make our companies and our customers more secure during the transaction process? And he’s actually going to give us a live example of a recent company profile and talk about how fraudsters are profiling and targeting organizations based on their level of cyber risk.
Tom Conkright: I’m going to share some examples of email monitoring and analysis of our organization to show you peaks and valleys of what bad actors are trying to do kind of knocking at the door. And then an action item regarding the workflow.
Tom Conkright: So while that was a mouthful, here are some current stats. So what we’ve seen, we have a lot of reports that have come out in the first quarter of this year regarding business email compromise and phishing and malware and those things. We’re going to pull out phishing because for a lot of us, and I think Josh you’ll agree, that our employees and customers and vendor partners tend to be the weakest or the most exposed link and they fall prey to phishing. And because of that we really do track these 76% of all businesses were saying, “Yeah we were part of some phishing attack.” Not just attempt. We’ve all seen attempts whether or not we recognize it. But we’re talking three quarters of the business population.
Tom Conkright: The FBI IC3 report, the internet cyber crime report came out a few weeks ago, we’re now tracking 13.7 billion in business email compromise. Remember business email compromise is a specific type of fraud that they’re tracking because it relates to the diversion of payments in the stream of commerce.
Tom Conkright: But also know this is about 15% of what’s actually happening. So only, yeah, around sorry yeah 15%. So 85% goes unreported if you look at the number another way. And then saw the stat this morning and I had to include it. 4.9 billion robocalls were made last month alone which lended itself to just under 15 per American with a phone number.
Tom Conkright: And I’ve noticed that on my cellphone is I’ll get a call and it looks like it’s coming from a local number maybe where I have an office or where I live but I’m not expecting that phone call. And not all of, some of those are just genuine market solicitations. But some of those, I think up near 40% have some type of malicious attempt.
Tom Conkright: And then the attack trends are moving a little bit as well or quite a bit. So there’s an 81% increase in financial account takeover where they’re trying to get into bank accounts or wallets or things on a digital basis. But look at this trend. 211% increase on mobile. So as this mobile phenomenon and just frankly the functionality of our mobile devices increases, they’re pivoting to that device more and more each year. 45% growth rate, overall on attacks. And then they’re always after kind of the login sequences.
Tom Conkright: So quickly some of the things that we’re tracking and that are kind of concerning. And this isn’t meant to be a 45 minutes of just, “Hey scare me to death” type thing because we’re going to talk about some practical solutions but you do need to be aware of these. Social engineering on mobile, they’re running vishing and voice, smishing, I mean there’s all these, there’s different acronyms that describe them now. But they’re using social engineering to try to get into the mobile device deeper. Even app cloning where you think you’re on banking app or some secure communication app and it could be redirecting that traffic.
Tom Conkright: Social testing for … or testing for social engineering. This has been kind of fascinating because they’re using artificial intelligence and machine learning to run this A/B kind of testing sequence to see hit rates and response rates and open rates and click through and all these different things. And they’re doing it to really create this … this really highly tailored, pitch perfect engineering socially. To make sure that your employees are seeing the most believable version of an email for them to immediately kind of in their minds credential and then the fraudster takes them down the rabbit hole of what they ultimately want.
Tom Conkright: And again you guys know I’m an optimist. And those of you I haven’t met, I am an optimist. But at the end of the day, these are kind of the threats that we need to continue to manage. And we’ll get into some spooking examples in a second.
Tom Conkright: So what … what Josh and I right now going to do is kind of walk through at a high level this idea of a layered approach to security. So if there’s vendor partner or a consultant or somebody that comes into your office and says, “You know what? I got a silver bullet because if you do this one thing then you’re not going to have an attack, your people are not going to get tricked and you or your customers or your vendor partner ecosystem will never lose a dime.”
Tom Conkright: And I’ll just tell you that I firmly believe that is just simply not the case. What I do believe is that we all have a standing risk profile that is rather high if we’re not doing anything. If there’s no education or awareness or technology. And we can start to layer in through different segments to lower this risk profile. So the first segment would be hardware for example. And I’m not going to go through all of these in detail. But proper routers and firewalls and intrusion detection.
Tom Conkright: And then it moves to software. Software like Mimecast has one, email monitoring and updates are so critical. Because a lot of times guys they’re updating for a reason. Not because they’re giving you more free stuff for the same price. They’ve realized that there’s a hole in it that’s been exploited and they need to patch that hole over. So updates and then virus detection so that things aren’t infiltrating your system.
Tom Conkright: Josh anything you want to add on the software piece before I move on to people?
Josh Douglas: No. Well maybe one thing. I mean having sat in the role as a CSO before, I can tell you that patching goes a long way when it comes to slowing down an adversary. It somewhat seems like it’s time-consuming and tedious but the return on that is significant that it does minimize the risk and is a value add to every company and something that they should focus on a day to day basis.
Tom Conkright: No good point. And then people. So our weakest link frankly in the chain tends to be our people and our vendor partners. And what are we doing to educate and kind of get a state of the union of the vulnerability or susceptibility that they may have on clicking through emails or links or things like that that may be nefarious but they don’t look like it coming in?
