Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everyone, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, chief security and compliance architect here at Input Output. Very excited to have you today. So in the background, we've actually been doing kind of some mock interviews with some, some different business owners, some different experts.
We had one with Brian Barnhart of Infiltration Labs. We've worked with him quite a bit. He's a forensics expert.
So when things go sideways, when, when the, when the poop hits the fan, he comes in and helps helps the company identify exactly what happened and what was accessed, what wasn't accessed. It's very, very important because if you can show what wasn't accessed, he can really save you a lot of headache and the reporting and incident management. That is not the topic of today's show.
We will have one about that. I really want to dive into exactly what he does and more so the why behind it, why it's, it's really important to everybody. But this one, we talked a lot and we will talk a lot about wire fraud and some situations that have come up and where that blame falls, where the liability falls.
And I'll get into it here in just a second. Before we jump in, just as always, please make sure to jump over to Apple Podcasts, Google Play, YouTube, click that subscribe, leave us some comments. There's things you want to hear about.
Please let me know. I would really like to talk about some of the different topics that you're interested in or some of the things that you're having trouble with at your company. So again, I'm going to go ahead and get us into the soundbite from our interview with Brian.
Again, it's Brian Barnhart, Infiltration Labs. And here's the discussion. Brian, I, I want to do my damnedest to introduce you, right? And I'm not going to point fingers here, but I haven't gotten the intake form with all of your information.
So I've, I've got Brian Barnhart here with Infiltration Labs. Well, Brian, actually, why don't you tell a little bit about yourself, about Infiltration Labs? Yeah. Yeah.
Thanks for asking. I'm six foot four, Virgo, like long walks on beach, short beaches, pina coladas, yeah, naked. Yeah.
I sleep naked. I like to cuddle. Yeah.
Stuff like that. Yeah. So yeah, Infiltration Labs started in 2016, digital forensics, incident response.
Vast majority of what I do is supporting attorneys with, you know, in litigation cases and extracting and examining electronic evidence from the cloud, computers, mobiles, and then obviously the part that I really like is the incident response side, right? Which is where kind of swooping in and helping companies that have experienced some sort of a cyber incident to help them understand what happened, how it happened, and, you know, kind of getting them back on track. And we've definitely done some things together, really, really good at what you do. I think to jump into it, we were talking about the email compromise and make sure I get it right.
If my email gets compromised and I send bogus invoices or bogus payment links and such to a client and they pay that, is that on my company or is that on the client company? And I think we were seeing some things on that, right? Yeah. So, I mean, really this spawned from, I saw this question on an email list that I'm on and that was exactly the question, right? They're like, hey, you know, company X, their email apparently got compromised and they sent an updated invoice, right, with new wire instructions to one of their vendors, right, or a client or whatever it was, to somebody else. And that second party, they paid the invoice.
So now the question was, who's on the hook, right? And I think the knee jerk is, well, obviously, company A, their email was compromised and they sent a bogus invoice, right, or change wire instructions, right? They're at fault. But I think it's 2024, most, well, that's a lie. Clearly not most companies, but most companies should at this point have some sort of a second factor of authorization when it comes to anything that is sent via email or text.
You know, so I've seen a lot of, what do you call them, signatures in some emails that all wire, right, or all money transactions require a phone call to verify, right, some sort of second verification. So jumping back to who's really, who's at fault? Is it the company whose email was compromised or does the company that blindly made payment, right, or made a change to where they made payment, do they share some of the responsibility? For not picking up the phone and going, hey, you know, James, it's Brian, I just got this email from you changing the wire instructions, right, or hey, I just got this invoice from you with this link to pay. Did you send this, right? Is this legit? I just want to verify this payment information.
Yeah, and I think most companies now, they do or they should have some sort of out of band process for wires. And I've even seen and recommend to a lot of companies have some sort of very particular process and like a safe word. Okay, we're changing, we're changing the wire instructions, call the client pineapple, just to make sure it's right.
But I guess taking it from, what about if I were to snail mail, send somebody an invoice fraudulently and they paid it? You know, I send, I somehow figure out that you're working with an attorney and I send them an invoice from infiltration, air quote, infiltration lambs, they pay it. And then you call up in a few weeks and say, Hey, I never got my payment. Who's on the hook there? That is, that's a fantastic question.
The timing is uncanny too. I don't know. Did you happen to watch that? That webinar yesterday? No, Black Hills InfoSec.
I think that's who it is. Boy, I sure hope that's the company that did it. They had a webinar yesterday on creating phishing forgeries.
