Hackers try, and fail, to scam ICTA

Online scammers did their research on the Information and Communications Technology Authority, grabbing public information about the organization’s managing director and chief financial officer in an attempt to get the regulator to wire almost $40,000 to a bank account.

The scam started with a simple email, purportedly from ICTA Managing Director Alee Fa’amoe: “Troy, did you receive the email I sent to you regarding our investment with Mutual Investment group?”

The technology authority’s CFO Troy Claxton sent a quick reply, saying he did not remember about the transfer. And the scammer, pretending to be Mr. Fa’amoe, wrote back, “Troy, I sent you bank account details to process and wire $39,150. I will be meeting with the investors shortly and I need the wire transfer slip. Let me know if you have the account details.”

ICTA shared the scam emails with the Cayman Compass this week, documenting the incident from March 14.

In an email explaining the incident, Mr. Fa’amoe said, “Such a scam isn’t dependent upon sophisticated technology, systems, or special hacking software, malware, or ransomware. Just a simple email where the sender pretends to be someone in a position of authority.”

Malware is destructive, malicious software that hackers will install on a victim’s computer. Ransomware is part of a new trend in which hackers steal data or shut down a computer system and only give control back to the victim once a ransom is paid.

Last month, Hollywood Presbyterian Medical Center in California, in a highly publicized ransomware case, paid about US$17,000 (as 40 bitcoins) to restore its medical records system after a hacker took the computer system hostage.

“They spoofed my name using a fake email address and sent wire transfer instructions to our CFO. Luckily, he realized the request was unusual and called me to verify the transaction,” the ICTA managing director said.

Mr. Fa’amoe noted, “There are daily incidents of email scams, phishing attacks, and other cybersecurity incidents in Cayman.”

The best thing to do when someone gets a request for bank information or a wire transfer, he said, is to pick up the phone.

The scams can be very simple, he said. “Likewise, the prevention and detection of such a scam doesn’t rely upon complex systems or software, just the vigilant eye of employees.

“So too, it reminds us all that there are people out there who wake up and work all day every day to defraud people and companies. Our occasional and brief thoughts about how to protect ourselves against such a dedicated foe can leave us vulnerable if we are not constantly watchful,” he said.

ICTA’s Jose Hernandez, who is investigating the incident, told the Compass that the email has been tracked back to a server in Canada. “We are currently pursuing this matter with the hosting registry for the source and will be seeking to have action taken against them for the abuse committed,” he said in an email.

He added that ICTA is in touch with another registry in the United Kingdom “that has also confirmed similar abuses by the same source and who are also seeking action against them.”

A press release from ICTA’s Cybersecurity Incident Response Team warning about scams, sent out shortly after the attempt at ICTA, notes, “A common theme in the CEO/CFO scheme is that the actors wait until the CEO/CFO is on official travel before sending wire transfer instructions, making it more likely that the individual would use email for official business and therefore harder to verify the transaction as fraudulent.”

ICTA warns, “Actors can compromise the legitimate business email accounts through social engineering or malware. They conduct reconnaissance to review the business’ legitimate email communications and travel schedules.”

The ICTA cybersecurity team suggests that people confirm payments with vendors over the phone and require two people to approve wire transfers.

“The key to reducing the risk from this type of cyberfraud is to understand the criminals’ techniques and deploy effective financial transaction/payment risk mitigation processes,” the cybersecurity team explains in the statement.