When the finance chief of a London hedge fund got an urgent phone call about possible fraud on a Friday afternoon just as he was preparing to leave work, he honestly thought he was doing the right thing by giving the caller the information requested. Wouldn’t any decent CFO want to stop fraud if it was in his power to do so? That way, he could rest easy for the weekend, knowing he had saved the company from damage. Imagine the feeling in the pit of his stomach when he turned on his computer Monday morning to find that 742,668 pounds ($1.2 million) was missing!
That’s what happened to Thomas Meston of Fortelus Capital Management LLP in December of 2013. He received a phone call from someone claiming to be from Coutts, the London-based hedge fund’s bank, and the caller warned him there may have been fraudulent activity on the account. Meston was reluctant, but agreed to use the bank’s smart card security system to generate codes for the caller to cancel 15 suspicious payments.
Instead the caller used the codes to divert funds into other accounts. Meston lost his job and, to add insult to injury, is being sued by the fund for breach of duty to protect its assets.
It’s a sad case of firms too often seeing cyber security as a technical issue and not recognizing the risk of employees being targeted, as supported by a report from the Bank of England last week that called cyber crime a growing threat to financial stability.
And such “Friday afternoon scams” are not uncommon. Zurich Insurance Group Ltd warned in May that law firms were also being targeted by fraudsters impersonating bank staff who asked for access to accounts, often late on a Friday.
“People are always the weakest link,” said Jason Ferdinand, a director at Coventry University who runs the U.K.’s first cyber security MBA course. Employees “often assume that they do not have to think about security because a machine or software is doing it for them.”
In my business as a speaker on Cyber Security, Corporate Fraud and Identity Theft, the initial phone call from clients often revolves around wanting someone who can protect the company. My response is, “Then let me train the people”. If I can train them to pay attention to what I call the “Hogwash” response, I know that is the greatest line of defense between the company and fraudsters.
So, again I ask, what is the weakest link in your cyber security plan? Answer—any human being who works for your company! It just depends on who wants to do the right thing and happens to answer the phone or get that email asking for a quick decision under pressure. If you’re looking for entertaining training that targets the human factor, we’re here to help!
John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.