It was entertaining. It was interesting. But that was one of the things that the, the presenter discussed was when he's doing a pen test, he loves sending physical mail because it's really hard to authenticate that, right? It's, I mean, you get something in the mail.
If it looks legit, you just assume. I think the example that he used was sending a physical mail saying you're, you're in, you know, Verizon or, you know, whatever, make up some company class action, right? Visit this website or call this number, right? For your, your portion of a hundred thousand dollars or whatever it was, I'm ad-libbing a little bit here, but I thought about that. I'm like, dang, that's, that's pretty good, right? Because you do, right? Or I think most of us do, if you get something physical in the mail, my brain doesn't immediately go to, I don't want to say fraud, but it doesn't, right? Like I don't immediately go to thinking in cybersecurity terms.
Now, now I will. But yeah, to answer your question, I don't know. I don't know who's on the, I mean, I would say company.
The company is clearly not on the hook, right? Because you, there is zero that you can do, right? If, if my email is compromised and from my account, you receive an invoice and you pay it. Yes, you can trace it back and say, okay, you were hacked. You were compromised, right? I, I own part of that issue.
But if some random creates a mailer with my information on it and sends that, I can't, there's nothing I could do to thwart that, right? Like I have zero control of that. So I think all of that, in my opinion, goes on the victim. But again, I'm not an attorney.
So this conversation is totally moot and hypothetical. I want to go back to the kind of always in the cyber security mode, because that, that goes into what I wanted to talk about with the email. But I agree.
I think if you can't control, if somebody just sends, send something through mail and like guys, I, there's no way I can even protect against that. So looking at that from the email side of things, do you think it makes a difference? And I think this is where you could help come in. That it was between a spoofed email that I just used your address, but I, I spoofed it.
I didn't actually send it from, from your system. So there was no compromise. I just, I just pasted it right there on the front and like, like 99% of people, they didn't read all the headers to see that, oh, this is, this is spoofed.
And they pay it. I mean, that's, that's kind of the same thing. Just digital.
On the other hand, if it's, yeah, good. I'm sorry. No, I was going to say, if it comes directly from you though, I, I somehow compromised your systems.
Does that then become a thing of, listen, you guys were hacked. We, we paid. We're done.
You need to contact your insurance because you had a data breach. Yeah. Does that, does that throw it back over the fence depending on exactly where it's at? Well, that, that's, yeah, that's where I was going in the beginning is I, I have, I really don't know, right.
Cause I, I still, my personal is that it's a shared responsibility, right. In that, yes, my email was compromised and I sent James an invoice and you paid it. But do you share some of the responsibility in the fact that you, you didn't apply what seems to be kind of the standard today, which is pick up the phone and verify payment information.
Yes, I was hacked. I was hacked, but do you share some of the responsibility? And I honestly, from a legal perspective, I have no idea. That's just my personal opinion is it seems like it's a shared responsibility at that point, at least to some extent regarding the spoof.
Yeah. Almost like the, the blind mailer. If you received a spoofed email from Infiltration Labs and it never, it didn't come from my systems, it didn't flow through my systems.
Then yeah, that's, that's all on you. Right. I did, or at least it has nothing to do with me.
Right. I couldn't have controlled, which I guess is only true, right? That's kind of the point of SPF and DKIM and DMARC and whatnot is to warn, I guess, right. Or deny to help spoofed emails.
Yeah. To some extent, right. Or tell you, Hey, this, right.
It claims to come from here, but it didn't come from an authorized sender, mailer, MX, or whatever it may be. If I was being honest, I don't know that I've ever seen that actually work. Maybe it does.
Well, every, every email that I've had blocked is usually been legit. But yeah, I don't know. I've definitely had success with, with DKIM and DMARC.
But the majority of people don't even have their SPF records set up going out. True. That could be on the company that would be on your side.
Yeah. But even if you set up SPF, DKIM, DMARC, and you were monitoring the DMARC reports and following up on those, which that goes down the road.
Like we've talked about before, are we starting to go backwards? I just want to send a mail now to do that. I've got to set up all of these different encryption keys. And now I have to, I just have to monitor to see if other people are using it.
But on the client side, most people aren't even setting up SPF. And if they're not doing that, they're typically not setting up their exchange servers or mail systems to, to filter. It's just a, it's just a blind everything in.