Tom Conkright: And then the end state is this creating a culture of compliance and curiosity where we’re just a little more … we’re a little more, I guess questioning if you will before we just open up attachments and random emails. Processes. So taking a clinical look at your internal processes. What about payment controls and data access and identity verification? And the ever-important now incident response? That if a payment is diverted to a fraudulent account or there is a breach of the perimeter of the system, what is the protocol? What is the sequence to react as quickly as you can and methodically as you can to mitigate whatever harm may be facing the organization or the employee or the customer?
Tom Conkright: And then Josh is going to talk about this, our partners. So hey, I’m doing everything I can internally, I’m phishing, I’m educating, I’m showing examples of this and that but man it’s this doggone and you can fill in the blank, this partner I have that is small and doesn’t get it and we’ve had many instances where it seems like their emails have been compromised, they don’t do anything about it. Well guys we have to do more as organizations to protect ourselves from that threat because that is going to continue to be the strategy is if they can find an ecosystem and the partners in it, they’re going to identify, those that are the weakest link.
Tom Conkright: Josh anything to add before I roll you in on the next topic?
Josh Douglas: Yeah. I mean I love this chart especially from the aspect of the people and the processes of what you can do directly every single day because that is the last mile inside of your company. Security awareness training is an extremely important aspect when it comes to making sure that your people are engaged and they understand security.
Josh Douglas: The processes are just as important. And they may seem overly simple and common sense but I’ve seen time and time again where those processes break down because people aren’t following suit on them. And thus, there’s financial losses in the company because of it. And when you do an after action and review of an incident, often it comes down to those things. People and processes that fail in basically the security aspects.
Josh Douglas: When it comes to software and hardware, they’re doing their job, they’re not going to be the fail safe. Really the people and processes at the end of the day are supposed to make that happen. And when it comes to your partners and you think about that you’ve amplified your security game, having seen this firsthand, basically the trends will trend off of you because you become a more resilient target and basically your partners become that soft, chewy center that they want to go after because they know that they have a direct connection with you.
Josh Douglas: And I was super-excited about this whole event because when Tom and I talked, my wife actually is in the business around real estate and title closings and I’ve seen this firsthand where basically these processes fall down and partners become the weakest link and financial loss.
Tom Conkright: No and we were talking about before, Josh the broadcast started, that this is a journey, there’s no end state to this, correct? And we’re going to continue to have to educate and really challenge these layers with new technology and strategies to keep pace with the evolution on the fraud side.
Tom Conkright: So the ideal state guys is not zero. I want to mention this. It’s not zero. It’s a manageable state. And you’re like, “Boy that’s kind of a bag of hot air. What’s the deal?” It’s because there’s no 100% certainty. But to Josh’s point if you’re up here, right? You’re going to be the target. If you’re down here, in real estate terms, do you want to be the house with the front door that’s cracked open? Or the house with the chain linked fence and the lights and the rottweilers out in front? Right? So that they just move on to the next target because you have done the work, you’ve made the investment.
Tom Conkright: And I will tell you, putting my legal hat on but not giving legal advice, courts are weighing in on this issue right here. They are going to start to deconstruct from a best practice standpoint what you did or did not do or should have done frankly. That’s common knowledge within your respective industry segments that could have either prevented or mitigated the loss. And you’re going to have to stand account now if there is a diversion or there’s some type of … some type of financial or other burden or loss that somebody experiences you’re going to have to be able to document and show that these things at least at some level were in place.
Tom Conkright: So Josh I’m going to hand this over to you and just let me know when you want me to advance the slide deck.
Josh Douglas: Awesome. Thanks Tom. Yeah so I think collectively like with everything in our lives, the more noise that we have, the less likely we are to understand what things are important. And the unfortunate circumstance is that as a security vendor or a partner, we often want to throw a lot of things at you. Be it more alerts or more threat intelligence. But ultimately what that provides is a lot of confusion versus what’s the most important to go after like Tom was just laying out, like the sequence. Tom if you go to the next slide please.
Josh Douglas: And when you start to think about threat intelligence as a whole and the indicators, the compromise that you may get, really that’s post-breach threat intelligence which means that you’re already compromised or you’re in the process of being compromised and that’s probably not the state you want to be in. And what happens is even when those indicators are provided to you, you may not have the right equipment to be able to ingest them, you may not be able to go and search for them, you may not even have the staff necessarily to go through all these steps.
Josh Douglas: So what you need to start thinking about is a different approach on how you consume threat intelligence. And there’s actually two forms of threat intel. There’s the standard threat intel where I look at an attacker’s arsenal and I try to understand what they’re going to shoot at me or how they’re going to compromise me in some approach.
Josh Douglas: But at the end of the day there’s another type of threat intelligence called counter-intel, which is even more effective which means I need to understand my risk and how an attacker views me like what Tom laid out a second ago. Which is understanding the things that they’re going after. So if we go to the next slide Tom.
Josh Douglas: Which means that that can drive actionable items. And that’s what I consider to be truly actionable threat intel. Which means that you’re going before you actually get compromised or are actually being targeted for compromise. Next slide. So we take the same mentality when we look across our entire portfolio of partners and customers that are our heroes because they’re at the front line every single day and we looked at the attacks that are coming at them. And what we found was very interesting when we saw the number of unique attacks.
Josh Douglas: Meaning things that are coming at them that are not being caught by commodity and virus scanners, other threat intelligence that’s giving indicators of compromise, and if you click next slide Tom. What we found is the ones that were getting targeted most were those third parties or basically soft centers that don’t have the resources necessary to defend against this. And then if you look at the other side of the spectrum on the left hand side, you start to see the whole thing transition. That’s because the attackers have started going from this mentality of target their primary target first and actually going after third parties.
