Are You Sure It’s from the CEO? Protect Your Bank and Customers from Business Email Compromise Crimes
By Asmah Tareen
Recently, a successful company (Company) fell victim to a crime that is increasingly targeting companies with a global presence and traveling executives. The Company’s accountant received an email from the CEO instructing him to send out several wire transfers totaling over $100,000. The accountant tried to confirm the instructions by phone but was unable to reach the CEO who was traveling overseas. When the accountant replied to the email with a follow-up question, he received an abrupt reply reprimanding him to get it done. Although there were internal checks in place and a controller raised questions, the air of business urgency won out and the wire transfers were ultimately sent. Shortly afterward, the Company realized that the instructing email was not from the CEO but from cyber thieves.
The wire transfers were directed to legitimate businesses in different states. Typically in such fraud crimes, the recipient businesses would receive calls from the cyber thieves claiming to be from the Company, indicating that they had accidentally sent the funds and instructing that the funds be “returned” – directing the funds to a third account controlled by the thieves. From there, the funds would be wired several times until they became difficult to reach. In this case however, the Company discovered the fraud immediately after dispatching the wire transfers and fortunately, one of the recipient companies promptly called the Company directly. Given the quick timing of discovering the fraud, cooperation of the wire recipients and vigilance of the bank in tracking the money, the Company has recovered most of its funds. However, many companies have not been so lucky.
According to FBI reports, a growing number of companies, particularly those conducting international business, are defrauded by “business email compromise” (BEC) crimes. The Company fell victim to the “CEO Fraud,” a version of BEC crimes involving spoofed or hacked accounts of executives with the timing of the fraudulent emails coinciding with business travel of the executives being spoofed. This reflects the creepy reality that cyber thieves are investing in identifying and watching their victims - learning the identities of executives (easy to do) as well as company employees in the finance department (not as easy to do), possibly learning internal processes for funds disbursement, and learning executive travel schedules. With this knowledge, they proceed to either spoof executive emails (create a similar looking email address) or hack the company email servers or accounts of business executives.
Here are some actions you and your customers can take to protect your customers, as well as your bank, from falling prey to these types of crimes:
1. Create awareness and be vigilant about red flags, however subtle.
Inform employees about these types of crimes and encourage them to err on the side of validating, even when the request appears to be urgent and under high pressure. Historically, scamming emails have not “looked right.” Cyber thieves often register domain names with one letter different from a company domain name (e.g., an extra “s” at the end). With a similar domain name, they can create an email that looks almost like that of the CEO. They may have included misspellings and errors or may have been missing signature blocks or company branding. While these emails are getting more sophisticated, they may still miss something. It is a good practice to look closely at email addresses sending such instructions, and to respond by starting a new email or forwarding the email and typing in the recipient name directly rather than replying to the original email. Finally, if the tone of an email is unusual for that person, it should raise enough of a red flag to follow up with a phone call.
2. Create, comply with and monitor internal checks.
Institute a policy of requiring phone or other confirmation from the requestor before sending out large or unusual wire payments and contacting intended recipients by phone to inform them that the wire transfer is coming. Incorporate internal checks into cash management agreements and allocate liability accordingly.
3. Maintain system security.
Email is, by nature, insecure. The FBI recommends that companies institute verification processes such as digital signatures and secure messaging. While many businesses find such processes cumbersome for internal emails, businesses should at least build and maintain robust security programs that include employee training about security practices at the individual level (e.g., password security, not clicking on suspicious links or downloading software, not transacting company business through personal email accounts), as well as systematic processes for checking and managing for malware infections and security breaches. Finally, when in doubt about a suspicious email, call your IT department as they can often help confirm if it is legitimate. Again, customer education on this point is essential.
4. Guard your personal privacy online.
The CEO Fraud crimes have often coincided with executive travel – a time when there is less ability to verify and validate. While it may be easy to find out the name and email address of a company executive, it is not as easy to find out the executive’s contacts and travel schedules. For individual security as well as for protecting company information, company websites should be cautious about broadcasting conferences and travel events, and employees at all levels should be careful about sharing information online about their work travel schedules, e.g., via social media.
5. File a complaint.
If your customer has been the victim of a BEC scam, they can file a complaint with the FBI’s Internet Crime Compliant Center (IC3) at www.IC3.gov. Reporting this type of crime will initiate an FBI investigation to help reclaim stolen funds. Reports also help provide better insights into how to fight these types of attacks. Your bank should also consider completing a suspicious activity report, contacting your primary regulator, and contacting your insurer, as appropriate.
BEC Crimes are on the rise and can have significant financial impact on your business. Make sure your customers have been educated about behavior that may indicate fraud and that your bank has a robust policy in place to protect your customers and your business.