So, okay. It was like, it seems like both parties, unless I'm misunderstanding entirely how, how the whole thing functions is it kind of requires these things be implemented on both sides. Yeah, because with the SPF and DMARC and such, you have to set it up on receiving side to say, hey, listen, if these don't match either allow it through either scrutinize it more or block it completely, you know, blanket block.
Right. And most set it up to where it's let it come through, but, you know, maybe reduce the score because I don't want to impact our marketing capability. You know, otherwise it's going to be so strict that our emails aren't getting out there.
So yeah, there's these security controls, but can I legitimately, I mean, are they really viable for, for running for running business? No. So it goes back to what we've discussed before is I get it. A lot of these things are necessary evils and whatnot, but it's from my perspective, it sure seems like it just makes doing legitimate business and communications more difficult.
And typically has very little impact on the threat actors. Am I just a naysayer today? No, it's that's, that's 100%. And what I think is crazy is when you look at the risk management side of things and talk to companies about like transferring risk, really the, the, the major way that companies do that is with insurance.
But what's interesting is when you look at how a lot of the bad actors are setting all this stuff up, like, holy hell, you all have found out ways to create like multiple layers of transferring the risk away from the people that are actually getting the money. And if you try to track it, good luck with that. If you finally hit somebody, it's not the end source.
I think that's just on a tangent that, that I find it kind of, kind of odd that the best risk managers are, are the bad actors. Yeah. You know, take, take a page out of their book, but yeah, I think it's just aggravating with.
If I just want to send email now, I've got, I've got to set up all these things. Okay. And we've got that.
Well, I should also let my clients know that, you know, Hey, Brian, here's how we do our wires or here's how we do our payments. It won't be any different than this. This is exactly how we do it.
So now do you have to file that in like a Rolodex in your head and remember that? And not just for me, but for every supplier you work with. And now do I need to reference a flow chart before I even send out a check to make sure? All right, well, let's go through the checklist to make sure that everything is correct here. You know, is it just, are we setting all this stuff up to where it's making it too easy to get defrauded? So maybe it's not, I don't know that it's necessarily that complicated, right? Like when we, if we describe it like that from like a one-time use, I get it.
But if you and I, if we kick off an engagement for the first time and we're doing wires, right. And we've, we've traded the forms back and forth and you have my wire information. If somewhere down the road, right.
If you receive an invoice from me, you already have my wire information, right? You already know how to send that payment. Where the wheels come off the wagon is there's usually some sort of a change in the wire instructions that should be the anomaly, right? That should be when the questions are raised, right? Well, let me, let me verify this, right? That's when you would open up the Rolodex and go, let me call a known good contact at the company, right? My billing contact and find out, right? Let me call James directly and go, hey, I just got a change wire instruction from you. Did you change banks? To which you'd say, nope, right? And then it's caught.
It doesn't necessarily, in my opinion, right? Maybe I'll walk this back after saying this, but I don't know that it has to be done for every single transaction. If it's the same information, does that make sense? Right? I think, I think we put it in those signatures, right? And I think that's the mantra that everybody says is, oh, you got to pick up the phone and verify every payment, assuming that it's a new payment every time, right? But if, if I already have your information on file on record, and I know where I'm sending the wire to, and like I said, maybe I'll walk this back. We'll get off this, you know, podcast and I'll go, crap, that was, that was bad information.
But I think that's, that's usually where things go south, right? I think the only caveat to that would be if, if it's a payment link, right? Where it's maybe it's something different every time it's paid via a credit card. And, you know, here's the link to click on to make the payment. Um, you know, I don't know enough about how those work to be able to really step through that.
But I would think as long as it's going to the same, right? If it's all the same information, does it, does it need to be verified? I don't know. What are your thoughts on that? I think that ties in with a lot of what I talk with companies about is let's get a good process in place. And typically people would look at it as, you know, this is more security and compliance crap that's just getting in the way.
But really it's not. If you set up a really good onboarding process, that's making it more secure to where during your onboarding process, hey, here's our payment instructions. These will not ever change.
If they do, we're going to come to your office in an actual bunny suit. So, you know, it's us, um, here's, here's our process. Here's what you can expect.
Here's how things will move forward. And yeah, that's a good compliance and kind of security structure. But it's also going, having an onboarding like that is much better for client retention, um, client management, client experience.
So it's, it's going to pay dividends on the business side. So, yeah, no, I, I, I think that's, you know, that's perfect. And getting it to a point to where, listen, we do things in a structured manner.
I've got to commit as a business owner to set my, my business up in a way that I do it in a structured way that my clients know what to expect every time. And that way, like you said, if there's a change, that should throw a red flag. You see anything ever different, you call us.
