Tag Archives: FBI

Learn How to Protect Against the FBI’s Top 3 Cyber Threats

Every day, we share information digitally. Business as usual, right? But what about the risks trying to undermine your business, steal your data, and clean out your company’s bank account?

In June 2017, the FBI released its annual Internet Crime Report showing $1.3 billion in annual losses due to Internet crime. The numbers are probably even higher because companies are hesitant to publicize themselves as victims of cybercrime.

Cybercrime continues to plague our Internet society, and the FBI’s Internet Crime Complaint Center (IC3) highlighted three specific crimes in their annual report: Business Email Compromise, Ransomware, and Tech Support Fraud. We’ve expanded on these cyber threats so you can educate yourself and your employees, and hopefully, avoid becoming a victim.

Business Email Compromise

Business Email Compromise scams go by various names. Whether you call it a BEC scam, CEO fraud, or a wire-transfer scam, the goal is always the same – to target organizations that routinely execute wire transfers. Why? Because human error can be easily exploited.

How the Scam Works:

The premise of the scam starts with an attacker hacking or spoofing the CEO’s email account, often while he or she is out of the office. Next, the criminal emails specific targets in the organization requesting an urgent wire transfer. Due to the authority, urgency, and consistency of the email, many times organizations fall victim and comply with the wire transfer request.

Common scenarios here target the finance department while the CEO is out of the country on business travel and unavailable to confirm the request. During tax season, attackers will target the HR department requesting personal information, like employee W-2 forms. Hackers even pose as lawyers or law firms to request fraudulent transfers.

BEC Scam Prevention Tips:

  • Scrutinize the validity of any email requesting a wire transfer. Ensure it’s consistent with other transfer requests (timing, frequency, amount, recipient, etc.). Examine the sender’s email address for any changes mimicking the legitimate email.
  • Confirm the transfer request in person or via phone call. Make sure there are dual approval protocols in place as well as a protocol for requests made by traveling executives.
  • Educate your employees, emphasizing the warning signs. Oversharing is a cyber criminal’s dream, so use caution when posting an executive’s travel schedule or other employee information on social media.
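
The sender-address check from the first tip can be automated at the mail gateway or in a triage script. The following is an added example, not code from the FBI report or from ePlace; the trusted domain, the confusable-character table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: the organisation's own sending domains (constructed sample value).
TRUSTED_DOMAINS = {"example-corp.com"}

# Character swaps often used to build a lookalike domain (illustrative, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if none parses."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def skeleton(domain):
    """Collapse confusable sequences so 'examp1e' and 'example' compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, reply_to_header=None, max_distance=2):
    """Return a list of findings for one message; an empty list means nothing flagged."""
    sender = domain_of(from_header)
    if not sender:
        return ["unparsable-from"]
    findings = []
    if sender not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(sender) == skeleton(trusted):
                # Same string once confusable characters are normalised.
                findings.append("confusable-of:" + trusted)
            elif edit_distance(sender, trusted) <= max_distance:
                # One or two characters added, dropped or changed.
                findings.append("near-match-of:" + trusted)
    reply_to = domain_of(reply_to_header)
    if reply_to and reply_to != sender:
        # Replies would leave the domain the message claims to come from.
        findings.append("reply-to-differs:" + reply_to)
    return findings


# Constructed sample headers: (From, Reply-To)
SAMPLES = [
    ("CEO <ceo@example-corp.com>", None),
    ("CEO <ceo@examp1e-corp.com>", None),
    ("CEO <ceo@exarnple-corp.com>", None),
    ("CEO <ceo@example-corp.co>", None),
    ("CEO <ceo@example-corp.com>", "ceo@freemail.example"),
    ("Billing <billing@vendor.example>", None),
]

if __name__ == "__main__":
    for from_header, reply_to in SAMPLES:
        print(from_header, reply_to, check_sender(from_header, reply_to))
```

A flagged message is a reason to apply the second tip (confirm by phone or in person), not proof of fraud; a clean result does not cover a genuinely compromised mailbox.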

Ransomware

Ransomware is the most notorious type of malware these days. Cyber criminals constantly have their lines in the water baiting victims to click on a phishing email or visit a compromised website to deliver ransomware.

The goal is to encrypt your files and deny you access to critical data or systems. Ransom demands in cryptocurrency (e.g. Bitcoin) keep attackers anonymous and under the radar.

Ransomware Prevention Steps:

  • Regular Patching: Many vulnerabilities leveraged in ransomware attacks are well-known flaws that have been exposed (e.g. WannaCry and NotPetya). Many attacks can be prevented through regular patching and updates.
  • Close RDP; Use VPN: Close remote desktop protocols unless they’re strictly required. If you must use RDP, either whitelist IPs on a firewall or do not expose it to the Internet. Only allow RDP from local traffic. Set up a VPN to the firewall and enforce strong password policies.
  • Segregate Your Networks: Separate your network into smaller, independent networks. Isolating networks limits a ransomware infection from propagating across an entire organization.
  • Offline Backups: Regularly back up any files stored on your devices. Ensure your backups are not connected to the rest of your critical network.
  • Employee Training: Educate the workforce about ransomware and the associated dangers and threats. Anti-phishing training is one good approach. But overall cyber security awareness is important as ransomware is delivered through other vectors as well.

Tech Support Fraud

Tech support fraud is a type of social engineering where the criminal poses as a legitimate party offering technical support to victims. The intent of the fraudsters is to gain access to a victim’s device. From there, they can leverage their access for financial gain or engage in other malicious activity.

Many fraudulent tech support operations exist. There are several different ways the criminals will try to reel you in:

  • Fraudsters are known to cold call and attempt to convince victims to allow remote access into their devices.
  • Pop-up or locked screens are leveraged to take advantage of unsuspecting victims who click a link on a compromised website.
  • Fraudulent tech support companies use search engine optimization to appear at the top of search results for tech support.
  • Fraudsters register URL domains similar to legitimate sites to take advantage of typos or errors made by victims who are typing in a web address.

Beware the Overpayment Scam

Cyber criminals are always looking for a new way to victimize you, and the overpayment scam is gaining traction. Posing as good-hearted professionals, criminals offer victims a refund for previous tech support services. Once they gain online access to a bank account, they first transfer money around between the victim’s accounts to make it appear the refund was too much. Before the victim notices anything odd, the criminals will request a wire transfer for the excess funds.

Keys to Mitigate Risk

As cybercrimes continue to increase, your organization needs to be diligent about analyzing its cyber risk. Errors happen, and raising cyber awareness among your workforce is key.

ePlace provides cyber training programs on our risk management platforms as a resource for educating employees on cyber threats, and we encourage you to implement these if you haven’t already.

Finally, the FBI urges victims of computer crimes to report the incidents to IC3.gov. The IC3 unit is part of the FBI’s Cyber Operations Section and uses the reports to compile and refer cases for investigation and prosecution.

HIDDEN COBRA: North Korean Malicious Cyber Activity

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have published a joint technical alert that identifies Internet Protocol (IP) addresses that appear to host resources infected with a malware variant used to manage North Korea’s distributed denial of service botnet infrastructure. The intent of sharing this information is to enable network defenders to identify and reduce exposure to North Korean government cyber activity.

The technical alert can be accessed here.

Threat Alert: FTP Servers Targeted for Health Information

The FBI released a threat alert highlighting cyber criminals who are targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode. The purpose of the attacks is to access protected health information and personally identifiable information to blackmail or extort medical and dental facilities.

Threat Details

According to researchers at the University of Michigan – FTP: The Forgotten Cloud – over 1 million FTP servers were configured to allow anonymous access. FTP is a protocol widely used to transfer data between network hosts.

Anonymous FTP servers allow a user to authenticate using a common username – i.e. “anonymous” or “ftp” – without a password, or by using a generic password or email address. Cyber criminals are searching for FTP servers in anonymous mode that contain sensitive health and personal information. The idea is to leverage the information against business owners through blackmail or extortion.

FTP servers in anonymous mode can also be used to allow “write” access to store malicious tools or launch targeted cyber attacks.

Recommendations

The FBI encourages medical and dental healthcare entities to consult with their IT personnel. Request that they check networks for FTP servers running in anonymous mode.

If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive health and personal information is not stored on the server.
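
One way for IT personnel to run that check on servers they administer is to audit the daemon's configuration. The following is an added example, not part of the FBI alert; it assumes the server software is vsftpd (the alert names no product), and the sample configuration files and paths are constructed.

```python
# vsftpd built-in defaults from vsftpd.conf(5). A directive missing from the
# file takes these values, so anonymous login is ON unless it is set to NO.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}
ANON_WRITE_FLAGS = (
    "anon_upload_enable",
    "anon_mkdir_write_enable",
    "anon_other_write_enable",
)


def parse_vsftpd_conf(text):
    """Parse 'option=value' lines, starting from the built-in defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def is_on(settings, key):
    # vsftpd documents YES/NO; TRUE and 1 are treated as YES here so the
    # audit errs on the side of reporting.
    return settings.get(key, "NO").upper() in ("YES", "TRUE", "1")


def audit(text):
    """Summarise anonymous exposure for one vsftpd.conf."""
    s = parse_vsftpd_conf(text)
    anonymous = is_on(s, "anonymous_enable")
    # Anonymous write flags only take effect when write_enable is also on.
    writable = []
    if anonymous and is_on(s, "write_enable"):
        writable = [flag for flag in ANON_WRITE_FLAGS if is_on(s, flag)]
    return {
        "anonymous": anonymous,
        "anonymous_write": writable,
        # Directory anonymous users land in; review it for sensitive data.
        "anon_root": s.get("anon_root") if anonymous else None,
    }


# Constructed sample configurations.
LOCKED_DOWN = "anonymous_enable=NO\nlocal_enable=YES\nwrite_enable=YES\n"
DIRECTIVE_MISSING = "# anonymous_enable not mentioned at all\nlocal_enable=YES\n"
ANON_UPLOAD = (
    "anonymous_enable=YES\nwrite_enable=YES\n"
    "anon_upload_enable=YES\nanon_root=/srv/ftp/pub\n"
)
UPLOAD_FLAG_INERT = "anonymous_enable=YES\nanon_upload_enable=YES\n"

if __name__ == "__main__":
    for name in ("LOCKED_DOWN", "DIRECTIVE_MISSING", "ANON_UPLOAD", "UPLOAD_FLAG_INERT"):
        print(name, audit(globals()[name]))
```

The `DIRECTIVE_MISSING` case is the one that is easy to overlook: a configuration file that never mentions anonymous access still permits it.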

For further advice or recommendations, reach out to our team of V-CISOs at cyberteam@eplaceinc.com.

Keystroke Logger Disguised as USB Device Charger

The FBI is warning companies about a new keystroke logger known as KeySweeper. It looks like a regular USB device charger, but it has the keystroke hardware hidden inside. Keystroke loggers are designed to read the keystrokes from a keyboard in order to steal credentials and other sensitive information. If KeySweeper is carefully placed in an office, the bad actor could wind up with a plethora of valuable information.

Technical Details

KeySweeper is an Arduino-based device hidden in the shell of a USB phone charger. Its skill is in detecting and decrypting radio frequency signals from Microsoft wireless keyboards manufactured before 2011.

KeySweeper uses a SIM card to send data to the bad actor’s web server over cellular connection. The SIM card also allows the device to send text messages when it reads certain keywords from the keyboard.

Defense

The simple way to prevent this specific attack is to ban employees from using wireless keyboards. KeySweeper relies on the radio frequency signals to capture information, so wired keyboards are safe from this attack.

If preventing the use of wireless keyboards is impractical, make sure the keyboards used are safe from the KeySweeper attack. Microsoft Bluetooth-enabled keyboards are protected against this attack, because KeySweeper listens on a different channel than Bluetooth transmissions. Microsoft wireless keyboards produced after 2011 are also protected because they use AES encryption to safeguard keystrokes.

Policies and procedures to address usage of mobile devices and chargers can also play a part in preventing this type of attack. The FBI recommends several provisions to consider in related office policies:

  • Limiting which outlets are available for device charging,
  • Knowing whose chargers are currently being used, and
  • Immediate removal of an unknown charger from the office facility.

FBI Warning: Incidents of Ransomware on the Rise

(This story is from a recent FBI Threat Alert. Please share with others in your organization and make sure employees are aware of the threats and consequences of ransomware.)

Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them.

The inability to access the important data these kinds of organizations keep can be catastrophic in terms of the loss of sensitive or proprietary information, the disruption to regular operations, financial losses incurred to restore systems and files, and the potential harm to an organization’s reputation.

Ransomware has been around for a few years, but during 2015, law enforcement saw an increase in these types of cyber-attacks, particularly against organizations because the payoffs are higher. And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don’t prepare for these attacks in advance.

In a ransomware attack, victims will open an e-mail and may click on an attachment that appears legitimate, like an invoice or an electronic fax, but which actually contains the malicious ransomware code. Or the e-mail might contain a legitimate-looking URL, but when a victim clicks on it, they are directed to a website that infects their computer with malicious software.

Once the infection is present, the malware begins encrypting files and folders on local drives, any attached drives, backup drives, and potentially other computers on the same network that the victim computer is attached to. Users and organizations are generally not aware they have been infected until they can no longer access their data or until they begin to see computer messages advising them of the attack and demands for a ransom payment in exchange for a decryption key. These messages include instructions on how to pay the ransom, usually with bitcoins because of the anonymity this virtual currency provides.

Ransomware attacks are not only proliferating, they’re becoming more sophisticated. Several years ago, ransomware was normally delivered through spam e-mails, but because e-mail systems got better at filtering out spam, cyber criminals turned to spear phishing e-mails targeting specific individuals.

And in newly identified instances of ransomware, some cyber criminals aren’t using e-mails at all. According to FBI Cyber Division Assistant Director James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.”

Tips for Dealing with the Ransomware Threat

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data – i.e. share this alert with fellow employees.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts – i.e. No users should be assigned administrative access unless absolutely needed.
  • Configure access controls, including file, directory, and network share permissions appropriately – i.e. if users only need to read specific information, don’t give write-access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations – i.e. Temporary folders supporting popular Internet browsers, compression/decompression programs.

Business Continuity Efforts

  • Backups, backups, backups! Back up data regularly and verify the integrity of those backups.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said Trainor. “But contingency and remediation planning is crucial to business recovery and continuity—and these plans should be tested regularly.” In the meantime, according to Trainor, the FBI will continue working with its local, federal, international, and private sector partners to combat ransomware and other cyber threats.

Are We Opening Pandora’s iPhone?

One of the more interesting debates in the privacy and security community these days is the ongoing battle between Apple and the FBI. The big question being asked is, are we opening Pandora’s iPhone by asking Tim Cook and Apple to open the backdoor to the iPhone?

The media has reported on this endlessly over the past month, and it was the hottest topic during the highly touted RSA Conference. But there are conflicting views on what the so-called battle is actually about. So without taking sides, let’s run a play-by-play of what’s happened so far.

Court Order

The part that everyone knows – the FBI is looking to gain access to the phone of Syed Farook, one of the San Bernardino shooters.

Judge Sheri Pym of the Federal District Court in Central California issued a court order asking Apple to modify the iOS of Farook’s iPhone, creating a “backdoor” for the FBI. Typically on iPhones, after 10 wrong guesses for the passcode, the phone will wipe the symmetric encryption key. This is the key between the storage and the CPU that gives access to the contents of the phone.

The court ordered Apple to assist the FBI by disabling the 10 wrong guesses lockout. Again, this is part of the software and can theoretically be changed. There is still an 80 millisecond hardware-enforced delay to slow down brute force attacks. Additionally, they are seeking an electronic method of inputting the passcode guesses. This would basically allow them to brute force their way into the phone, instead of having some intern sit there and guess (e.g. 0000, 0001, 0002, and so on).

In layman’s terms, the FBI wants to just hook Farook’s phone up to a brute force generator at 80 milliseconds per guess without the downside of potentially having the phone wiped if they guess wrong 10 times.

iPhone Technology

Of course, we all know Apple’s response – “No!” Apple has stated that they will do everything they can to fight this.

Now that we have looked at what the FBI wants and what the court order says, let’s clear up the confusion on what the current technology of the iPhone says. People are using loosely defined terms. “Backdoor” has become kind of a catchall phrase when talking about access to encrypted devices.

An iPhone periodically checks for updates. The iPhone sends its unique device ID and a randomly generated nonce (one-time code) to Apple. If Apple has an update to send to the iPhone, it will accept the device ID along with the nonce and bundle those with the update package. Apple then signs it with their super-secret private key and pushes that back to the phone. The phone verifies the signature is correct and that the device ID and nonce both match.

So, why does all of this matter? Well, this means that every single update is customized. And Apple does this for a reason. Apple wants to prevent an older version of iOS from being cross installed and allowing a downgrade attack. This would allow an attacker to recreate old flaws in the iOS that are widely known to exist in earlier versions, but are now fixed in current versions.

Apple has accepted the burden of not being able to mass distribute any of their iOS updates.
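
The exchange described above can be modelled in a few lines to show why a captured package cannot be reused. This is an added, simplified example and not Apple's code or format: the field names, device IDs and version strings are constructed, and HMAC-SHA256 stands in for the asymmetric signature so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the vendor's private signing key. The article describes an
# asymmetric signature; HMAC is swapped in only to avoid third-party
# libraries. A real device would hold a public key, never this secret.
VENDOR_KEY = secrets.token_bytes(32)


def _sign(manifest):
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()


def personalize(device_id, nonce, version, image):
    """Vendor side: bind one update image to one device and one request."""
    manifest = {
        "device_id": device_id,
        "nonce": nonce,
        "version": version,
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }
    return {"manifest": manifest, "signature": _sign(manifest), "image": image}


class Device:
    def __init__(self, device_id, version):
        self.device_id = device_id
        self.version = version
        self.pending_nonce = None

    def request_update(self):
        # A fresh nonce per check; it replaces any earlier outstanding one.
        self.pending_nonce = secrets.token_hex(16)
        return self.device_id, self.pending_nonce

    def install(self, package):
        manifest = package["manifest"]
        if not hmac.compare_digest(_sign(manifest), package["signature"]):
            return "rejected: bad signature"
        if manifest["device_id"] != self.device_id:
            return "rejected: wrong device"
        if self.pending_nonce is None or manifest["nonce"] != self.pending_nonce:
            return "rejected: stale nonce"
        if hashlib.sha256(package["image"]).hexdigest() != manifest["image_sha256"]:
            return "rejected: image mismatch"
        self.pending_nonce = None  # the nonce is spent once an install succeeds
        self.version = manifest["version"]
        return "installed"


def demo():
    phone = Device("DEVICE-A", version="2.0")
    other = Device("DEVICE-B", version="2.0")
    results = {}
    # An older build, validly signed for this phone during an earlier check
    # and kept by someone who wants to reintroduce its known flaws.
    old_pkg = personalize(*phone.request_update(), "1.0", b"old image")
    # The current check: new nonce, new personalised package.
    new_pkg = personalize(*phone.request_update(), "2.1", b"new image")

    results["downgrade_replay"] = phone.install(old_pkg)
    other.request_update()
    results["other_device"] = other.install(new_pkg)
    tampered = dict(new_pkg, manifest=dict(new_pkg["manifest"], version="1.0"))
    results["tampered"] = phone.install(tampered)
    results["fresh"] = phone.install(new_pkg)
    results["second_use"] = phone.install(new_pkg)
    results["final_version"] = phone.version
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```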

What Does This Mean?

So the fundamental question in the original Apple vs. FBI debate… Can Apple respond uniquely to this singular request and provide the FBI, either in their facility or remotely, with a piece of software that answers the court’s demands and is not reusable ever again, not even on the same iPhone?

The answer is yes. They can do just that. That’s currently the way the technology works: it’s sound. It gives Apple the ability to open this single phone.

Apple’s Response

Apple has filed a formal response to the FBI request. One section beautifully states their position on the matter. Again in layman’s terms:

Apple recognizes the struggle between the needs of law enforcement and the privacy interests of the public. They think the FBI has taken the wrong direction by bringing the matter into a public forum. Apple acknowledges the FBI’s request to make a brute force attack easier and calls the solution a backdoor to the iPhone. A backdoor would mean that criminals and foreign agents would have a way to access other iPhones.

Apple opposes the government’s stance that this is a one-time deal and points to many other cases looking for phones to be unlocked. Further, Apple says this is just the beginning and floodgates would open. They point to the government potentially overstepping other privacy boundaries as well by turning on the microphone or activating the video camera on iPhones.

Where We Stand Now

The reality is that the iPhone in question probably doesn’t have any valuable information. It was Farook’s business phone that his employer, the county, provided him. He destroyed his personal phone; that’s gone. And the iPhone the FBI wants to access wasn’t backed up in the 6 weeks prior to the incident.

The FBI actually went against Apple’s recommendation and requested that the county reset the iCloud password. Without a reset iCloud password, the phone would have backed up to iCloud on a trusted Wi-Fi network when plugged in.

Given what the court order is asking and what Apple’s technology is capable of, this one request sounds doable at face value. But the larger battle is really over the precedent this case creates.

Other law enforcement agencies are lined up, eagerly waiting for an FBI victory, so they can access other Apple devices in their investigations. Then, the question presents itself about foreign governments requesting access as well. Apple sells iPhones in China, and must adhere to Chinese law. What happens if the Chinese government sees what’s happening and sends a truck load of phones to Cupertino, California for Apple to unlock?

The FBI picked the perfect case to fight. When the government throws the word ‘terrorism’ around, it packs a punch like the right arm of Mike Tyson. However, Apple is working diligently to make sure that future versions of iOS don’t run into this problem.

Apple’s position is that a backdoor in future encryption technologies would cripple U.S. businesses like Apple and Google and compromise the privacy protections and security of consumers. The people who really want full encryption solutions will still be able to get it. There are hundreds of encryption solutions outside of the U.S., and they are free. Bad guys with something to hide will still use full encryption.

And that is Apple’s point and why they are fighting. We need to buckle up because this will be an up and down rollercoaster until the very end… which may be in the Supreme Court.

Would You Pay a Ransom to Get Your Information Back?

According to FBI and other law enforcement agency sources, ransomware attacks are now one of the most popular cyber-attacks and will continue to threaten individuals, as well as small and large organizations. At ePlace, we’ve reported on ransomware recently here and here. Ransomware attacks have become popular for several reasons:

  • Attack tools are available for free through Windows or open source projects.
  • Bitcoins are an easy method for ransom payments and provide anonymity, making it difficult for law enforcement to trace the sender and receiver.
  • The sheer public lack of security awareness.

Ransomware Attack

A recent ransomware attack on Hollywood Presbyterian Medical Center was discovered when staff members noticed issues trying to access the hospital’s computer network. An investigation by the IT department revealed the ransomware attack and the hospital notified law enforcement.

The attack caused computers at the hospital to be down for more than a week. The impact of the attack broadly affected critical functions like CT scans, documentation, lab work, and pharmacy needs. With computers offline, staff had to rely on the technology of our ancestors and get work done using fax machines and telephones.

Initial reports said the attackers were demanding 9,000 bitcoin in exchange for the decryption key – a mere $3.6 million. But the hospital resolved the situation by sending the attackers 40 bitcoin, or $17,000.

The hospital’s CEO stated, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Ransomware Overview

Ransomware uses strong encryption software to encrypt a victim’s files and hold them hostage. Once the victims comply with the attacker’s demands – usually a payment of bitcoin – the keys are sent to the victim to unlock and decrypt the files. Most ransomware in 2015 was spread through a few different channels:

  • Fake updates for Adobe and Java products
  • Downloads from infected websites
  • Malware in phishing emails

Attackers don’t want to be one-trick ponies though. New schemes are attempting to infect whole networks with malware. Clever attackers are using persistent access to scour the network and locate network backups and delete them – squashing any chance the victim has of recovering the data.

Defend Against Attacks

There is no silver bullet solution for protecting against Ransomware. However, the following steps can reduce your chance of being infected.

Top IT Best Practices:

  • Use Anti-Virus and ensure that the software is up-to-date.
  • Ensure Windows users have EMET enabled to sandbox applications.
  • Use regular backups and ensure backup copies are stored in a separate and secure location (not on the local area network).
  • Limit access to different areas on the network to the minimum necessary. It could help control the spread of malware.

Top User Best Practices:

  • Do not open attachments included in unsolicited e-mails.
  • If you have to download free software, always verify the website’s reputation before downloading.
  • Block pop-ups on your browser to prevent fake update ads.
  • Use virtual browsing sessions whenever possible. The virtual session, including any malware, is deleted when the browser is closed.
  • Make sure User Account Control (UAC) is on and users are aware of its functions.

Dridex Update: Malware Disrupted

Recently, an international investigation has led to the disruption of the infamous financial malware – Dridex.

Dridex is a malware strain designed to steal online banking credentials. Developed by a group of cybercriminals in Eastern Europe, the basic gameplan is to infect computers, steal credentials, and obtain money from the victims’ accounts. The criminals have come away with $40 million thus far using the malware. US-CERT released a threat alert warning about Dridex.

Malware Disrupted

The investigation that’s working to take down the Dridex malware is led by the FBI and Britain’s National Crime Agency. They have taken control of the command-and-control servers used to facilitate the attacks and communicate throughout the botnet. They’ve also created a sinkhole and are pushing all activity to the sinkhole, preventing the infected computers from communicating with the cybercriminals.

The investigation also resulted in one of the group’s members being arrested. Andrey Ghinkul – a.k.a. Andrei Ghincul and Smilex – from Moldova was arrested in Cyprus and the U.S. is currently seeking extradition.

The charges against the group include criminal conspiracy, unauthorized computer access with intent to defraud, wire fraud, and bank fraud. Recently, the group tried to initiate a wire transfer for $1 million from Pennsylvania’s Sharon City School District’s bank account. This is after the group was linked to large wire transfers of $2.2 million and $1.3 million from Penneco Oil.

What’s Next?

The common belief is that the group behind Dridex will adapt their malware to go around the sinkhole and resume their attacks. The situation is similar to the 2014 disruption of the Gameover Zeus botnet, where the malware had been updated and subsequently used in more attacks. Sinkholing is only a temporary solution, and it’s believed that thousands of Dridex infected systems still exist in Britain alone.

Information Sharing

One key component to the malware disruption was a very high level of collaboration among financial services firms. More than 10 banks provided intelligence relating to the botnet – including phishing emails and data from the compromised systems. It’s refreshing to see the new trend of information sharing pick up as well as related success stories. Organizations in the same industry or sector are being targeted with similar attacks, and sharing any threat information can help stop the attacks. The Department of Homeland Security has more information regarding Information Sharing and Analysis Organizations (ISAOs).

Organizations shouldn’t be afraid to get law enforcement involved when dealing with a potential data security incident. The FBI has created a webpage for more information about the investigation, as well as a webpage to help users remove the Dridex malware.

FBI Alert: DDoS Extortions Continue

The Internet Crime Complaint Center (IC3) recently received an increasing number of complaints from businesses reporting extortion campaigns via e-mail. In a typical complaint, the victim business receives an e-mail threatening a Distributed Denial of Service (DDoS) attack to its Website unless it pays a ransom. Ransoms vary in price and are usually demanded in Bitcoin.

Victims that do not pay the ransom receive a subsequent threatening e-mail claiming that the ransom will significantly increase if the victim fails to pay within the time frame given. Some businesses reported implementing DDoS mitigation services as a precaution.

Businesses that experienced a DDoS attack reported the attacks consisted primarily of Simple Service Discovery Protocol (SSDP) and Network Time Protocol (NTP) reflection/amplification attacks, with an occasional SYN-flood and, more recently, WordPress XML-RPC reflection/amplification attack. The attacks typically lasted one to two hours, with 30 to 35 gigabytes as the physical limit.

Based on information received at the IC3, the FBI suspects multiple individuals are involved in these extortion campaigns. The attacks are likely to expand to online industries and other targeted sectors, especially those susceptible to suffering financial losses if taken offline.

If you believe you have been a victim of this scam, you should reach out to your local FBI field office, and file a complaint with the IC3 at www.IC3.gov.

Tips to protect yourself:

  • React: Take the threat seriously, and “spin up” an incident response team to deal with any such attacks or threats.
  • Defend: Review DDoS defenses to ensure they can handle attackers’ threatened load, and if necessary contract with, subscribe to or buy an anti-DDoS service or tool that can help.
  • Alert: Warn the organization’s data centers and ISPs about the threatened attack, which they may also be able to help mitigate.
  • Report: Tell law enforcement agencies about the threat – even if attackers do not follow through – so they can amass better intelligence to pursue the culprits.
  • Plan: Continually review business continuity plans to prepare for any disruption, if it does occur, to avoid excessive disruptions to the business.

Leverage FBI Resources Before and During a Breach

During ePlace Solutions’ June 2015 webinar, Special Agent Alexander E. Murray and Computer Scientist Darren Bennett of the FBI encouraged organizations to involve the Bureau both before and during a data breach. Each field office has a link on the FBI’s website and a phone number listed – this is the recommended approach to starting a relationship with your FBI office.

 

Benefits the FBI brings before a data breach:

  • Information Sharing. The FBI sees and hears a lot of what is going on in the cyber security community, and facilitates threat information sharing across organizations. You can reach out to the FBI to share threat indicators you’re seeing, and the FBI can relay back information from their internal database on other indicators reported by other organizations that you should be aware of.
  • InfraGard and Flash Alerts. Another information sharing avenue is through InfraGard and flash alerts. Organizations can publish and share information and request to be notified of urgent attack indicators that might be relevant. This kind of information sharing helps all organizations as common attacks and vulnerabilities can be noticed and seen trending, allowing the FBI to relay the information across all organizations.

Benefits during a breach:

  • Added Skills and Experience. Bringing in an organization such as the FBI adds to the technical expertise on hand during a critical time and potentially disastrous situation. Some organizations have technical expertise in place for incidents like data breaches, but having more skills at your disposal never hurts.
  • Proactive Approach. In the event the incident goes to trial, an organization working and cooperating with FBI assistance might have an advantage. Bringing in the FBI shows more due diligence and intention to investigate and mitigate the situation and any harm that might have occurred. It shows a proactive manner of addressing the problem rather than sticking your head in the sand.