Corporate Spear Phishing on the Rise
No longer fooled by emails seeking help from friends stranded overseas or mugged in New York, scammers are looking for new ways to separate you from your money. And this time, they are thinking big—C-Suite big. The FBI estimated that from October 2013 through December 2014, companies lost a total of $1.2 billion to CEO Fraud. The FBI blames internal security measures as the number one reason for these losses.
In one instance, the director of accounting for a company in Texas wired $480,000 to an account in China because he received an email from the “CEO” directing him to do it. However, it was an individual posing as the CEO. The scammer had hacked into the company’s server and spent months learning how the company worked and the relationship between the CEO and the director of accounting. He then emailed the director of accounting and made what appeared to be a normal request in the ordinary course of its business. But for the scammer’s audacious request for $18 million to be wired to the same account a few weeks later, it might have continued unnoticed.
In another case, a magazine publisher lost $1.5 million. The accounting executive of the company sent the wire based on an email from the “CEO,” but prior to sending the second requested transfer, he asked the CEO if he had truly made the request, only to find that he did not.
Because these scams are targeted (known as spear phishing), they appear to come from trusted individuals, contain requests that appear normal, and are often not caught by spam filters because they are not mass-mailed.
In addition to standard internal control features for wire transfers that can and should be implemented, below are three practice pointers to help prevent this from happening to you and mitigating the loss if it does.
Employees need to be trained in the ways in which scammers operate. Typically these scammers will purchase a list of emails from the Dark Web and begin sending phishing emails containing malicious attachments (or links to infected websites) to hundreds of addresses. Once an unsuspecting employee opens the attachment (or clicks on the link) and the malware is installed, the scammer has access to the company’s network (at least as far as that employee’s computer can see into it). Depending on the level of access, the scammer may move on if nothing can be exploited or next if the computer has access to company data/emails/etc. Once the scammer decides to act, he may wait until the CEO/executive is away from the office, or simply alter the email address slightly to trick the non-observant receiver. For instance, firstname.lastname@example.org may become email@example.com.
Proper training to prevent these issues include instructing employees not to open email attachments from a sender the employee does not know or recognize. In addition, employees need to be instructed to look for variations in email addresses when being asked to complete tasks that are critical to the company’s business, such as releasing sensitive data, or giving access to portions of the company server reserved to departments other than the requesting party, and, most importantly, giving out the company’s money!
Many firms provide on-site and online training.
Cyber security in the corporate world has become a yeoman’s task. As it pertains to CEO fraud, there are two primary fixes. The first is to mandate company email accounts use two factor verification. If the CEO’s account is accessed from anywhere that is not a recognized, secure location, as designated by the user, a second verification method would need to be entered (either a code sent via text to the CEO’s phone or a pre-printed verification code). This prevents a scammer from logging in from Starbucks. The second is to institute an internal control to require more than one person’s authorization for money transfers or expenditures. Whether it be a wire transfer, check, debit, or other material financial transaction, the approval process should involve two individuals who are privy to the request, purpose, and related specifications.
Even the most vigilant company will still find itself a victim. Traditional insurance policies contain some coverage for fraud protection, but as recent cases have shown, (AF Global Corp. v. Federal Insurance Company) they do not include this new type of fraud. Some of the policies will only pay a claim if the fraud was the result of a traditional negotiable financial instrument having been fraudulently forged or stolen, such as check fraud. Therefore, it is important to review your policies and work with your insurance company to provide a policy that includes coverage for monetary losses incurred by an electronic breach.
If you do have such coverage, your insurance company will need to follow the evidence to learn how the fraud took place. Therefore, it is important to direct employees not to delete the emails related to the fraud. They emails can be examined forensically to help support your claim.
For more information relating to training, prevention, and investigation, contact the experts at Maragell at firstname.lastname@example.org.