Lessons from Cybersecurity for the CI professional

As we continue our 30-year celebration, I am reminded of how much cross-pollination there is between Competitive Intelligence skill sets and other analytical tools. Recently, that cross-pollination was highlighted in an application that, while familiar to any primary CI professional, has a very different purpose.

I was attending a session on cybersecurity, which is a concern for all industries. For most companies, it is about hacking into IT systems and stealing information. Of course, this is not only illegal in most places; it is also unethical in the CI industry. However, cyber-hacking is also used for fraud.

For most small to mid-sized businesses, and even some large ones, fraud is a bigger risk than hacking into the IT system. In part this is because most IT systems have been hardened, but it is also because fraud is less likely to be reported, is harder to detect until after the funds are gone, and uses effective social networking.

In the past, fraud was mostly check-based (someone forging a check or issuing a check for personal gain), but it is now shifting to wire-based fraud. According to cybersecurity analysts at Bank of America (not a client or sponsor of Fletcher/CSI), over $5.3 billion has been paid out through e-mail compromise since 2003, and between June 2015 and June 2017, over $4.5 billion was paid. Note that these figures do not include ransomware, which is a different beast altogether.

So much for how prevalent wire fraud is. The real issue is how it relates back to CI. The connection is social engineering, a common elicitation tool for CI information collection. Again, the application for fraud is very different from CI. As with any social engineering tool, the first step is to identify the key executives. In the case of fraud, that executive may be in the AP department, but can also be any senior executive who has spending authority. Once that executive is identified, a lower-level contact in AP, the person who actually executes wire transfers, is also identified.

Where it gets interesting is how the fraudster executes the fraud. Often, they will spoof the senior executive’s email, sometimes using the executive’s real email in the title and a return address that is close, but missing a letter (substituting an “i” for an “l” or putting an “r” next to an “n” to make it look like an “m”). Other tricks abound, but apparently, over 70% of all attackers use this technique. It is not one any CI professional would use, and, according to a BOA global payments fraud executive, 65% of IT security professionals surveyed don’t feel fully equipped to defend against these attacks.
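To make the look-alike trick concrete from the defender's side, here is an added illustration (not part of the original article, and not code from Fletcher/CSI or Bank of America) that checks a message's From header for the patterns described above. The domain `helmsman.example`, the sample headers and all function names are constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumption: helmsman.example is a constructed stand-in for your own mail domain.
TRUSTED_DOMAINS = {"helmsman.example"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def skeleton(domain):
    """Fold the look-alikes named above: 'rn' reads as 'm', 'i' reads as 'l'."""
    return domain.lower().replace("rn", "m").replace("i", "l")

def missing_one_letter(domain, trusted):
    """True if domain is the trusted domain with exactly one character dropped."""
    return any(trusted[:i] + trusted[i + 1:] == domain for i in range(len(trusted)))

def check_from(header):
    """Return a list of findings for one From: header value."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # The display name shows an address that is not the real sender address.
    if any(shown.lower() != addr for shown in EMAIL_RE.findall(name)):
        findings.append("display-name-address-mismatch")
    # The sender domain is not ours but is built to be read as ours.
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(domain) == skeleton(trusted):
                findings.append("confusable-domain:" + trusted)
            elif missing_one_letter(domain, trusted):
                findings.append("missing-letter-domain:" + trusted)
    return findings

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    '"jane.doe@helmsman.example" <jane.doe@heimsman.example>',
    "Jane Doe <jane.doe@helrnsman.example>",
    "Jane Doe <jane.doe@helmsan.example>",
    "Jane Doe <jane.doe@helmsman.example>",
    "Bob <bob@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(check_from(header) or ["ok"], header)
```

A check like this only flags mail for a second look; the verification steps discussed later in the article still decide whether a payment request is genuine.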

The attack itself deviates quite a bit from primary CI elicitation tools. Often, the fraudster will send the AP contact a note requesting that a payment be made to a third party as part of an urgent action, which can be anything from releasing a shipment to completing an acquisition. Since the request appears to come from a known senior leader and is urgent, the AP person will process it without full verification. If the wire is sent to a foreign address, the funds are gone for good.

These attacks work by relying on social engineering and a lack of appropriate controls. In the world of CI, identifying the key decision makers at a competitor is a core function. Engaging that decision maker in an open conversation is what the primary CI professional does. Often that may include some sense of urgency. However, the professional and ethical primary CI professional will always identify who they are and the company they work for. They will also stop any respondent from disclosing confidential information.

The same tools used to stop fraudsters who rely on social engineering apply to stopping a primary CI probe. Start by asking questions to determine if the request is legitimate (when we conduct win/loss interviews, many decision makers ask who the report is for and will contact their salesperson before participating). Then, verify that the person seeking information is who they say they are with a web search (we always use our full names and the company name so a web search will find us).

-Erik Glitman, CEO, Fletcher/CSI