Here's, here's the number to call us. And maybe you give that client even somewhere in there, a, like a, a passphrase or a passcode, you know, Hey, call us in. So we, it will authenticate you with this.
And then that way, you know, it's us just, just to make sure no one's phone or that, you know, you're not getting redirected, but no, I, I, I think that's perfect. I, so here's, I guess before closing that out, the hamster's jumping all over the place. I think as far as liability goes, it's probably on the pay, the person making the payment.
Yeah. Unless it's directly coming from the vendor's systems. And even then, I think it turns into a thing of it's probably still on the person making the payment.
However, I think that then turns into a thing of you're going to need to take me to court. And yeah, you could probably win, but is this a few thousand dollars? You're never going to get, you're going to spend more in court costs and time to get that money. And if it's a lot of money now we're in this extended, this extended battle.
You know, I'd, I'd actually like to talk to some attorneys and some businesses that have gone through something similar to see, you know, is this something that now we're just kind of writing off or going to insurance? Is that a cyber claim? Um, those, those are all good questions. So let me add, let me add another, another piece to this puzzle. So an email is compromised.
A wire is sent in the investigative process. We find out that the beneficiary name and the account number did not match, right? So I sent you an invoice with a change wire instructions, right? Hey, here's the new bank. I'm using this.
So you send it to that account number that I provided with the beneficiary name of Infiltration Labs on the bank side. They see this inbound wire, right? Or this outbound, whatever, I guess, whichever bank you're at. Um, they see this wire information.
They can see that the beneficiary that you listed in the account number do not match. Now, who do you think has, or do you think, so I, I obviously I'm, I'm setting the stage here. So in my opinion, I think, and I'm probably going to get in trouble for saying this.
I think some of the responsibility in instances like that falls on the bank, right? How, and I've had this, I won't say argument, but I've had this discussion with somebody and I'll, I'll be honest with you. I can't remember what their ex, it was something along the lines of that would just slow the system down so much if we were to check each one of those. And I feel like you're my, you're the bank, but I feel like that's shit that literally that should be.
So I'm, hold on. I'm going to, I shouldn't do this, especially since this is recorded, but I'm going to look and see that communication that I had. And I'm going to tell you don't give their name, but no, no, clearly not.
I would be interested what they, they would say from having a lot of experience working on the banking side, I don't know all the ins and outs of wires. I think the way it's structured is it's the responsibility of the person signing that. Yes, this information is correct because the sending bank can't verify an account number or not, not the account number and an account name or account details that's receiving bank's information.
And I don't believe they typically share that or some of them do, but most, most won't. So then you could try going after the receiving bank, which I think good luck with that, even if it's a legitimate bank, but if it's really a bad actor and a lot of these are, are overseas, you're never going to get that bank to cooperate or that country to cooperate. And many times there's even the financial institution itself is set up to manage those types of payments.
So they're going to accept it and they're, they're not, they're not going to help. I think it's hog crap on the side when the, when a bank says, well, you know, it would slow the system down. We can't verify that.
So here, I don't want to read this verbatim, but here was the response. So my question was, well, I guess whatever, you know, listen, it's on a public forum. So if you don't want it out there, then shouldn't have responded.
So it was a discussion about email compromises and kind of a kudos to the financial institutions for, you know, flagging things. So my, my comment, right, or my question was, I'm curious, most email compromises end with a fraudulent wire transfer. In many of these, the beneficiary name and the account number do not match.
What are the banks doing to alert on these? Am I wrong that if the receiving bank was to identify this and stop it, or at least confirm that it's legit, that many BECs would die right there? The response that I got from a banking fraud person was banks don't match beneficiary name with account name. It would result in wire backlogs and many false positives. Wires are supposed to be straight through processing.
The customer needs to do their due diligence. Every single one would be prevented if callbacks were done. So I don't think they're wrong with that last sentence, right? Every single one would be prevented with, you know, a callback.
But I also feel like aren't they, if you see this, right, so here's another, I'm jumping around a little bit, but some years back when I was in law enforcement, there were a bunch of wire frauds taking place. I don't remember all the details, but they were all going to the same account in Miramar. And they were all destined for the same account number, but a different beneficiary name.
How did the banks not, right, like, is there not some responsibility on their part, right? Why even ask for a beneficiary name, right? When somebody wants to send me a wire, I have to tell them the company name, the bank address, right, the wire. Do you know what I'm saying? Like, you have to provide this. Why is that even needed then, right? If they're not going to verify the beneficiary name, then just remove that, remove that step and say, hey, literally you can just send money to, you know, whatever with this account number.
