
For the love of the game

When fans of the Golden State Warriors downloaded the team’s new app to their Android phones, they got more than they bargained for. While they were now able to keep up with the latest team news, their private conversations were at risk of being heard. That’s because the technology in the app interacts with the stadium’s Signal360 beacons, which are used to send fans ads and promotions based on where they are in the stands. Those beacon signals are received by the phone’s microphone, even when the app is not in active use, and, as a result, the user’s conversations can be constantly and continuously recorded and analyzed. While the app requests permission to access the microphone, according to a new invasion of privacy lawsuit filed against the team by users of the app, the details about how the team will be using this permission are vague and ambiguous. Security Tip: before installing any program, read the terms of use/service clauses carefully, and ask yourself, “Do I really need this?”

http://www.law.com/sites/almstaff/2016/08/30/mic-check-suit-says-warriors-app-uses-phone-to-listen-in-on-fans/?slreturn=20160731131334

 

Fighting CEO Fraud with Cybersecurity Training


Corporate Spear Phishing on the Rise

No longer fooled by emails seeking help from friends stranded overseas or mugged in New York, scammers are looking for new ways to separate you from your money. And this time, they are thinking big—C-Suite big.  The FBI estimated that from October 2013 through December 2014, companies lost a total of $1.2 billion to CEO Fraud. The FBI blames internal security measures as the number one reason for these losses.

In one instance, the director of accounting for a company in Texas wired $480,000 to an account in China because he received an email from the “CEO” directing him to do it.  However, it was an individual posing as the CEO. The scammer had hacked into the company’s server and spent months learning how the company worked and the relationship between the CEO and the director of accounting. He then emailed the director of accounting and made what appeared to be a normal request in the ordinary course of its business. But for the scammer’s audacious request for $18 million to be wired to the same account a few weeks later, it might have continued unnoticed.

In another case, a magazine publisher lost $1.5 million. The accounting executive of the company sent the wire based on an email from the “CEO,” but prior to sending the second requested transfer, he asked the CEO if he had truly made the request, only to find that he had not.

Because these scams are targeted (known as spear phishing), they appear to come from trusted individuals, contain requests that appear normal, and are often not caught by spam filters because they are not mass-mailed.

In addition to standard internal control features for wire transfers that can and should be implemented, below are three practice pointers to help prevent this from happening to you and to mitigate the loss if it does.

Training

Employees need to be trained in the ways in which scammers operate. Typically these scammers will purchase a list of emails from the Dark Web and begin sending phishing emails containing malicious attachments (or links to infected websites) to hundreds of addresses. Once an unsuspecting employee opens the attachment (or clicks on the link) and the malware is installed, the scammer has access to the company’s network (at least as far as that employee’s computer can see into it). Depending on the level of access, the scammer may move on if nothing can be exploited, or proceed to the next stage if the computer has access to company data, emails, etc. Once the scammer decides to act, he may wait until the CEO/executive is away from the office, or simply alter the email address slightly to trick the non-observant receiver. For instance, jsmith@american.com may become jsmith@amer1can.com.

Proper training to prevent these issues includes instructing employees not to open email attachments from a sender the employee does not know or recognize. In addition, employees need to be instructed to look for variations in email addresses when being asked to complete tasks that are critical to the company’s business, such as releasing sensitive data, giving access to portions of the company server reserved to departments other than the requesting party, and, most importantly, giving out the company’s money!
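The address check described above can also be automated at the mail gateway or in a finance team's triage script. The following is an added example, not code from the original article: it compares a sender's domain with the company's own domains using the article's american.com / amer1can.com pair, and the function names, substitution table, and the other sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# The company's own mail domains; american.com is the article's example.
TRUSTED_DOMAINS = {"american.com"}

# Characters often swapped for one another in lookalike domains.
# Constructed for illustration, not an exhaustive confusables table.
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(domain):
    """Collapse visually similar characters so lookalikes compare equal."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(_CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance, to catch one-character typos and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or external."""
    _, addr = parseaddr(from_header)  # ignore the display name, use the real address
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return "lookalike", good
    return "external", None


if __name__ == "__main__":
    # Constructed From: headers; only the first two addresses come from the article.
    samples = [
        "J. Smith <jsmith@american.com>",
        "J. Smith <jsmith@amer1can.com>",
        "J. Smith <jsmith@arnerican.com>",
        "Billing <ap@vendor.example>",
    ]
    for header in samples:
        verdict, near = classify_sender(header)
        # Assumed policy: hold lookalikes until the request is confirmed by phone.
        action = "HOLD for call-back" if verdict == "lookalike" else "normal handling"
        print(f"{header:35} {verdict:10} {action}")
```

A `trusted` verdict only means the domain matches exactly; it says nothing about whether the account behind it has been taken over.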

Many firms provide on-site and online training.

Cyber Security

Cyber security in the corporate world has become a yeoman’s task. As it pertains to CEO fraud, there are two primary fixes. The first is to mandate that company email accounts use two-factor verification. If the CEO’s account is accessed from anywhere that is not a recognized, secure location, as designated by the user, a second verification method would need to be entered (either a code sent via text to the CEO’s phone or a pre-printed verification code). This prevents a scammer from logging in from Starbucks. The second is to institute an internal control to require more than one person’s authorization for money transfers or expenditures. Whether it be a wire transfer, check, debit, or other material financial transaction, the approval process should involve two individuals who are privy to the request, purpose, and related specifications.

Insurance Protection

Even the most vigilant company will still find itself a victim. Traditional insurance policies contain some coverage for fraud protection, but, as recent cases have shown (AF Global Corp. v. Federal Insurance Company), they do not include this new type of fraud. Some of the policies will only pay a claim if the fraud was the result of a traditional negotiable financial instrument having been fraudulently forged or stolen, such as check fraud. Therefore, it is important to review your policies and work with your insurance company to provide a policy that includes coverage for monetary losses incurred by an electronic breach.

If you do have such coverage, your insurance company will need to follow the evidence to learn how the fraud took place. Therefore, it is important to direct employees not to delete the emails related to the fraud. The emails can be examined forensically to help support your claim.

For more information relating to training, prevention, and investigation, contact the experts at Maragell at info@maragell.com.

Maragell Voted Best Computer Forensic Expert for Third Year in a Row and Best Investigators for 2016

 

For three years in a row, Maragell Corporate Investigations was voted one of the Best Computer Forensic Experts in the region by the readers of the New Jersey Law Journal.  AND, for the second time, we were voted one of the Best Investigators!
On behalf of our entire staff, thank you to all our law firm clients who voted for us and who, year after year, allow us to help them become the smartest attorneys in the room when it comes to electronic-based evidence.

Hiring in NY City? What you need to know about The Stop Credit Discrimination in Employment Act

Effective September 3, 2015, it became unlawful to conduct credit checks on nearly all potential and current employees if your business is located in the City of New York and you have more than four people on staff (including owners). As an employer, it is important to know the exceptions to this new limitation in the field of Human Resource Management.

What is actually prohibited?  According to the New York Commission on Human Rights (“NYCHR”), the governing body for this Ordinance, an employer cannot obtain a consumer credit report and use it in the hiring process unless the position falls within a specific list of exceptions.  According to the NYCHR, a consumer credit report refers to a credit score, credit accounts, bankruptcies, judgments, or liens whether obtained from a third party source or from the prospective employee directly.

While the Ordinance is being promoted by the City as the most stringent of its kind in the U.S., it does have its exceptions.   The onus is upon the employer to document the exception used to obtain a credit check.  The exceptions include:

  • Positions in which federal or state law requires credit background reports, such as FINRA licensed companies;
  • Police Officers, peace officers, or positions with a law enforcement or investigative function at the Department of Investigation (“DOI”);
  • Any position subject to a DOI Background Investigation;
  • Positions requiring bonding under federal, state, or city law or regulation;
  • Positions requiring security clearance under federal or state law;
  • Non-clerical positions having regular access to trade secrets, intelligence information, or national security information;
  • Positions requiring responsibility for funds or assets worth $10,000 or more; and
  • Positions involving digital security systems.

It is important to consult an attorney or HR Specialist when making hiring decisions to determine whether or not you are complying with this, and other local, state and federal laws. Before you do so, here are a few practice points to get you started:

  • Research each position to determine if it fits within one of the exemptions—it may require you to develop a list of what is a trade secret or business intelligence that warrants extra HR security for that position and therefore, based on the assessment reached, exempts that hire from the Ordinance’s limitation;
  • Research your industry online to determine if there are federal or state guidelines that require credit history verifications for your industry;
  • Use Google and LinkedIn and other social media platforms when making your hiring decisions to the extent your state does not ban such research or prevent you from using protected activity found on these sites against the candidate (i.e. cannot use evidence of a person’s gender preference, marital status, age, etc. against them); and
  • Create a log to document the exemptions used and the factual basis for each exemption claimed.

The NYCHR has issued an official Guidance about the application of the Ordinance (see https://www1.nyc.gov/assets/cchr/downloads/pdf/CreditHistory-InterpretiveGuide-LegalGuidance.pdf) and it is expected it will continue to update the public on this topic via its FAQ page (see https://www1.nyc.gov/site/cchr/media/credit-check-law-frequently-asked-questions.page).

Maragell Voted Best Computer Forensics Expert Two Years in a Row

Maragell Corporate Investigations was honored for a second year in a row by our peers in the legal community with a New Jersey Law Journal Best of 2014 medal for Best Computer Forensics Expert.  On behalf of our entire staff, thank you to all our law firm clients who voted for us and who, year after year, allow us to help them become the smartest attorneys in the room when it comes to electronic-based evidence.

 

 

 

 

New Jersey Set to Restrict the Use of Criminal Records in Employment Settings

Despite pressure from business leaders and private detectives, the latest version of the New Jersey Senate Budget and Appropriations Committee’s “Opportunity to Compete Act” [SENATE, No. 2124] continues to impose restrictions upon New Jersey employers when advertising for, and interviewing, prospective employees as it applies to criminal records.

According to the Committee, it determined that “[r]emoving obstacles to employment for people with criminal records provides economic and social opportunities to a large group of people living in New Jersey, increasing the productivity, health and safety of New Jersey communities.” It also asserted “[c]riminal background checks by employers have increased dramatically in recent years, with estimates of 90 percent of large employers in the United States now conducting background checks as part of the hiring process…. and that [b]arriers to employment based on criminal records stand to affect an estimated 65 million adults in the United States with criminal records.”

Concerned by employment advertisements in New Jersey that include language regarding criminal records that either explicitly preclude or strongly dissuade people from applying, the Committee advanced its bill to the entire Senate to tackle these obstacles to employment.

If passed, the bill will preclude an employer (of 15 or more people) from requiring a job applicant to complete any employment application that makes any inquiries regarding the applicant’s criminal record during the “initial employment application” process. It will also preclude the employer from making any oral or written inquiry regarding an applicant’s criminal record during the initial employment application process. The term “initial employment application” means the period from advertisement through completion of initial interview.

If an applicant discloses any information regarding the applicant’s criminal record, by voluntary oral or written disclosure, during the initial employment application process, the employer may make inquiries regarding the applicant’s criminal record during the initial employment application process.

Notwithstanding the foregoing, employers should be aware that if the employment is for a position where a criminal history record background check is required by law, rule or regulation, or where an arrest or conviction by the person for one or more crimes or offenses would or may preclude the person from holding such employment as required by any law, rule or regulation, or where any law, rule, or regulation restricts an employer’s ability to engage in specified business activities based on the criminal records of its employees, the restrictions of the bill do not apply.

This last exception is key for many of our clients. For our non-regulated clients that send employees into regulated entities like banks, hospitals, and mortgage lenders, their contracts routinely contain clauses that require all employees to be screened and failure to produce proof of a background check can void the contract.

Hence, when advertising for a position, consider all job assignments the candidate may be obligated to fulfill. If a potential assignment is in a regulated industry where a background check will be needed, the bill’s restrictions on advertising and interviewing may not apply.

NJ State Bar Association Convention–Congratulations to our Winners


Maragell recently exhibited at the NJ State Bar Association Annual Meeting and Convention at the Borgata.

500+ guests stopped by to learn more about our computer forensic and investigative services, 160 entered the Treasure Chest prize giveaway for a chance to win a $100 gift certificate to the PI Gear online shopping mall, and 129 entered our fishbowl drawing for a chance to win an iPad mini and a free employee background check.

Congratulations to our winners:

Treasure Chest Prize–PI Gear Gift Certificate: Jonathan of NJ
1st Prize–$150 Background Check Certificate: Stephanie of Woodbridge, NJ
Grand Prize–iPad Mini: Doris of Freehold, NJ

We thank all our guests for taking the time to meet us and look forward to fulfilling their investigative needs.

Philly Inq.: Due Diligence Crucial in Investment Endeavors


Jeffrey Brenner, Esq., NJLPI, was quoted in the Philadelphia Inquirer Business section on January 8, 2014 regarding J.P. Morgan’s settlement with the government over its dealings with Bernard Madoff.  Brenner, who investigated Madoff’s auditors in 2006, described how basic due diligence techniques revealed major red flags about Madoff’s operations, and how the same techniques can help today’s investors avoid becoming a victim.  Read the article here: http://www.philly.com/philly/business/20140108_Due_diligence_crucial_in_investment_endeavors.html

Maragell Presents on Electronic Evidence at Fraud Training Conference

Maragell Corporate Investigations’ Managing Principal Jeffrey Brenner, Esq., NJLPI, recently gave a presentation titled “You Found My Internet History? Tales from the Hard Drive” at the 21st Annual All-Day Fraud Training Conference hosted by the Philadelphia Area Chapter of the Association of Certified Fraud Examiners.

The presentation focused on six cases in which the early preservation and forensic analysis of electronic evidence changed the outcome of the litigation.

Judge Rosemary Ramsay names Jeffrey Brenner to be court-appointed computer forensic expert

On Friday, December 6, 2013, Superior Court Judge Rosemary Ramsay named Maragell’s Managing Principal, Jeffrey S. Brenner, Esq., NJLPI, as the court’s computer forensic expert in the case of former Parsippany Police Capt. James Carifi.  

According to published news reports, Carifi, who was already engaged in separate litigation with the Township of Parsippany, became the subject of a police internal affairs probe in which the Township claims he “manipulated” data on municipal computers and transferred police documents to his personal email.  These acts allegedly took place in late March, just before Carifi left the police department’s employ.

Rather than argue the motion for emergent relief, the Township and Carifi entered into a consent agreement under which Carifi will turn over his hard drive for preservation and imaging by Maragell.  Carifi will then be allowed to assert any applicable privilege he might have and withhold certain documents but must keep a “privilege log” of those items for review (and possible challenge) by the Township.