From: [email protected]
Subject: Wire Transfer
Hey Jane,
I’m traveling today. We are expanding operations in Mexico and things are moving rapidly. I need you to send a wire transfer ASAP. Wire instructions are below.
Thanks for jumping on this!
Rob
Jane reviews the rest of the email from the company’s CEO and dutifully wires $365,000 in company funds to the account listed in the email. When he returns to the office the next day, Jane is pleased to report that the wire transfer was successful. Rob immediately looks puzzled and concerned.
“What are you talking about, Jane?”
“The email you sent yesterday? You asked me to transfer $365,000 to our vendor so we can expand our Mexico operations. Look, here’s the email.” Jane hands Rob a printed copy of the email. He reads it and turns pale.
“Jane, I don’t understand. I didn’t send that email.”
“Well if you didn’t send it, who did?”
“I don’t know,” says Rob, “but there are two ‘n’s in Hannigan – and I think we’ve been taken for $365,000.”
CEO Fraud
The anecdote above is an example of “spear phishing,” a type of business email compromise (BEC) scheme in which criminals impersonate a high-level executive and attempt to trick employees into sending money to an overseas account they control. In the fictional example of CEO fraud above, attackers have spoofed Robert Hannigan’s email address (note the spelling of his name in the email is off by one letter) and assumed his identity. From Jane’s point of view, the email appears as real as the countless others she has received from her boss over the years, although the urgent request to wire such a large amount of money from Rob, she would later admit, was unusual. However, actual cases like this one happen every single day.
The FBI has been tracking BEC crime since 2013, and has found that international crime groups have targeted companies of all sizes in every state in the United States and more than 100 countries, resulting in losses of more than $3 billion to U.S.-based victims alone. Sophisticated criminal enterprises employ hackers, social engineers, linguists and lawyers. They have become increasingly adept at the art of deceiving and exploiting unsuspecting victims to perpetrate these schemes. The attacks are often targeted and planned far in advance before sending the attack email. Oftentimes, they use malware to spy on the organization’s employees—learning the internal facets of the organization including the email and communication styles of executives, vendor payment processes, and billing systems. Using this information, they are able to credibly impersonate the executive and send a money-transfer request to the carefully targeted employee with access to company finances. They then attempt to deceive them into wiring funds to bank accounts thought to be trusted, but are actually offshore accounts controlled by the criminals.
Phony Invoices
The phony invoice scheme is not new. Criminals have long sent bogus invoices to companies knowing that some percentage of them will be paid without question. A more sophisticated BEC version of the fraud involves criminals posing as a vendor with whom the targeted business has a longstanding business relationship. The attacker will send the company what appears to be a genuine invoice with a message that the vendor has changed banks, including instructions to wire payment to the new account. Processing what appears to be a genuine invoice, the accounts payable person has no reason to suspect that he is an unwitting victim of a BEC crime. It is not until the vendor contacts the company inquiring about the lack of any payment that the fraud is discovered.
A member of Western Growers was recently duped by this scheme. A partner in Mexico would typically invoice the company for growing costs. When the company received an $80,000 invoice from this partner, no alarm bells went off. Neither did the message on the invoice asking that payment be made via wire instead of the company’s historic practice of paying by check. The accounts payable person wired the funds as requested, only to learn later that the funds were actually wired to a bank in Slovakia, and the funds swept out soon after. While the member reported the crime to their local FBI office, the funds have not been located or recovered after several months of investigation.
What Companies Should Do Now
In light of the growing BEC threat, management has to be more vigilant than ever to safeguard the company’s finances and privacy. Cyber security experts recommend a number of steps companies should have in place to protect themselves from BEC attacks.
• Don’t trust. Verify. The best way to avoid being exploited is to verify the authenticity of requests to send money. Walk into the executive’s office, speak to him or her on the phone. Don’t rely on email communication or the contact information included in the email. Limit telephone conversations to company directory phone numbers.
• It’s a scam until proven otherwise. Train the accounting staff that if they receive a wire-transfer request, especially from the CEO or other senior executive, to assume the email has been compromised. Scrutinize the email requesting a transfer of funds carefully, especially if the request is out of the ordinary. Pick up the phone, or better yet, walk down the hall, and ask the requestor to confirm the request.
• Leverage technology. Intrusion detection system rules can be put in place to flag emails that have extensions that try to replicate the appearance of the company’s email. Also, email rules can be created that flag emails where the “reply” email address is different from the “from” email shown to the recipient. Two-factor authentication (2FA) is a tool that can be used to protect email and can be used for payment verification. With 2FA, in addition to entering a password when logging in, the user is given a one-time code from a software or hardware token.
• Cyber Insurance. Consider purchasing a cyber insurance policy that can reimburse the company in the event of a cyber attack, including a BEC scam. The cyber insurance market is evolving rapidly, and policies vary greatly, so work with your insurance broker to understand the terms of a prospective policy and the policy triggers that will result in the policy paying in the event of a BEC claim.
Cyber Weapons
Spear-phishing. Fake e-mails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC attackers.
Spoofing. Slight variations on legitimate addresses ([email protected] vs. [email protected]) are used to fool victims into thinking fake accounts are authentic. The criminals then use a spoofing tool to direct e-mail responses to a different account that they control. The victim thinks he is corresponding with the company’s executive, but that is not the case.
Malware. Software code used to infiltrate company networks and gain access to legitimate e-mail threads about billing and invoices. The criminals use this information to ensure that fraudulent wire transfer request don’t look suspicious to accounting staff. Malware also allows criminals to gain access to a victim’s data undetected, including passwords and financial account information.]
WHAT TO DO IF YOU ARE A VICTIM
• If funds are transferred to a fraudulent account, it is important to act quickly:
• Contact your financial institution immediately upon discovering the fraudulent transfer
• Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent
• Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds
• File a complaint, regardless of dollar loss, with the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov