The IRS issued a warning last month about an updated version of the old wire transfer phishing scam, where fake emails are sent to accounting supposedly from a company executive, requesting a wire transfer to a provided account. In the updated version cautioned by the IRS, the request is to payroll or human resources requesting a list of employees and their W-2 forms. Many have been fooled by this and other phishing related scams, exposing their companies and now their employees. Divulging employee lists and W-2 information exposes employees’ personal information that can be immediately used in identity theft and other social engineering activities.
From a people and process perspective, which is always the place to start, reviewing business processes and training employees about being cautious when clicking on links and transferring sensitive data is a first step as part of a larger security training program.
Ensuring that processes and procedures used by your organization promote secure practices is especially important. It not only reduces your exposure in general, but it will make those fake requests stand out even more, reducing the risk that somebody be fooled. Those that hire temporary personnel for the busy tax season should take extra care in training and making sure there is an easy way to do their job without exposing sensitive data. If it is difficult to do their job securely, the easy path to doing their job will win out every time over security.
From a technology point of view, anti-phishing tools to identify and block fake emails, and data loss prevention technology are essential for combatting these phishing scams. However, analysts are getting buried in false positive alerts resulting from legitimate tax related activities or employees emailing their tax information back and forth (regardless of what your acceptable use policy says). In addition to being false positives, these events pollute the view of the analyst trying to catch these phishing scams as well as the bad guys trying to actually steal from the company. Ask any security analyst and they will tell you this is their least favorite time of year.
The mission of security departments is to eliminate the noise of false positives, identify users intentionally or accidentally acting in a risky way, and identify business processes that may be exposing the organization.
Behavioral analytics (“User and Entity Behavioral Analytics, or UEBA”) can help solve all three of these challenges. UEBA analyzes a user’s activities and identifies unusual behavior relative to their own history and that of peer groups. Viewing activity through multiple lenses of individual and group behavior allows UEBA to help solve the issues that allow these phishing schemes to succeed. Combining behavioral analysis with various scenarios filters out false positives. Identifying users demonstrating repeated non-malicious violations helps identify candidates for training that can then be targeted to the types of activities and violations demonstrated by the user. Identifying those kinds of repeated non-malicious behaviors amongst a group of peers can help identify broken business processes that are requiring employees to violate policy in order to do their job.
The result of judicious application of behavioral analytics to connect the dots between user activities across different channels is an overall reduction of sensitive data leaving the organization due to phishing scams, careless users and broken business processes. Of equal importance, it can provide a prioritized list of real malicious risks for analysts to focus on and stop. Of even greater importance is that it improves the lives of security analysts, allowing them to be more efficient and effective. Happy tax season!