Josh Douglas: Which means that you’re a link in that chain. If you’re actually a shop that either has taken somebody that has been working in operations, made them an IT person. Or maybe you’re actually in real estate as a whole and you basically are your own IT person or you’re actually kind of cobbling it together on your own, you’re a primary target for these individuals because you provide financial gain for them or even intellectual property. Next slide.
Tom Conkright: So we’re going to get into an example now Josh where you’re going to do a case study on an actual manufacturing firm. This is fascinating so I’ll let you run here.
Josh Douglas: Hey no problem Tom. Yeah so let me just fast forward I’ll explain it in a second, to the next slide. So we had a customer that we looked across manufacturing, in the previous chart we saw that it was large on the scale as being targeted. So we looked at manufacturing and said, “Well that’s interesting. They’re the biggest section here across our customer base.” What’s interesting about this? Well it jumped out to us immediately when we looked at the number of unique malware samples that were being sent. Mainly were going to a couple customers and one in particular, this customer x.
Josh Douglas: And we thought to ourselves, “Well maybe it’s the size of the company because they are pretty large.” So go to the next slide. But what we found is that when we took their users on average, compared it to all the other people in that same sample set, they still were getting targeted more than anybody else on a per use basis. Which kind of made us scratch our head a little bit like, “Why is that happening?” And we started wondering, “Well could it be that there’s some other external factor that’s causing this?” So we go to the next slide.
Josh Douglas: We looked at the data itself to understand, “What are they being targeted with?” So we took the mindset of, let’s look at the first set of intel that I talked about, understanding the attacker’s arsenal. And what was unique about this is that all the samples that made it past standard AV or basically other scanners that are commodity that most anybody can buy before they were caught by Mimecast. We ran them across another threat intelligence vendor to see if they recognized these samples or were able to target them right away.
Josh Douglas: And what’s fascinating was that only 10% of them were actually found. The other 90% weren’t. So we had to go and look at all these various different metadata components and understand exactly how they were related. And what we found is that we found all these unique pieces of malware that are polymorphic. Which means that they’re changing or that actor’s actually changing them so that way they can go after these targets. Next slide.
Josh Douglas: But that doesn’t really tell you anything at the end of the day. I mean it doesn’t tell most people anything at the end of the day. So we started trying to understand what was the intent? What were they actually trying to do? This manufacturer actually has a lot of connections. Be it across government or other businesses, and what we found was interesting was that they were trying to supplant what is called a Trojan, meaning that basically they can create a backdoor they can have lateral movement, meaning that once they’re inside, they can move anywhere inside your company.
Josh Douglas: And also allow them to steal additional information like passwords, they can actually grab information around … around bank accounts, and then they can utilize that information against other targets or other businesses. So next slide.
Josh Douglas: So that was fascinating but again I don’t think it still tells you the customer, the business owner, the IT person, very much. So what we wanted to do is kind of put that counter-intel mindset on and say, “Let’s go ahead and look at it from a risk standpoint.” Why are these lean IT targets being compromised or at least being targeted to be compromised?
Josh Douglas: So we found that there’s some reasons why. So we went ahead circled, “Well what’s one of the big ones?” So next slide Tom. So one of the reasons why is that all these larger companies, let’s say if we think about real estate and we think about the banks. The banks have a lot of money. It means that they have a lot of resources too so they’ve already facilitated a lot of defenses. They’ve amplified the game. Which means it leaves everybody else on the outskirts as the third party.
Josh Douglas: So to them this is a business as much as it is an opportunity to make money because they’ve already invested time and effort in creating these pieces of malware which are their toolkits. And in the process of going to one of these big targets, you know a larger company, a financial institution, they could potentially their IP, their intellectual property.
Josh Douglas: So if we take a moment to think about that, “Okay well why does that matter?” And I’ll give you a use case. So I had been working an incident before where we found an attack and were watching it live stream. And in the process we made some changes, we actually waited and made some changes across the board as a block, this threat actor. And we kept watching them. They actually had another backdoor that they were using too. They started changing the malware, pulling tools off of their tool shelf and putting them in on the fly until they were able to buy those additional security mechanisms we put in place.
Josh Douglas: And that’s interesting because if you don’t take the efforts to amplify up enough, they already have something right there to be able to get right back in. They also have the opportunity to impact you directly on a daily basis. So next slide Tom.
Josh Douglas: So we kept that counter-intel mindset and went a little bit further. Wanted to know who are the targets? Why are they being targeted? And how are they being targeted? So in this case, this is out of our product, we looked at all the impersonation attempts that were coming in. It happened to be that they were using an American Express email account to try to target salespeople. So that’s interesting, maybe they were trying to send them updates on their expense sheets. Or maybe they were trying to get the manager to click on something.
Josh Douglas: They are also sending it to the Chief Operating Officer who could have maybe been in charge of the finances there with the company as well as dealing with American Express. All very fascinating. They know their targets and they also know the kind of things that they do. Which means they’re not only going to impersonate people inside your company like your CEO or your COO. They’re also going to imitate and basically impersonate individuals that you do business on a daily basis with third party.