But yeah, I'm probably going down a different tangent with that. But I just, I hate when people, so I, to be honest with you, there's no love lost with me and the banks and me and the credit card brands, because I feel like they have, they're best positioned to stop a lot of fraud and they don't. And my opinion on that is because they're kind of like the casino, right? They're kind of like the house.
They don't lose, right? At the end of the day, they don't lose, right? That fraud had zero impact on the bank itself. Yeah. So they, right.
Yeah. In that wire case, I don't think it, in a legal side, I don't think it falls on the bank. Definitely not on the sending bank, because they can't validate, they can't validate the account name.
Now the receiving bank, I think, should flag stuff. I can agree with the side of things that it would gum up the system if it was a 100% match, because, okay, well, there was a dash in the name. You didn't put the dash.
They don't match, kicked it back. Is it an 80% match? That's not usually the case. My understanding is that's usually not the case.
It's usually a completely different company name. No, 100%. Yeah.
100%. I mean, that's all I'm saying there. Yeah.
No, I agree with you on that. It surprises me. If you put Inc. instead of LLC, or vice versa, or didn't add that.
I think that's not what I'm talking about. I'm saying you send the wire to one, two, three, four Infiltration Labs, and the beneficiary is actually John Doe.
Yeah. No, 100%. What's crazy is that working with banks, a lot of their security capabilities, I'm not saying this the right way, they don't have a lot of security capabilities.
The systems that you think they would have in place just are completely non-existent, just things they can't identify. That blows my mind. But the side of things where the banker is saying they just don't have the time, I don't think there's been a time I've ever walked in to any of one of my banks and seen those financial specialists, the people managing the bank, the people running it in there, so busy that they can't verify a few things.
Or ask me the question, did you verify this with a customer? Let's give them a quick call. Yeah. Never.
And it's also, as far as what I was talking about, most of that would be automated. It would run some automated checks, like you said, is it an 80% match, good to go. Is it completely off? Does the beneficiary not match the beneficiary at all? Well, then I think that's, then it should fly.
And I can't imagine those are that many compared to all of the other wires that now that gets forwarded up to. I think that's difficult, but not possible, to be honest. Because let's say I'm going to send you, I'm supposed to be sending you the money.
Here's the account number. Let's call up that other bank and say, hey, this account number, can you verify the account name? Who is this? No. Piss off.
That's confidential information. So the sending bank is putting the information there. They're hoping that the other side will verify and kick it back.
Most don't. They just process it. It's kind of, I think, wires are almost on kind of the Zelle side of things that, hey, once you hit send, that's it.
You need to make sure this is the right information. And I think my argument is where one, it could be improved. That would, I guess, technically be a whole different payment processing system and structure.
But at the banking level, the business bankers, financial institutions, I mean, I think just even asking the question, did you verify this with who you're paying? Is this different than what's happened before? Do you mind? Can we give them a quick call? One, I would never stop using that banker. Like, holy crap, you just saved me $150,000. Like, I'm coming to you all the time.
I think that's a different tangent. I think they, I definitely think they've got more time than what they say they do. Yeah.
I just, I still, I know you said that you don't think it's possible. I don't see how it's not possible, right? Like, I don't see how it's that difficult. I get from the sending side, right? So if I go up to the bank and, hey, I'm initiating this wire, so on and so forth, they can't verify it.
But when that bank sends it to Infiltration Labs, account 12345, and the receiving bank gets it and they go, hey, this came in for Infiltration Labs, account 12345, this is not Infiltration Labs. This is John Doe, right? Couldn't there be a pause put on that, right? Like a halt where they verify, right? Then they contact the bank, right? The sending bank, and they go, hey, you just initiated this wire. The beneficiary is a complete mismatch, right? Not a one-off, right? They forgot to put LLC or something like that, but this is a complete mismatch.
I think there's the capability to do that, but not with the wire payment system. That's actually a kind of a structured and agreed-upon system, just like EFTs are a completely different payment processing. ACH, completely different processing.
I think it could be developed to where, yes, there's a way to do that. I don't believe the wire system would be able to support that without it gumming up and needing people on the receiving side to check and verify and hold things up. So I don't think that's possible.
I also- So are wires an archaic system at this point, right? Is it an outdated process? I think it's dangerous. I think it's a really dangerous process. Yeah, from 2013 to 20- I was trying to find just a single year, but from 2020- God, I can't talk.
