Injection
GLM Construction (one of your trusted vendors) reports that their finance person’s email account was compromised and believes that unauthorized emails were sent. GLM asks your team to review emails from them. Your Accounts Payable lead received an email from the vendor with updated ACH information and sent a payment of $250,000 to that account 6 days ago. That payment information does not match what is listed in your master vendor file.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short term containment options do you have? Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Include and Involve
  - Finance
  - Technology
  - Legal
- Contact the bank first and report the misdirect.
  - Ask for stop payment.
  - The sooner the bank is informed, the greater likelihood that some funds can be retrieved.
- Contact law enforcement including the FBI, Secret Service, and/or Michigan State Police Cyber Command Center (MC3) immediately.
  - The sooner they are alerted the more likely that some of the funds can be retrieved.
- Review transactions, both successful and unsuccessful.
- Review your procedure for verifying ACH payments.
- Review communications with vendor.