Source: KeyBank CyberSecurity

January 2024
While cybercrimes against a business are typically executed by outside actors, missteps and mistakes by people within your organization often open the door for those hackers.
During KeyBank’s annual cybersecurity webinar event, Michael Gerfin, a supervisory special agent for the FBI overseeing the Cleveland Division’s Criminal Cyber Squad, offered investigative insights on three federal cases that stemmed from insider threats — both accidental and malicious.
In case you missed the webinar, a full replay of “The Next Big Breach Has a Badge” is available.

The following are three cases mentioned during the exclusive event and key lessons each organization can take away to help protect their financial operations and critical data.

Case 1: Malicious insider offers network access for $600 Bitcoin

The most dangerous type of insider is someone who wants to hurt your company intentionally. Gerfin recently investigated a case in which a former “disgruntled employee” of an Atlanta-based managed service provider (MSP) went onto a dark web forum and offered access to the MSP’s network and to about 20 of its clients. All he asked for was $600 in Bitcoin. The information was eventually sold to an FBI source for $450 in Bitcoin. The FBI confirmed that the provided credentials, and the financial accounts used to accept payment, belonged to this former employee and charged him with accessing a computer without authorization to obtain information from a protected computer.

Key takeaway: Routinely audit administrator access to critical networks

“He had administrative credentials, which gave him access to sensitive areas, and after being dismissed from his employment, he was let go. His access was maintained. That’s a problem,” Gerfin stressed. “There needs to be some type of auditing when an employee departs to make sure that security controls are in place and you’re not allowing that individual to maintain access.”

Both the former employer and its clients were spared from further damage, but Gerfin said valuable information in the wrong hands can lead to financial loss, reputational damage, data compromise, and even legal action.

“When you have an individual who has privileged access to any system, you always have a risk of fraud. There has to be some level of trust,” he said. “If you have a trusted insider that loses their credentials, whether intentionally or unintended, there can be many repercussions.”
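One way to make the departure audit Gerfin describes routine is to cross-check the directory against HR records on a schedule. The script below is an added example, not code from the KeyBank article or the FBI case; it assumes an HR roster export with termination dates and a directory export with group memberships, and every user, group and date in it is constructed.

```python
"""Offboarding audit: flag enabled privileged accounts that outlive employment.
Added example, not from the KeyBank article or the FBI case. It assumes an HR
roster with termination dates and a directory export of enabled accounts with
group memberships; all names, groups and dates below are constructed."""
from datetime import date
from typing import Dict, List, Optional

# Groups whose membership counts as privileged access (constructed names)
PRIVILEGED_GROUPS = {"Domain Admins", "MSP-Client-Admins", "Backup Operators"}

# Constructed HR roster: user id -> termination date (None = still employed)
HR_ROSTER: Dict[str, Optional[date]] = {
    "jdoe": None,
    "asmith": date(2023, 11, 30),  # dismissed, yet still enabled in DIRECTORY
    "svc-backup": None,
}

# Constructed directory export of accounts as they currently stand
DIRECTORY: List[dict] = [
    {"user": "jdoe", "enabled": True, "groups": {"Domain Users"}},
    {"user": "asmith", "enabled": True, "groups": {"Domain Users", "MSP-Client-Admins"}},
    {"user": "svc-backup", "enabled": True, "groups": {"Backup Operators"}},
    {"user": "ghost", "enabled": True, "groups": {"Domain Admins"}},  # no HR record
]

AUDIT_DATE = date(2024, 1, 15)  # the day the audit runs (constructed)


def audit_privileged_access(directory, roster, today: date) -> List[dict]:
    """Return one finding per enabled privileged account that should not exist."""
    findings = []
    for acct in directory:
        priv = acct["groups"] & PRIVILEGED_GROUPS
        if not acct["enabled"] or not priv:
            continue  # disabled or unprivileged accounts are out of scope here
        if acct["user"] not in roster:
            findings.append({"user": acct["user"], "groups": sorted(priv),
                             "reason": "no HR record: orphaned privileged account"})
        elif (term := roster[acct["user"]]) is not None and term <= today:
            findings.append({"user": acct["user"], "groups": sorted(priv),
                             "reason": f"terminated {term.isoformat()} but still enabled",
                             "days_overdue": (today - term).days})
    return findings


def run_audit() -> List[dict]:
    """Run the check against the constructed data; each finding is a revocation ticket."""
    return audit_privileged_access(DIRECTORY, HR_ROSTER, AUDIT_DATE)
```

Running it flags the dismissed admin account (46 days past termination) and the privileged account with no HR owner; both are the kind of gap the former MSP employee exploited.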


Case 2: TrickBot malware and Conti ransomware conspiracies

TrickBot malware is spread primarily by spear-phishing campaigns that use tailored emails carrying malicious code in attachments. If the recipient enables it by clicking a fraudulent link or downloading an attachment, the code executes malware that steals sensitive information and supports ransomware variants, including Conti.

Conti was used to attack more critical infrastructure victims than any other ransomware variant in 2021, costing hospitals, schools, and other businesses tens of millions of dollars in losses.

In September 2023, nine Russian nationals were indicted on several charges relating to these attacks.

Gerfin said investigating this case was particularly difficult because the actors were using sophisticated techniques within a country that doesn’t cooperate with U.S. law enforcement. That’s when the FBI leans on partnerships with outside organizations.

“(Cybercriminals are) able to change their tactics, techniques, and procedures very quickly. So, even identifying a single variant like TrickBot and relating a similar attack to that same variant can be difficult,” Gerfin said. “Where we succeed is the partnerships that we develop with the private sector and other government entities like CISA (Cybersecurity and Infrastructure Security Agency). And we have established very strong relationships with foreign partners, as well.

“So, a lot of what we do is interacting with foreign law enforcement to try to get eyes on either infrastructure that’s being used or foreign accounts to try to locate these individuals. In this case, through many years of an investigation, we were able to identify these individuals and ultimately two arrests did result from those indictments.”

Key takeaway: Be suspicious of attachments and links

Gerfin pointed out ransomware attacks have evolved in recent years from a tactic that focused on a higher number of victims and lower ransom amounts, to a strategy of targeting higher-profile victims and demanding higher payments.

Hackers are also more creative in their social engineering strategies used in phishing emails.

“Phishing and social engineering credential theft have always been there. But I think the uptick in the sophistication of social engineering has made it harder for people to not click, for people to not go to a site and enter their credentials,” Gerfin said. “If you’re getting an email or a text or something that says the Nigerian prince left you all this money, well, people laugh at that now, right? We’re not going to click that.

“But if I tell you that your Amazon shipment has been canceled or I give you something a little more personal that touches on something that you’re currently doing, you might be a little more likely to click on something that you’re not supposed to.”

Case 3: Business email compromise (BEC) scams target university construction projects

From late 2016 to mid-2018, a number of scammers were alleged to have defrauded three U.S. universities out of more than $5 million by pretending to be companies working on large-scale construction projects.

These actors allegedly registered domain names that looked like legitimate companies, sent emails to those university clients, and deceived them into sending wire payments to bank accounts they controlled, according to information from the U.S. Department of Justice.

Ultimately, three Nigerian nationals were arrested and extradited to the U.S. to face charges of wire fraud, money laundering, and identity theft.

Key takeaway: Simple scams can still hurt organizations in a big way

Gerfin pointed out this type of scam isn’t overly technical but can still have serious consequences for companies whose insiders fail to recognize bogus domain names.

“(The cybercriminals) had enough information to create a narrative that they would interact with over email,” Gerfin said. “And once you get that bona fides and, ‘OK, this person knows what they’re talking about,’ they then get them to transfer $1.9 million in one single instance of funds to a fraudulent account.”

Spencer Wood, a cybersecurity advisor at CISA, said company insiders can fall victim to BEC scams simply because they’re burned out or too busy to verify the validity of a payment transfer request.

“Sometimes just having overworked employees or people who are tired and exhausted … people make mistakes,” Wood said about insiders who are susceptible to email scams that request funds or include malicious links. “Sometimes something’s a little bit odd. So, just take a minute, take a deep breath, call that individual and say, ‘Did you actually send me this attachment, or did you send me this link?’”
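The bogus domain names Gerfin mentions are easier to catch by machine than by a tired employee. The check below is an added example, not code from the KeyBank article or the DOJ case; it assumes an allow-list of verified vendor domains kept by accounts payable, and every vendor and sender domain in it is constructed.

```python
"""Lookalike-domain check for vendor payment requests.
Added example, not from the KeyBank article or the DOJ case. It assumes an
allow-list of verified vendor domains maintained by accounts payable; the vendor
and sender domains below are constructed for illustration."""
from typing import List, Optional, Tuple

VERIFIED_VENDORS: List[str] = ["acme-construction.com", "northstar-builders.com"]

# Character swaps commonly used to imitate a domain, undone before comparing
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str, vendors=VERIFIED_VENDORS) -> Tuple[str, Optional[str]]:
    """Return ('verified' | 'lookalike' | 'unknown', matched vendor or None).
    'lookalike' means the request needs out-of-band confirmation before any wire."""
    domain = domain.lower().strip()
    if domain in vendors:
        return "verified", domain
    norm = normalize(domain)
    n_label, _, n_tld = norm.rpartition(".")
    for v in vendors:
        v_label, _, v_tld = v.rpartition(".")
        if norm == normalize(v):                       # homoglyph swap only
            return "lookalike", v
        if n_label == v_label and n_tld != v_tld:      # same name, different TLD
            return "lookalike", v
        if edit_distance(norm, normalize(v)) <= 2:     # typo-squat or added character
            return "lookalike", v
    return "unknown", None
```

The edit-distance threshold of 2 is generous for very short vendor names, so tune it per list; a "lookalike" verdict is a prompt for the phone call Wood recommends, not a final judgement.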

Learn more about the FBI and the fight against cybercrime

To learn more about the FBI’s efforts to fight cybercrime, including tips and information about current crime trends, or to file a report of online or internet-enabled crime with the Internet Crime Complaint Center (IC3), visit

If you or your organization experience a network intrusion, data breach, or ransomware attack, the FBI recommends you contact your nearest FBI field office or report it at

At KeyBank, we’re committed to helping your business grow and stay safe with ongoing education opportunities, including our annual cybersecurity webinar, which can keep you ahead of the curve on trending fraud and cyber topics.

KeyBank also offers a suite of products and solutions dedicated to helping fight check and electronic payment fraud. For any questions about KeyBank’s efforts and products to help you protect your business, please contact your payments advisor or visit