Josh Douglas: And Tom and I were talking about this because I mentioned my wife is in this business and I had been pulled into a security incident, through her for one of her clients. And the attack that I saw was fascinating. Because what I saw was that the realtor in this case had been compromised and basically facilitated a simulated wire transfer because they copied the entire template of the realtor. Got everything set up the way that it was supposed to be because they were already in that email account and then sent it along and the processes failed in that mechanism because it wasn’t stopped in that entire chain of events.
Josh Douglas: So we go to the next slide. So … let’s take it a step further. And let’s talk about some actionable things that you can start to do and you’ll start to see this in a moment. In this particular case, this customer had a lot of employees that had been using their email addresses in LinkedIn and Facebook. Their business email addresses. And it linked into this trick bot and it basically spread out everywhere. So it wasn’t that the company was compromised, it was the fact that there was bad behavior or at least a bad process that was put in place where a company or business activity was being extended into their personal lives.
Josh Douglas: And I know that this is often hard for smaller companies because they may only have one email address and they may use it in their personal life, they may use it in their business life, but I’d highly recommend that you think about this for a moment because what transpires is in the process of one of these companies that you can’t control, Facebook, LinkedIn, or any other social media platform out on the planet, if they get compromised and those passwords get lost and you use the same passwords and the same email addresses there, they’re going to be used against your business accounts. And you may be using Office 365 or you may be using Gmail or something like that.
Josh Douglas: Now you’ve just extended the problem of that compromise that was out of your control into your business life and now it’s your downstream customers. Next slide. So it’s all about digital fingerprints and you need to think about the things that you’re doing on a day to day basis and who you’re interacting with and how you keep some separation between those two. Next slide Tom.
Josh Douglas: So in this case, with our customer, we went back to them and gave them some recommendations. We said, “Hey look here’s some accounts that we found compromised, go ahead and force the password changes.” We also recommended if you’re super-paranoid, you can go ahead and change all the passwords so that way any of those that are getting targeted or being sent phishing emails, you can go ahead and just put them into the dumpster and go with a new process after you started training your staff.
Josh Douglas: You can also put things like, an [inaudible 00:27:22] in place, that’ll raise the bar a little bit. If you’re not using like Google’s … authenticator or Microsoft’s authenticator, that’s an option that you can go with. There’s plenty of other options out there. We also went back and said, “Hey look we’re looking at all the exposed email addresses that you have out there. You need to actually come up with a process and a follow through with your employees.” And what you need to do in that vein is start to get them engaged.
Josh Douglas: So at Mimecast we have our own security awareness product that we use and we engage with humor and micro-trainings. These sort of things are helpful, especially if you have a large staff to get them engaged. But on the other side of that, not only did we give them matching items about the things that had transpired up to that point of all these things that we were seeing but we also talked to them about the user behavior that we were seeing at their company.
Josh Douglas: And the chart on the right hand side is extremely interesting because what it shows is that orange line was the customer. And it means that their company was clicking on bad email links far more than anybody else in the Mimecast population per user and far more than even in their own industry. Which means that they had two things colliding. Basically outside forces that they couldn’t control with bad user behavior. Which means that they were getting targeted a ton and they had the opportunity to, with a lot of risk, to be able to click on things.
Josh Douglas: And Tom, I don’t know about you, if you’re seeing this sort of thing happen too, but didn’t know if you wanted to weigh in on some of that?
Tom Conkright: I want to go unplug my server from the wall. That’s all I want to do. No I’ll show you some examples. We actually thread in the first four months of email traffic and behavior. But I will echo in the same thing that that’s a bad trifecta. If you got curious people in a bad way that are clicking on everything, you’re going to get singled out of the target, the last leg on that stool is you’re going to have more instances where they’re knocking on your door. I think that’s a scary graph right there.
Josh Douglas: Yeah sorry. And I think that was the last chart Tom?
Tom Conkright: You can have the dashboard here. I’m curious if you can walk them through this.
Josh Douglas: Yeah no problem. Sorry. And now the gratuitous product discussion. So what we think about this at Mimecast as we’re moving forward in how we’re changing and our evolving thought around this is with our threat intelligence view is that what we want to provide our customers at the end of the day are actual items that they can take advantage of.
Josh Douglas: Understanding your risk score compared to everybody in your industry against … against your overall user base. Making sure you understand which users inside are the most risky as well as some of the things that you can do collectively like turning on security features maybe you’re not using. So if you’re a TTP user today and let’s say you’re using Attachment Protect or URL Protect or Impersonation Protect. Making sure you have some of those things turned on collectively.
Josh Douglas: I mentioned third parties for instance. So Impersonation Protect if you haven’t loaded in third parties that you work with, that gives you an opportunity to look for phishing emails that are coming in and impacting you. We want to be able to provide you things that help you before you get to the point of post-breach threat intelligence and what you need to be out of the noise. So next slide Tom.
Tom Conkright: That’s your last one. We’re going to move into the graphs so. So I will echo this and I’ll give some examples of how we’ve optimized the Mimecast product suite in our organizations but here’s an example of some of the reporting that you can do. So one of the main components that we use with Mimecast is this idea of email monitoring. And we’ve worked with their team to optimize it. So let me speak to these guys, let me speak to the real estate industry on the call for a second.
Tom Conkright: We taught on these keywords that you can pick up on that should be red flags. The word “kindly” the lower case “I” to signal someone on a possessive, like describing that person. Any change or update followed by wiring instructions. So all these sequences, we’ve actually loaded in. And so think about how granular this is. If an email comes in with a space followed by a lower case “I” and a space, it automatically gets flagged, it doesn’t go to our employee segment before IT reviews it.
Tom Conkright: So we can get that granular to show that, “Hey we can pull some traits out from what they’re doing.” So this is a live report, so I co-own Sun Title along with my partner Lawrence and just in the first four months of this year we had roughly 1,093,000 emails that went through the system. Almost to the number, 10% of those were rejected and flagged for either being malicious or potentially fraudulent.
Tom Conkright: But what’s interesting is they know our industry. Okay? So you think about [inaudible 00:32:31] Tuesdays and kind of Funding Fridays and Thursdays leading up to that. Look at these spikes at the beginning of the week. So look at your Tuesday, Tuesday, Tuesday. Here’s a weekend where … Josh you and I were talking about this, they may be running different testing or depending on the country that’s coming at you, they’re trying to make sure the email lands, or they’re just working the weekends. I mean look at this Thursday spike here. So just know guys I don’t believe anything is coincidental I think they’re refining and honing their craft relative to the industry that they’re focused on, right?
Tom Conkright: And as you go through even … if you look at the timing, those hours between two o’clock and five o’clock Eastern have more velocity than the mornings do of those Tuesdays and Thursdays. Because what do they want to hit? They want to hit the employee that’s just getting hammered that day, not because of anything I … everything’s out of their control, it’s just one of those sideways days and they just want them to not notice or slip up, click on the email, or rely on something that they shouldn’t.
Tom Conkright: So let me just dissect last month because the market’s getting busier, right? I think we got pretty compelling evidence here, look at that. Thursday, Thursday spike, and then we don’t have until the month end here. But you can see, and then they’re running, even [inaudible 00:33:56] Tuesdays and Mondays end up being a little bit higher. So just know that. I think this is pretty good evidence.
Tom Conkright: And here we’re running still just under 10% on a flag rate. Now if you don’t have a system like Mimecast, all of these … so that was an additional 110,000 emails that our people would have had to not only spend the time combing through, but would have had to have get every one of them right. Because you know what I didn’t get last month? I didn’t get a message from our IT group saying, “Hey we got a bunch of really good emails relating to closing disclosures and settlement statements and funding that didn’t go through and it started to screw up some deals.” Not one.
Tom Conkright: So all of these are bad and what Mimecast does because of the consortium kind of intelligence that it has, is that it starts to log that, they start to see patterns and they add additional layers and insights to filters before we’re even seeing it meaning, “Hey Amazon or Microsoft or some other big company is starting to see this trend.” It would flag that trend from that source or however they do that wizardry that you do Josh it’s amazing.
Josh Douglas: I like to call it community defense. So we love that aspect of the fact that we have a SaaS-based platform that can pull all of this together comparatively to anybody else in the industry to be able to give you that type of result.
Tom Conkright: Yes. And it’s not expensive. So there’s my plug there. So how are they coming in? Let’s use some examples of just how they’re coming in because like you say Josh mentioned, it’s starting with really well-crafted phishing and they’re piggybacking on brands of trust. And guess what? You’re a brand of trust within your little microcosm in the markets that you serve. Especially as to your customers and vendor partners.
Tom Conkright: So while these are some of the most well-known brands across the country, they’re doing more of a micro-attack to say, “Hey I just have to get into this transaction ecosystem that might only include eight people.” I.e. the real estate transaction. And I only have to be right once to compromise an account, Josh to your wife’s example and then someone’s going to believe that because the information was coming from an account.
Tom Conkright: So how did they get account access? We … this is the old, remember the Nigerian prince that lost his uncle and then if you would just accept $10 million over the weekend he’d leave you a million if you could just kind of wash it through the US. This is where phishing started going back into the early 2000s, people still fall for this even today. But it’s next level right now.
Tom Conkright: So just know it’s coming in forms of not only corporate but also personal phishing scams because they’re targeting your people. If they can get to the personal side, then they’re going to migrate to, Josh mentioned they’re going to migrate over into the corporate system. So here’s one from the IT desk basically saying, “Hey we’ve got a problem, I need your user credentials to complete some update.”
Tom Conkright: Next one is anything electronic document-related. That’s a real challenge that we have right now. Especially in the real estate space because we share surveys and HOA dues and … frankly purchase agreements. Almost every MLS has adopted one form of electronic delivery system for those documents. So I’m not saying we can avoid those but we have to be very suspicious as we open those.
Tom Conkright: Banking so here’s, “Hey all bad things happen unless you confirm your account because you’re not going to have access to your money.” And just, you got to unpack these but you have to unpack and have changes. I call it that the smallest nuances and emails matter right now. The capitalization or lack thereof, the sentence structure, the timing, to Josh’s point, the timing of the communication.
Tom Conkright: We train our people, do you normally get a closing disclosure on a Sunday morning from that lender? Or does that real estate normally communicate with you at three in the morning saying that, “We just signed this purchase agreement. I’d like you to start the title order.” You have to think about that.
Josh Douglas: And Tom if I may –
Tom Conkright: Which was the number? Yeah no go ahead please.
