The following was originally published on April 17, 2016 on Seacoastonline.com.
A relatively recent form of e-mail scam, known as CEO fraud or BEC (Business E-mail Compromise) has been so successful, it’s amounted to over 2.3 billion dollars in financial losses.
Companies of all sizes have been victimized, from large corporations to small businesses and non-profits. This scam is remarkably unremarkable in its form. An e-mail arrives to finance employee who regularly moves money around for the company. This e-mail comes from the company CEO and asks this person to wire transfer funds to an overseas bank. The e-mail contains a signature that looks identical to the CEO’s e-mail signature and uses language and structure that is familiar in the CEO’s communication style. Would you transfer money after receiving a request like this? Numerous people have, to the tune of 2.3 billion dollars and climbing.
On the surface, this may seem hard to believe but the evidence is irrefutable. Just this week, I assisted a long term client with evading this very type of threat. Here’s a story I can personally vouch for, that indicates how real this threat is and some key lessons learned. This particular story involves a client that runs a very sophisticated organization with excellent controls in place to secure the business, physically and virtually. It underscores just how easy these scams are to fall victim to.
The controller received an e-mail from the CEO asking if the controller was in a position to make a wire transfer for them. The controller replied to the e-mail saying yes. The CEO then responded with an attachment requesting that sixty thousand dollars be transferred using the wire transfer instructions in the attachment. The controller responding asking with account to transfer from, using account nicknames like operating, holding or trust. The CEO replied holding and the controller initiated the transfer. The CEO just happened to call in to talk to the controller within moments of the wire being initiated. The controller informed the CEO the requested wire transfer was in process at which point it become immediately clear the controller had been tricked. Fortunately, the controller was able to contact their bank, stop the transfer and with my assistance, log the threat and near financial loss with the FBI cybercrimes division. This is scary stuff.
The lessons learned here are clear, especially in hindsight for this company. The CEO had never asked for a wire transfer via e-mail so this was a first. The controller responded to the e-mail and engaged with the criminal initiating the scam instead of calling the CEO to verbally confirm the request. The controller also opened an attachment without verbally authenticating that the CEO had sent it. Two missed opportunities for verbal confirmation of a request to electronically wire funds. Finally, the controller was tricked into asking which account to effect the transfer from as opposed to asking the CEO to tell the controller which account to use. This entire process started with an e-mail that was socially engineered at a new level not previously seen.
Social engineering like this is quite sophisticated. It looks at e-mail flow to determine where intended victims may be, what their communication style is and more. Combing Internet traffic, social media sites and public records about the target company and individuals, these hackers craft a custom e-mail attack that looks and feels like the real people involved and in so doing, defrauds its victims of significant sums of money.
The answer to this threat? There are many, but chief among them is education and strong controls on the movement of money, especially electronically. A verbal confirmation before taking action is required. It’s simply far too easy to impersonate and authorized party electronically.
You should consider testing programs that periodically send phishing e-mail campaigns to your users, especially those that have access to sensitive information that could put the company at risk. You want to test to see who responds and who does not. Don’t punish people for making the wrong choice, rather use it to further education employees on just how careful they must be with their e-mail communication, especially in terms of what attachments to open or not and what type of information may be shared electronically and not.
The FBI has issued warnings of a dramatic increase in these types of e-mail scams. In issuing some of their latest warnings, the FBI went on to say: “The schemers go to great lengths to spoof company email or use social engineering to assume the identity of the CEO, a company attorney, or trusted vendor. They research employees who manage money and use language specific to the company they are targeting, then they request a wire fraud transfer using dollar amounts that lend legitimacy.”
Stay safe online!