In her bestselling book Willful Blindness, Margaret Heffernan asks the question ‘why do we ignore the obvious at our peril?’
There isn’t a single reason, but throughout the book Heffernan offers a myriad of reasons for this behavior. In one instance, Heffernan references the work of Harvard legal scholar Cass Sunstein. In 2005, Sunstein and some Harvard colleagues conducted a social experiment on decision making. They found that bringing together people who broadly think alike created a dynamic that is natural but not neutral. They called it the ‘group polarization effect’; today, because of the popularity of social media, we are all familiar with the concept as the echo chamber. Rather than challenging each other, people’s views become more extreme, which is fine, but only when we are on the right path.
Working cooperatively is typically a benefit for our communities, companies, and countries. However, it can be a detriment when we’re on the wrong path, for example when there is a blind spot in our approach. Failing to recognize this blind spot can become a significant problem.
Take for example the global financial crisis from 2008 to 2012. The more one learns about this, the crazier it seems. It is a story about warnings being issued by multiple agencies, including energized and determined law enforcement officials in the Federal Bureau of Investigation (FBI). But these credible warnings went unheeded and led directly to a global financial crisis that was long and deep.
Simply put, it was a tale of willful blindness. But Houston, we have another problem. The same law enforcement agency that warned in advance of the dangers of systemic mortgage fraud has also been issuing warnings about significant cyber threats since at least 2015. The problem for our society is that only a very few firms have listened to this warning.
The Financial Crisis: a story of a crisis foretold
In 2004, the FBI, having access to information otherwise unavailable to the private sector, determined that the level of mortgage fraud was so systemic, so prevalent, so wide-ranging that it represented a significant threat to the US economy, with the potential to have a wider impact globally.
As lending rates dropped to 5% from 2002 to 2004, Chris Swecker, then Assistant Director working in the FBI’s white-collar crimes division, observed the increase in ‘fly-by-night mortgage brokers, crooked appraisers, and attorneys, a high level of house flipping, and other fraud.’ Swecker and his team calculated that the problem was significant.
The FBI held a major press conference in 2004 and gave testimony on the rise of Suspicious Activity Reports (SARs), the various types of cases, the decreasing underwriting standards, and the threat of systemic fraud. When questioned about data demonstrating the level of mortgage fraud, Swecker recommended looking at SAR referrals, undercover investigations, and referrals to law enforcement downstream from the banks.
The FBI was so concerned they continued to raise awareness. They convened more press conferences and in some instances, they undertook them jointly with other credible agencies who had evidence of mortgage fraud. All of this was taking place in 2004.
Credible warnings were coming from credible agencies about a significant problem. The warnings were met with inaction. In other words, mortgage fraud – the critical factor in the financial crisis – was foreseeable and largely avoidable. Fast forward to September 2008.
The inevitable collapse
In 2008, Lehman Brothers and Bear Stearns collapsed and the financial crisis kicked off in spectacular style. It’s not so much that the markets took a nosedive as that they fell off a cliff. But this Wile E. Coyote moment was not inevitable.
Image source: Financial Times
The writing was on the wall (and had been for at least four years). Despite the best efforts of the FBI and other agencies, this message was ignored. For whatever reason, the people who were tasked with protecting the banks and managing the risks failed to exercise reasonable care.
FBI warnings should be pivotal to how firms look to protect themselves
You may well ask, why are we revisiting the financial crisis now? My points are these:
- The FBI has form for getting things right.
- The FBI are trusted, independent experts.
- When the FBI highlights a problem, the data they’re relying on is good.
Finally, and perhaps most importantly: the FBI has no skin in the game. They have nothing to sell to you. They cannot lie and they don’t issue warnings to prompt anyone to buy anything. They are not FUD (fear, uncertainty & doubt) merchants.
Given this pedigree, wouldn’t it be an obvious choice for firms to check and see what the FBI is saying about a range of issues, and use this as key information to secure their organizations? Wouldn’t it be more obvious still to check to see what the FBI’s major strategic priorities are that might then inform their business decisions?
I selected three from a total of nine strategic objectives that relate to cybercrimes in particular. They are:
- Protect the United States against cyber-based attacks and high-technology crimes.
- Combat significant cybercriminal activity.
- Combat transnational criminal enterprises.
The FBI is tasked with protecting the US as a strategic priority. So what has the FBI been warning the business community about that meets these objectives? To answer that we need to turn to the Internet Crime Report, issued by the FBI’s Internet Crime Complaint Center (IC3).
The FBI IC3 Internet Crime Report: 2015 until now
The Internet Crime Report 2021, published in late March, offers nothing substantively new and no surprises. Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. Stylistically, the FBI has removed its Hot Topic section, but the story remains the same: BEC is a threat and it needs to be addressed.
Image(s) source: FBI IC3
Business Email Compromise: a hot topic since 2015
There we have it: the FBI has been warning since at least as early as 2015 that Business Email Compromise (BEC) is the most significant cyber threat to businesses. This little nugget isn’t hidden in a lengthy document; the FBI has consistently warned about it in a short, easy-to-read section called ‘Hot Topic’.
Businesses need to act now
The FBI is tasked with protecting the U.S. and U.S. business interests, and they’ve warned that BEC is the most significant cyber threat facing businesses. This is important to take into account because we know that:
- Bad actors in Russia use BEC as the starting point in 90% of their targeted cyber attacks. It’s their all-time, hands-down favorite way to deploy ransomware.
- We know that the bad actors in Russia that enjoy the support of Putin’s regime, in turn, support Putin. We know that the total ransom paid in 2020 amounts to at least $700 million, and in 2021 about $600 million.
- Putin’s friends, the Conti Group, skipped away with the highest ransom, amounting to $180 million, followed by another group close to Putin, Evil Corp, who received $85 million.
Businesses typically have four options when considering how to address risks on the horizon.
- Avoid it: this is not possible, because no firm can unplug from the internet.
- Transfer it: good luck finding an insurance firm prepared to tolerate the risk.
- Accept it: as economic sanctions bite, it’s in all likelihood now illegal to pay the demand.
- Manage it: this is the only reasonable position a firm can take.
How can firms manage the problem of Business Email Compromise?
Again, the answer to this question can be found in the guidance provided by trusted, independent experts:
- National Institute of Standards and Technology (NIST), see Trustworthy Email
- National Cyber Security Centre (NCSC), see Minimum Cyber Security Standards
- US Dept of Homeland Security
- US Dept of Defense – CMMC – Implement email forgery protections
The agencies listed above provide a wealth of useful information. I’m not making the case that businesses should look only to these agencies, but I am absolutely making the case that all businesses globally would do well to treat these agencies’ insights as a priority.
Not only should businesses implement their recommendations in-house, but by running a due diligence exercise on your supply chain, you can mandate those recommendations to protect your business. Essentially, this further protects your firm at no additional cost other than sending out a mandate, which in the grand scheme of things is immaterial.
This is not a novel approach – making your firm robust and then requiring those who you contract with to conform to best practices is tried and tested. The US Department of Defense understands that its supply chain is of critical importance to its security.
To this end, they have produced their Cybersecurity Maturity Model Certification (CMMC). It is a useful guide, and if your business relies on it, then directors have done a bit more than exercise reasonable care, skill, and diligence. This is belts and braces stuff.
Whatever you do from today, you can no longer ignore the problem of Business Email Compromise.
To learn more about how Red Sift can help protect your organization and brand from BEC, get in touch with the team below.