Josh Douglas: Yeah on those, I mean given that all of your work lives on this phone I’m sure, revolve around mobile devices too. We often see that the top subject line inside of a mobile device, the name, and it’s very easily masqueraded on mobile devices today for somebody to become somebody else. Just quick, make sure that that … that username matches up with the email address as well on your mobile device if it’s coming at an odd time because mobile devices, having done my own research on this, mobile devices are accounting for at least 50 plus percent of the clicks that are happening on malicious links and it means in our fast-paced world sometimes we have to slow down just a little bit to validate.
Tom Conkright: No that’s so true. Good point. This was the number one phishing lure from last year and it was just a generic invoice. So this is industry agnostic. It doesn’t matter if you’re in manufacturing, you’re in IT, you’re in healthcare, you’re in finance, whoever’s on the call. This is coming into someone maybe in your production group or your finance group or accounting or whatever it happens to be. And … I mean, Josh you’ve forgotten more than I’ll ever know about this but just by even hovering over long enough they may be able to gain insights and then drop a little something into your system that is not good.
Tom Conkright: And clicking on it could mean things even worse as that attachment opens up and it starts crawling around into different areas of the platform. Josh anything to add on just attachment links?
Josh Douglas: Yeah I think you’re pretty spot on on that. I mean it goes back to the tracking aspect too. And not to add more scariness to it but often what they’ll do if you have auto-images turned on in your email client that you automatically download pictures. They’ll use that to track on whether or not you opened up the email. And will continue to keep trying to send you stuff.
Josh Douglas: So like … at my own house and my wife and I talk about it, like if she doesn’t know the sender, it’s not an expectation, just delete it. If it’s important they’ll call you. The phone actually is a savior. We still have this great communication device that we can use as it goes beyond email as well so.
Tom Conkright: No that’s so true. Deactivation notice, but this is coming from some arrow state, this is that kind of hover over state that you can do not only on the desktop but also on mobile. But they’re also coming through the social platform. So here’s an example we just wanted to call out from somebody’s LinkedIn account where Wells Fargo is asking them to take some action relative to their account. Right? That is not going to happen.
Tom Conkright: It’s just simply a nominal, you have to think, “Have they ever responded like that or communicated like that in the past?” And the answer would be “No.” So main takeaways, again the layered approach can just reduce, just from a probability standpoint, the instances that you may face as an organization because it’s the slow caribou theory. They target the people that are the most exposed that are the easiest to pick off.
Tom Conkright: And to Josh’s point, this is not only a conversation internally, it’s really a conversation with the entire ecosystem. We had a lender that Brent, was it three times? I’ve got my IT manager in the studio here as well. Three times their system was compromised and we received fraudulent CD and wiring instructions that were either sent to us or sent to a buyer for cash to close. And finally had to stop doing business with that lender because they just couldn’t get it together. There was too much risk. And look, I don’t like to close the door on revenue opportunities but at the end of the day you just can’t do that.
Tom Conkright: So we have to have those hard conversations. Time does matter. I think to Josh’s point, timing is one of the best lines of defense, I’m going to get into that in a couple of minutes. And then using technology guys. Technology at scale creates so many efficiencies and also creates the risk reduction that you just can’t train enough around from a statistical standpoint to have the security layer and the performance that these well-honed technologies … and those are always moving and adapting in real time.
Tom Conkright: Just an investment we have to make. So I want to talk to you about risk reduction in the workflow. I’m going to use this as … I’m going to use this as a real estate-centric discussion. But for those of you in other industries, I’d like you to use this as more of an example of how we could unpack the workflow of a normal transaction and especially as payments and information flows, so you could see the parallels.
Tom Conkright: So let’s take the buyer’s side of a real estate transaction where this is residential and there’s a mortgage lender involved, okay? And you can see that on average we have, I’m going to peg it at about a 35 day transaction cycle. There’s two hot spots that you have to recognize in the real estate transaction. First is I list Josh’s house as a real estate agent and I have to … I have to activate that listing on the MLS. Right? I have to do that pursuant to my board rules.
Tom Conkright: Well when I do that it syndicates everywhere around the country. Around the world frankly. It goes to Trulia and Zillow and it’s everywhere, right? So the whole world knows that Josh is selling his house and I’m the superstar agent that got hired to do that. So two days later or two minutes later, depending on what part of the country you’re in, Josh accepts an offer and we have a buy sell accepted and now I have to go in and I have to move the active status to a pending or an active under contract, depending on the state.
Tom Conkright: Guys that click, that switch becomes the deal board or the beacon that the fraudsters are tracking in the real estate industry. Because it actively shows that we went from an active and now we are currently under contract and it starts to give the runway and the visibility to the ecosystem or the transaction partners they need to infiltrate.
Tom Conkright: And then as we approach closing, the ever-important … so you can think about this in other industries, leading up to closing or the full fulfillment of the contract or the swapping of the payment, right? And in real estate that’s closing schedule to full disbursement, the three to five day period.
Tom Conkright: So here are some layered examples that you can use. Mimecast sits at a high level kind of listening and monitoring and protecting as much as possible from even hitting the deck of the organization in the first place. Okay? So that spans the entire process.
Tom Conkright: Then especially in real estate if you read the court opinions and what’s evolving around the country, you have to have a notice in front of the buyer as quickly as possible. So we’ve now heard instances where within the first three or four days of a purchase agreement being accepted, not title order starting, purchase agreement being accepted, the buyer is communicated by what they think is the title company but it’s actually a fraudster. The fraudster has some amazing language in an email and their either earnest money deposit or entire cash to close them out gets wired before the end of the first week.
