Business 37: How To Lose A Million Dollars In A Minute. Or Not.

  • Post category: Business


Warm up

—————————— ** FOR NEW STUDENTS ** ——————————

  1. What industry do you work in and what is your role?
  2. What are your responsibilities in your role / position?
  3. Can you describe the function of your workplace / company?
  4. How many departments and how many offices does it have? Is it national or international?
  5. What are the minimum requirements for employment, i.e. education or experience?
  6. How many opportunities are there to ‘move up the ladder’?
  7. What is the process for changing job roles, i.e. an interview? A test?

——————————————————————————————

General discussion about your workweek:

  1. Current projects? Deadlines? Opportunities?
  2. Anything of interest happening?

——————————————————————————————


1. Business email compromise is a generic-sounding name for a type of cyberattack that can devastate your business. It’s so serious that losses to date are estimated to be in the billions. There is no real technology solution to BEC, as it’s known in the law enforcement community.

“We’ve released a public service announcement about business email compromise,” said FBI Supervisory Special Agent Jill Mansfield. Mansfield said that the estimated losses globally are more than $26 billion. And she said there are new twists in this rapidly changing means of scamming businesses.

2. Chances are you’ve heard about BEC, but perhaps not under that name. One type of BEC is what’s called CEO fraud, in which a company official with the ability to direct the transfer of funds from the company bank account does so on the orders contained in an email. Generally, the email appears to come from the company CEO and uses the rationale that the company is about to make a large acquisition or other large purchase, and that a large amount of money is to be wired to a bank account, the details of which are included in the email.

Once the money is transferred to the other bank, it’s nearly impossible to get back, because it’s then transferred again through a series of several accounts, making it difficult to trace. While the FBI can sometimes assist in getting the money back, it’s by no means a sure thing.

3. Meanwhile, the attackers have added new twists, one of which, Mansfield said, is payroll diversion. “Company payroll departments are being contacted,” she said. “They receive an email requesting that their direct deposit be changed.” But of course the email is really from a spoofed employee account.

“Some companies have reported that employees have received phishing emails before the criminal sends email,” Mansfield said. Those phishing emails come to employee email addresses that are available on the company website, social media or the dark web. While those phishing emails may also have other purposes, such as getting login credentials, at least part of the reason they’re sent is to confirm that the person is still employed and getting email.

4. A similar attack involves vendors and suppliers. According to Mansfield, these attacks consist of an email to the company’s accounting department informing them of new banking information for direct payments. The new details are the attackers’, as you might expect, and payment for goods or services gets directed to them. Depending on the vendor, this can amount to a significant amount of money before the diversion is found.

Taking action to prevent these attacks requires you to make changes in how you protect your company information, how your payment procedures work and how you train your employees. A great deal also depends on how security-aware your employees are.

5. “It ultimately needs to start with a security culture. It needs to be driven by the C-level in the organization, but the best is that the board and the CEO are buying in on the security concept,” said Stu Sjouwerman, CEO of KnowBe4, a security training firm.

Sjouwerman said that it helps to get started by determining the level of training your employees have had, then determining how much they know about security and finally how motivated they are to take action. He said that his company provides a free phishing test to see whether your employees are aware of the right way to respond to attacks.

Once you’re satisfied that your employees have a working knowledge of phishing and social engineering, it’s time to move on to the next steps. At the top of the list of next steps is a change to your procedures when it comes to money transfers of any type.

6. First, require out-of-band confirmation of any email request to send money or to change information about payments of any type. Out-of-band means that the confirmation needs to take place through some means other than however the request came in. Normally this might mean a voice phone call to whoever requested the change, using a number that’s already in your HR records, not the number that came with the email.

But because some types of fraud also use the phone, it’s important that you initiate the call from numbers you already have. Don’t just return a phone call to the number that may have been involved in a request. You may also want to develop a code word for what might be considered major requests, to prevent a confirmation call going to a hacked phone system.

Second, create a companion policy that assures employees that they will never be punished for following the above procedure, even if it slows down a money transfer that you’re in a hurry to see happen.

7. Note that those confirmation calls need to be made to employees changing their banking details, or to suppliers changing their payment information. These payments amount to thousands of dollars, and not protecting yourself can result in your company losing the money. And don’t count on your insurance company covering it for you.
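The procedure in points 6 and 7 can be turned into a simple triage step for a payments or payroll inbox. The following is an added example, not code from the article or from the FBI or KnowBe4: it classifies a request as one of the three BEC variants the article describes (CEO-fraud wire request, payroll direct-deposit change, vendor banking change), refuses to use any phone number supplied in the email, and points the reviewer at the number already held in HR or vendor records. The sender addresses, phone numbers and keyword patterns are constructed, illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample data standing in for HR / vendor master records.
TRUSTED_PHONES = {
    "ceo@example-corp.test": "+1-555-0100",
    "j.doe@example-corp.test": "+1-555-0101",
    "billing@acme-supplier.test": "+1-555-0200",
}

# Assumed keyword patterns for the three BEC variants the article describes.
PATTERNS = {
    "ceo_fraud_wire": re.compile(r"\b(wire|transfer)\b.*\b(acquisition|account)\b", re.I | re.S),
    "payroll_diversion": re.compile(r"\bdirect deposit\b", re.I),
    "vendor_banking_change": re.compile(
        r"\b(new|updated)\b.*\bbank(ing)? (details|information|account)\b", re.I | re.S),
}
PHONE_RE = re.compile(r"\+?\d{1,3}[-\s]\d{3}[-\s]\d{4}")  # crude phone-number pattern


@dataclass
class Email:
    sender: str   # address from the From header (may be spoofed or a lookalike)
    subject: str
    body: str


def triage(email: Email) -> dict:
    """Classify a payment-related request and state the out-of-band confirmation step."""
    text = f"{email.subject}\n{email.body}"
    kinds = [k for k, p in PATTERNS.items() if p.search(text)]
    if not kinds:
        return {"kinds": [], "action": "no payment change requested", "flags": []}
    sender = email.sender.lower()
    flags = []
    if sender not in TRUSTED_PHONES:
        flags.append("sender not in HR/vendor records")
    if PHONE_RE.search(email.body):
        # Point 6: never confirm via a number that arrived with the request.
        flags.append("phone number supplied in email; do not call it")
    trusted = TRUSTED_PHONES.get(sender)
    action = (f"hold; call {trusted} from HR/vendor record" if trusted
              else "hold; confirm with the named person via a number HR already holds")
    return {"kinds": kinds, "action": action, "flags": flags}
```

A spoofed message that exactly matches a real address still resolves to the real person's number on file, which is the point: the call reaches the genuine CEO or employee, who can deny sending the request.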

“There is case law that requires an organization to provide protection against threats at a reasonable level,” Sjouwerman said. “If you don’t have them in place you can be sued, or your insurance company can refuse to cover damages because you have failed to provide a reasonable level of protection.”

There’s more to preventing BEC than just having the right policies. You must also control what information is available to the outside world so that it can’t be used against you. This means you need to protect your employee contact information. Don’t give out the employee phone book, and don’t put contact information on your website or on third-party sites such as LinkedIn. For staff that need to be reached from the outside, provide a web form that can be used as a means of contact. And don’t post employee phone numbers in public.

8. And of course you still need to protect your network from being hacked, if only to prevent the bad guys from getting the information they want directly. After all, those bad guys probably love your email as much as you do, because it provides them everything they need to conduct a BEC attack.

If you find out that you’ve already been hit with a BEC attack, Mansfield said you should call your bank as soon as possible. She also said that it’s important to file a complaint with the FBI’s internet crime folks so they can follow up, and maybe help get your money back.



1. What training have you received in identifying a scam email? Do you have a specialist team? Monthly updates or meetings?

2. Have you ever received an email such as the ones described above? What did it say, and what happened?

3. What stories have you heard about scams? They could be famous ones or about people you know. Catfishing / phishing / Indian call centres, etc.



  1. generic: general / common / not specific
  2. (also) lacking imagination or individuality; predictable and unoriginal.
  3. devastate: destroy or ruin
  4. (also) cause (someone) severe and overwhelming shock or grief. Shattered.
  5. twists: unexpected changes or results
  6. (also, twist) misrepresent the meaning of (words).
  7. rationale: a set of reasons or a logical basis for a course of action or belief.
  8. acquisition: a purchase of one company by another.
  9. sure thing: guarantee / assurance
  10. spoofed: hoaxed or tricked (someone). Fake.
  11. (also, spoof) imitate (something) while exaggerating its characteristic features for comic effect.
  12. credentials: a document proving a person’s identity or qualifications.
  13. diversion: something intended to distract attention from something more important.
  14. C-level: CEO, CFO etc.
  15. buying in on: investing in
  16. initiate: cause (a process or action) to begin
  17. code word: a word used for secrecy
  18. Note: pay attention.