Imagine you have the opportunity to sit down with your future hacker: the person who is going to steal your company’s money, drain its assets, steal customer data, and quite possibly put your company out of business. There you sit, in a coffee shop, staring into the hooded eyes of the person who has inflicted weeks, if not months, of pain on you and your company.
We all know what you want to ask. You sputter, “Why me? Why my company?” The retort is astounding, “Because you made it easy. You were easier than the other company that had simple security measures in place.”
The hacker then spits out a series of acronyms that hit you like blows to the face: 2FA, FTF, and others you couldn't catch.
You quickly respond, “Had I known, I would go back in time and prevent this from happening!” But the thing is — now you know. You’ve been told. I’m telling you this because I’ve sat in that seat, in a coffee shop, talking to ex-hackers, asking the same questions you will ask yourself one day. Each question was the same, each response the same. Companies make it easy.
I’m here to save you the trouble. Let’s talk about what you just heard and what those two acronyms mean: 2FA and FTF.
The first acronym is your friend: 2FA, Two-Factor Authentication. It is something you should welcome with open arms, and it won’t slow down your day-to-day work. You will see it under several related names: Dual-Factor Authentication, Multi-Factor Authentication (MFA, which covers two or more factors), and the mechanisms that usually supply the second factor, OTP (One-Time Password) and TOTP (Time-based One-Time Password). These are not all the same thing, but they all mean the same for you: a password alone is no longer enough to log in.
It is one way to protect your email account, or any critical system, from remote access by your friend the hacker: the login requires an additional authentication method on top of your password. A username and password is the standard way to log in, but passwords are easy to steal, whether phished, guessed, reused from another site, or leaked in someone else’s breach. 2FA and MFA add a second factor, such as a randomly generated code from a smartphone app, before access is granted.
When you enable 2FA on your email or a critical system, the login prompts you for a code from an additional method (also called a “factor”). That factor can be a software “token” in an authenticator app on your smartphone, a hardware security key, or a simple 6-digit passcode sent by text or voice call to your cell phone or desk phone. Any of these is far better than a password alone, but an authenticator app or hardware key is stronger than a code sent by text, because phone numbers can be hijacked (a “SIM swap”) and text codes can be phished in real time. It’s simple, and with most email providers this service is free.
There are two great things 2FA does: it acts as a gatekeeper and as an alarm. As a gatekeeper, the authentication code stops a bad actor who has your password but not your phone or security key from logging in. As an alarm, an unexpected code tells you something is wrong: if you receive a code you did not request, someone has your password, and you need to reset it. Never read a code to anyone who calls or messages asking for it, because that is exactly how attackers talk their way past the gatekeeper. I care about your company’s future, so here is an article on how to enable 2FA.
What is the other acronym the hacker mentioned? FTF, or funds transfer fraud: the easiest way to monetize a crime against your company. The hacker breaks into your email system and waits. They watch. What are they waiting for? A pending transaction. When they see an email requesting payment, they launch their attack, and you will not know until it’s too late.
Let’s give you an example. Your hooded hacker sent you a phishing email months ago or used a stale password and has been sitting in your email system for a month, just sitting and watching. The hacker finally sees a legitimate request for funds to be paid. The hacker inserts themselves into the conversation pretending to be the other side and tells you via a spoofed email that the banking information has changed and you need to pay to a new bank account. You comply and set up the wire transfer and wire the money to the fraudster's account. A week later, you receive a call from the correct vendor asking for the money. You realize the fraud, but the funds are long gone. And what is worse, the attacks are not always this sophisticated. But sophisticated or not, the results are the same — your company loses money.
The easiest solution for most companies is also free. Have a “dual control” process that includes the following:
Call the person requesting the wire transfer, or the change to payment details, at their last known phone number to verify the request. Note: use a known-good number from your own vendor records, never the one printed in the email, since the hacker controls that email. Have a second person, not the one who received the request, approve any new or changed bank account before money moves, and compare the sender’s address character by character with the one on file, because spoofed messages often differ by a single letter. A no-tech solution to a high-tech problem.
Before you need to have this conversation in real life, heed my warning. Turn on 2FA and seek approval for any new or updated payment requests. You have time to prevent the next email intrusion, funds transfer loss, or ransomware event.
Download the 2021 Coalition Cybersecurity Guide for more great tips from our in-house security experts to help protect your business.