By Daniel L. Farris
A recent report about Ubiquiti Networks Inc. serves to reinforce the importance of training and non-technical controls in the fight against cybercriminals. On August 6th, Ubiquiti Networks, a California-based high-end wireless network products and video surveillance equipment company, reported a $46.7 million loss to the Securities and Exchange Commission. The loss was caused by fraudulent wire transfers to cybercriminals employing social engineering methods to dupe employees in Ubiquiti’s finance department.
Social engineering scams of this sort are on the rise. In January, the FBI warned businesses of the increasing use of phishing campaigns, business email fraud, and spoofing techniques by cybercriminals. Most commonly, the scam works like this: cybercriminals will compromise or spoof an executive’s email account, sending a wire transfer request to the target company’s finance department. An unsuspecting employee will see the legitimate company email address, believe the request to be valid, and will initiate the wire transfer as instructed – generally to the cybercriminal’s account, often in Asia. In other variants, cybercriminals will compromise a vendor and send new banking instructions to the target company “on behalf of” the vendor.
News of the Ubiquiti Networks scam underscores the need for effective enterprise-wide privacy and data security initiatives. Increasingly, cybercriminals are leveraging the cyberskills gap to exploit employees and/or weaknesses in company policies, rather than relying on sophisticated hacks or technological vulnerabilities in edge security. Training employees to identify the risks, question every request, and take ownership of privacy and data security as part of their day-to-day duties is key.
For assistance in drafting, implementing, or refining your own Privacy, Information Security, or Data Management Policies, please contact the author or a Polsinelli Privacy and Data Security team member.