Tom Conkright: And we are simply not prepared as an industry for anything close to that right now. And we’ve heard now four instances in the last five weeks of this taking place from different parts of the country. We’re not even thinking about these transfers until typically the third or fourth week. Then a refreshed alert because there’s a lot going on here. There’s due diligence, there’s inspections. There’s lenders coming over to get a blood sample to make sure I can repay this loan. There’s just a ton going on, especially for first time home buyers.
Tom Conkright: We have to refresh it when cooler heads are kind of checked in and there’s a lot of that we’re on a smoother glide path to closing to say, “Hey we’re approaching this time when you’re going to wire in funds or transmit funds. Be aware of this.” We help our customers do that. And then our product verifies identity in real time and allows for the secure exchange of that payment information and we actually will stand behind each wire that’s certified up to a million dollars. So again, not moving it to completely mitigated but taking it from a high risk to more of a manageable stake.
Tom Conkright: To the organizational owners on the phone I’ll say this, we talked about earlier we’re going to have to account for what you did, didn’t do, should have done if somebody in a transaction loses funds. The idea if you unpack the decisions and the opinions and the theories of cases around the country, there are common denominators. Secure email, encrypted email is a common denominator, okay? The other is proper and timely notices to all people that this is an issue, what to watch out for, how to report it, and what you’re doing to prevent it.
Tom Conkright: And it’s simply from everything I’ve read and there are multiple, has been simply a lack of communication or transparency early in the process even though we all know it, right? NAR puts out the bulletin and ALTA and the American Bar Association the mortgage bankers, everyone knows about it but what are we doing to communicate that down at a ground level to the people that are actually targets. Because your customers are the target of a lot of these frauds. Josh anything you want to add here?
Josh Douglas: You explained it perfectly Tom. That was awesome.
Tom Conkright: Okay. And it’s industry agnostic guys. I was on the phone with a partner in a law firm, manufacturing customer wires to a supplier, this was Tuesday of this week and supplier didn’t get the funds. Supplier saying, “I’m not shipping the goods.” And the company saying, “Well I sent pursuant to the wiring instructions or the payment details that you gave me in the invoice.” And it happens to be that the supplier’s email was compromised and now we’re in this tug of war of who’s ultimately responsible and you don’t want to get there.
Tom Conkright: The seller side, so I know there’s a little nuance on buyer side and seller side in real estate. There’s still that same hot spot because there’s so much information we can find online. But again, Mimecast sitting over and kind of listening and protecting the information that should not hit our people and our customers in the first place. But then a fraud alert and then where CertifID can be used to identify individuals and payment credentials before funds move.
Tom Conkright: All right we’re going to get to questions and we have several. So our next set of fraud briefings look like this. We’re going to go through some heavy stats in June. I’m going to unpack, this one’s going to be fascinating, it’s a ton of work but I’m getting through it. What happened in the courts last year and what’s trending around the liability if there is a payment loss? And … it’s been very interesting between the federal and the state courts of what’s taking place.
Tom Conkright: We’ll have a guest speaker in in September for E&O and cyber insurance. I can tell you something guys, that industry is pivoting in real time around these losses because they completely and they couldn’t have estimated it right? Completely underestimating of social engineering in business email compromise. So I could do another hour on that. I’ll leave it at that.
Tom Conkright: And then you notice we’re going to skip the month of July because everybody’s going to be at the lake anyway? And then data security and best practices, we’re going to drill into some of those things and then November we’re going to set up for some really actionable and strategic items. So a lot of times we have that we’re planning in December and early January, we want to help you plant some seeds or categories of things that we should be thinking about taking on based on what we’ve seen in 2019 and things are trending in real time as well.
Tom Conkright: So first question is what is the ultimate reason for a robocall and what are they trying to accomplish? So I’m sitting at my dinner table about nine months ago. And if you’re trying to reach me on my home number it’s never going to happen because I’ve never touched that phone in three years. But we still have one and that’s a debate I have ongoing in my household. So my wife is … we’re finishing dinner and she says, “Hey do we owe the IRS money?” I’m like, “I don’t think so. Wrote them a big cheque.” She’s like, “Well we got this message on the machine and you should listen to it because I think you need to call them because they’re saying that litigation is going to start if you don’t respond to this message.”
Tom Conkright: So I listen to it and it’s just like, weird [inaudible 00:51:24] voice that sounds like they’re talking out of a storage trunk. But anyway, what they’re trying to do in that scam and the IRS put out many bulletins on this. This is a robocall. This is a robo scam. It’s a phishing using voicemail and they’re trying to get me to reply to a number and the first thing that they would ask me I guarantee is, “Hey to confirm your identity please put in your social security number because after all we’re the IRS.” We’re God, right? And you can trust us.
Tom Conkright: So that’s one example. But that’s typically what they’re after. They’re after some type of user credential or behavior. Josh do you know of some other specific examples that are trending?
Josh Douglas: Yeah there are a number and I mean the technology behind it’s getting better. I mean you can almost not even tell that it’s a real person on the other side sometimes. You actually hear some of that occurring in the political phone calls that you get nowadays with that technology but it’s an opportunistic attack. Kind of like what you’re saying. They’ll send it out to a broad number of people and try to gain a little bit of information so that way they can run with it.
