It’s not unusual for businesses in the jurisdiction of the FBI’s Sacramento Field Office to lose $1 million a week to cybercrime, and that is just the amount of money that gets reported, said Crosby Brackett, interim acting special agent in charge of the Sacramento FBI Field Office.
But if the target of cybercrime reports the intrusion fast enough, the FBI can sometimes stop the illegal transfer and claw the money back, Nathaniel Le, FBI supervisory special agent, said Tuesday at an FBI Cybersecurity Executive Summit at the offices of Quest Technology Management in Roseville.
“Companies don’t like to disclose that they were hacked,” Le said. But reporting a hack is one of the ways the FBI can see trends in the methods being used in cybercrime.
It's also potentially a way to get the money back.
Cybercrime is as disastrous to a company as a fire or flood, yet many companies don’t have an emergency incident response plan in place, Le said.
“You don’t want to have to make this decision when you are in the hot seat,” he said.
A lot of companies don’t want to report a breach, hack or ransom attack because they don’t want to let their customers know they had a problem, Le said.
The FBI is now amplifying its message to businesses that reporting cybercrime to the FBI is kept confidential. The FBI treats victims like victims, and it doesn’t release their private information.
For all the notoriety of ransomware attacks, the most prevalent hacks involve compromised business email accounts. In those attacks, the hacker gets between the business and the vendor, and redirects a money transfer.
“Sometimes, one incident can take you out of business because you become insolvent,” Le said. “That’s not to say the sky is falling. That’s just what’s out there. We want to make it harder for them.”
The FBI wants to collect evidence of the hack and discover how the attackers got in because then it can use that intelligence to block that method in the future, Le said.
And time is of the essence. The bureau can only claw money back for about 48 hours, or 72 at most. After a transfer is complete, the money is gone.
Businesses often realize they’ve sent money to the wrong place in hours, but they don’t report it for days, Brackett said. The bureau is reaching out to businesses to let them know what to do in case of a breach, and that is to report it quickly.
The FBI presented a similar cybersecurity forum in March, and it plans to host more of them in the future, said spokeswoman Gina Swankie.
“Just assume you are going to get compromised. That’s what I tell people,” said Tim Burke, CEO of Quest Technology Management. “How are you going to deal with it? What do you have in place?”
Quest offers outsourced technology management, support and cybersecurity. A growing part of its business is cybercrime incident response, Burke said.
He suggests that businesses keep a locked and encrypted backup of data, so that if the open side of the system gets breached, they lose only a day or a week, rather than having to rebuild the entire system from scratch.
Many businesses ignore cyberthreats assuming “there is no reason I’d be a target,” he said. But much of the cybercrime technology is highly automated, he said. “It’s just constantly pushing on doors. Eventually it finds an open door. It’s random.”
He added that email is a major vector in cybercrime, and suggests ongoing education to tell employees what to look for in phishing and spear phishing emails. Phishing seeks to get personal identifying information. Spear phishing is the same thing, but it appears to come from a trusted source.
Burke said he tests his clients’ employees by sending them bogus emails to see if they fall for them, which can be just clicking on a link or attachment. Sometimes about 80% fall for it.
Under federal law, information the FBI collects in cybercrime investigations cannot be used for regulatory purposes, and proprietary information and financial information remain protected and confidential, said Laura Mruk, chief division counsel with the FBI in Sacramento. She added that evidence is also exempted from Freedom of Information Act rules of disclosure.
“The FBI is law enforcement, not regulators. We seek intrusion details,” Mruk said, adding that it also wants to prosecute the perpetrators of cybercrime.
A benefit for businesses that do get hacked is that the FBI can bring in special agents, computer scientists and its Cyber Action Team to help ensure it doesn’t happen again.
“We are looking at the intrusion and how it happened,” she said.
People who discover their business got hacked should contact the FBI as soon as possible, or they can report the cybercrime to the Internet Crime Complaint Center, known as IC3, which has the web address of IC3.gov.