From 2013 to 2022, BEC attacks caused an estimated 50.8 billion, let's just say 51 billion in losses worldwide for the FBI. That's a lot of money, right? I mean, even you go, oh, well, it's, you know, small potatoes, right? If it was a few million, but 50 billion is not small potatoes by any stretch. I can't imagine that that number doesn't bubble to the surface a need to revamp the process, right? If it's- At least- I think I read something that BECs account for more in monetary loss than ransomware.
Because it's those really big hits with the wires. Yeah. So I can't imagine how is this not something that needs to be readjusted or fixed if it's an ongoing issue.
I don't know if that's totally outside of my sphere of influence, but we were talking about it. No, I think there's a lot of moving parts there that trying to get those together would be really tough. So we've got to overhaul the payment system.
So it's not going to be wires. Maybe it's like wires 2.0 payment system. And we've got to set all of these different systems up.
Now, every participating bank, if they're going to use that payment system, has to set up their systems to be able to support that, which now they're changing internally, which that's difficult to do at an organization. And you've got all these moving pieces that need to come together for that to finally work its way out. And I think by the time that would really get adopted, it would be another conversation we're having here that, God, you know, wires 2.0 is an archaic system.
You know, look how easy people are getting around it. I think that's one of those things to where perhaps on the, I think on business side, that just needs to be, listen, you know, we used to just kind of give the wire information and that's how it was done. Maybe now what we need to do is when somebody's doing a wire over a certain amount, we're calling with them, you know, our process is that when you're at your bank, you call us, we verify.
Or maybe it's a, you know, it's a thing of, hey, we're going to send you a $5 test. Well, you couldn't do that through wire because it's expensive as hell. But yeah, I think it's got to change.
I think ultimately, it's funny though, as you're saying that ultimately it comes back to the main point that we made. If you just pick up the phone and verify, right? Like we're jumping to, right, at the bank and calling and verifying and at the end of the day, that could all be solved if somebody just picked up the phone themselves, right? It doesn't even have to be the bank, right? Just somebody, right? If the client picked up the phone and called and said, hey, I just want to confirm, right? You just emailed me this wire information. I hate when people ask me for, you know, I don't take wires often, but it pains me.
I told you some years back, James, they were hiring me because they had an email compromise a few days before Christmas. Two wires were sent out. One was like 300,000.
Yeah, you know where this is going. One was 300,000. One was a little over 400,000.
So now they're hiring me to investigate the email, right? Because what it was is the controller, she received an email from the CEO. So of course she was freaking out. But anyhow, you know where this goes.
They emailed me, didn't pick up the phone and call me, emailed me with the form, right? Like, hey, send us your wire information. I'm like, you're kidding, right? Like there's, like in what world, like it's not even funny, right? Like, how do you not see the fail in this? You sent me an email. So I picked up the phone and I called her.
I'm like, this is exactly how we ended up. This is why you're hiring me. And she's like, my gosh, you're so right.
I'm like, okay. But it turned out it was his email that was compromised, which made her feel better, right? Because I mean, yeah, there probably should have been a phone call, but at the end of the day, employees are going to do whatever they're trained to do. And it was, the communication was exactly as it usually was.
It was a reply to an ongoing email thread that they had. He simply said, oh, hey, by the way, I need you to get this sent out before Christmas. You know, we owe these two vendors money.
Get these out ASAP. Okay. I'm going to do a real hard stop here just because me and Brian actually talk about quite a few different things and it's, they're topics that I definitely want to have on the show.
We're going to have him back and talk about some of those things we brought up that I'm cutting, but about the emails, how to manage the reporting in an incident and just generally some other considerations and really good topics. But I think from today, the biggest thing is like we were talking about, you want to make sure that you have a defined wire transfer process in place. And I think what we'll do is collaborate some with Brian and put together a template.
Hey, here's some things to consider. Here's some things to put into place to protect you and your clients. Because honestly, it sucks both ways.
And it's not a good situation to be in. At best, you get your money and you erode trust and confidence with the client, which just again, overall, it, it sucks. So we'll get that put together and talk about that in an upcoming episode.
That is all the time that I think we've got for today. So I will thank you again for listening to Cash in the Cyber Sheets. Please, please, please click that subscribe button.
Send us some comments. Let us know what you like. Let us know what you want to hear about how we can help you and be sure to tune in next week.
Looking forward to talking to you here again soon.