Josh Douglas: And I’ve seen that instance you’re talking about. I’ve also seen another instance where they pretend to be tech support and actually say that they’re calling in so that way they can get access to either your bank account or your system. So there’s a number of mechanisms to do that. Sometimes it’s a live person that’s actually they’re in a call center and basically the robo caller calls you and then there’s a live person or it’s a robo caller where it’s actually fully automated. But it is that opportunistic attack.
Tom Conkright: No I couldn’t agree more. So again guys, they’re also using US postal service. So I’ve heard instances where they are sending wiring information with the logo of the company, with the credentials of the deal, because they logged into somebody’s email account after it’s been compromised and basically said, “Look here’s a number if you don’t believe us.” But here’s the attached wiring instructions, we’re looking forward to your closing don’t trust anything else. And when you call to confirm, you’re calling somebody that to Josh’s point is speaking just in the dialect of even a specific part of the country.
Tom Conkright: So if you’re calling the northeast, they’re going to have that northeastern accent versus the south versus I don’t know what the Midwest is here. But I hear we have one. But that’s interesting. So another question, Josh, this is to you, are there particular countries or regions where fraudulent emails are originating more versus less?
Josh Douglas: I mean there are some trends geographically but as the attacks become more targeted it’s not really going to matter. Because they’ll utilize servers here in the US, they’ll use them in Russia. I mean Russia, China, those places where there isn’t much control over the impacts of the attack or even the ability to prosecute the attacker. They’ll originate out of there but they’ll actually make it look like it’s coming from the US.
Josh Douglas: So you can’t trust the fact that it’s coming from a particular country that that’s going to be a stock app.
Tom Conkright: We just recently put out a bulletin to our customers, whether it was yesterday or the day before. We’ve picked up 13 active countries in our system where they were trying to either impersonate or respond to identity verification and wiring credentials. So it’s very active, it’s all over. I’m going to take this first one and I’ll let you respond Josh because I have a strong opinion on this.
Josh Douglas: Okay.
Tom Conkright: What would you say to those who say that two FA, two factor authentication or multi-factor authentication is too cumbersome?
Tom Conkright: Here’s what I would say. Let me explain to you what’s cumbersome. You lose a couple hundred thousand dollars, you have to sue civilly to get it back. You’re called by the Department of Justice to testify live in front of a Nigerian syndicate and you’re wasting hundreds and hundreds of your time, energy, and stress off your life, through a process that you didn’t cause that you were drug into. So there’s 30 seconds on our fraud experience.
Tom Conkright: What I would say to those is if it’s too cumbersome to download an app that allows them to streamline multi-factor authentication. Or it’s too inconvenient that if they’re in the … at the soccer field to put in a four six digit code before they get into Facebook then the alternative I would argue is just a matter of time and they’re going to experience the contra and that’s what happens when accounts are taken over.
Tom Conkright: And if you’re named in litigation … I got a call from a real estate agent last fall that said, “Hey I need a good lawyer.” She was asking for a referral, we don’t do this, but she was saying, “I’m being sued because my account was taken over and a buyer lost 270 some thousand dollars on a real estate closing here in West Michigan.” So that to me real friction.
Tom Conkright: And you know what guys? This is industry standard. So I don’t see it as a this or that. I see it as you have to do it and if you don’t you’re going to get absolutely hammered if somebody loses funds and you don’t.
Tom Conkright: And I know for the title industry on the phone they’ll say, “Hey the real estate community is, they’re kind of running more fast and loose.” And they’re either not aware of it or they’re just kind of turning a blind eye because they don’t touch the money. Look at the Bain case in Kansas, we wrote a white paper on it. And start to do a lunch and learn segment on what that case meant to the realtor and the broker involved.
Tom Conkright: Josh sorry I was long winded on that one but … that was a softball.
Josh Douglas: No I love it. And what I would say is that cumbersome or not, technology has come a long way and it’s a lot easier to use nowadays. There was multiple options, but on top of that, and kind of to your point, Tom, is not only the downside of what happens after but you’re actually starting to see some of this traverse into requirements from various different larger companies. So having been a CSO of a larger company that was one of the things that we used to ask on our evaluation of third parties. Are you using two factor authentication? Are you doing these sort of things?
Josh Douglas: And you’re actually starting to see them come in in regulations as well or even a criteria for certification. So in particular dealing with public companies, the SSA team requires you to have that particular functionality if you’re dealing with a public company.
Tom Conkright: Well and I would say this and guys I’d love for you to connect and follow up with us on how our respective servicing and offerings can come alongside on some of those risk profiles. I do believe that the companies that make the investments in the things that we’re talking about today, stand to gain substantially as we move forward and try to navigate these waters.
Tom Conkright: I think we can turn cybersecurity and that investment into a branding opportunity where you can distinguish yourself in market because of the things that you can point to that you’re doing. Especially to your point Josh with the publicly traded banks and other institutions where this is not going to be optional anymore and you’re just going to get booted off a list because you can’t meet the vendor attestation and requirements that they’re requiring.
Tom Conkright: So Josh anything else to add? Otherwise I’ll wrap up.
Josh Douglas: This is great Tom. Thanks for having me.
Tom Conkright: No thank you. And thanks Josh, awesome content. I hope everyone on the phone thought this was well worth the time. Sorry we went about ten minutes over. Everyone will receive a link to the live broadcast after it queues up so probably a few hours from now. And I hope to see you on the next month’s webinar. Until then have a great day and stay safe. Take care.