Are you sure it’s from the CEO? 5 Ways to Protect Your Company from Business Email Compromise (BEC) Crimes
By Asmah Tareen
Last week, a successful Minnesota company fell victim to a crime increasingly being aimed at companies with a global presence and traveling executives. The company’s accountant received an email from the CEO instructing him to send out wire transfers totaling over $100,000. The accountant tried to confirm by phone but was unable to reach the CEO who was traveling overseas. When the accountant responded to the email instructions with a follow-up question, he received an abrupt reply reprimanding him to get it done. Although there were internal checks in place and a controller raised questions, the air of business urgency won out and the wires were ultimately sent out.
Shortly after sending out the wires, the company learned that the emails were, in fact, not sent from the CEO. The wire transfers were directed at legitimate businesses in a different state. These businesses would promptly receive calls from the cyber thieves claiming to be from the Minnesota company, indicating that they had accidentally sent the funds and instructing that the funds be “returned” this time being directed to a third account controlled by the thieves. From there, the funds would likely be wired again until they would become difficult to trace and reach. Given the quick timing of discovering the fraud and cooperation of the wire recipients and the bank, the company will likely recover some, if not all, of its funds. The company is investigating whether its email server or the CEO’s email account was hacked or spoofed and the FBI has also initiated an investigation. However, many companies have not been so lucky.
According to FBI reports, a growing number of businesses, particularly those conducting international business, are defrauded by “business email compromise” (BEC), crimes. See http://www.ic3.gov/media/2015/150122.aspx. The Minnesota company fell victim to the “CEO Fraud,” a version of BEC crimes involving spoofed or hacked accounts of executives with the timing of the fraudulent emails coinciding with business travel of the executives being spoofed. This reflects the creepy reality that cyber thieves are investing in identifying and watching their victims - learning the identities of executives (easy to do) as well as company employees in the finance department (not as easy to do), possibly learning internal processes for funds disbursement and learning executive travel schedules. With this knowledge, they proceed to either spoof executive emails (create a similar looking email address e.g. from a domain that may vary by one letter, or manipulating email headers) or by hacking the company email servers to create similar email addresses or by hacking the account of business executives.
In this case, as in many others, there were red flags. The tone of the email was not typical for the CEO and the purpose of the transfers seemed “off” – although it should be noted, that in many cases, cyber thieves have been sophisticated enough to instruct that funds be sent to accounts appearing to be those of suppliers who frequently receive company wire transfers, or they have sent wire transfer instructions directly to banks.
Here some actions to take to protect your business from falling prey to these types of crimes.
1. Create awareness and be vigilant about red flags, however subtle.
Inform employees about these types of crimes and encourage them to err on the side of validating, even when the request appears to be urgent and under high pressure. Historically, scamming emails have not “looked right.” They may have included misspellings and errors or may have been missing signature blocks or company branding. While these emails are getting more sophisticated, they may still miss something. It is a good practice to look closely at email addresses sending such instructions, and to respond by forwarding the email and typing in the recipient name (rather than hitting reply). Cyber thieves often register domain names with one letter different from a company domain name (e.g. an extra “s” at the end). With a similar domain name, they can create an email that looks almost like that of the CEO. Finally, if the tone of an email is unusual for that person (more formal, more curt), it should raise enough of a red flag to follow-up with a phone call.
2. Create internal checks.
Institute a policy of requiring phone confirmation from the requestor before sending out large or unusual wire payments and contacting intended recipients by phone to inform them that the wire transfer is coming.
3. Maintain system security.
Email is, by nature, insecure. The FBI recommends that companies institute verification processes such as digital signatures and secure messaging. While many businesses find such processes cumbersome for internal emails, businesses should at least build and maintain robust security programs that include employee training about security practices at the individual level (e.g. password security, not clicking on suspicious links or downloading software, not transacting company business through personal email accounts, etc.) as well as systematic processes for checking and managing for malware infections and security breaches. Finally, when in doubt about a suspicious email, call your IT department as they can often help confirm if it is legitimate.
4. Guard your personal privacy online.
The CEO Fraud crimes have often coincided with executive travel – a time when there is less ability to verify and validate. While it may be easy to find out the name and email address of a company executive, it is not as easy to find out the executive’s contacts and travel schedules. For individual security as well as for protecting company information, company websites should be cautious in broadcasting conferences and travel events and employees at all levels should be careful about sharing information online about their work travel schedules, e.g. via social media.
5. File a complaint.
If your business has been the victim of a BEC scam, you can file a complaint with the FBI’s Internet Crime Compliant Center (IC3) at www.IC3.gov. Reporting this type of crime is important and there is no shame in being a victim. Reports help provide better insights into how to fight these sort of attacks and is a good means of trying to reclaim stolen funds.