By Stu Sjouwerman, CEO, KnowBe4
Your CEO is emailing you, the finance director for your organisation, asking you to transfer funds from one account to another one. This is standard stuff so you make the transfer and get on with your day. No problem.
Except there is a problem. Your CEO is still tucked away in meetings and hasn’t made the request at all. You realise you’ve been had. A bad guy, hiding behind the guise of your chief executive officer, just tricked you into transferring corporate funds into his personal bank account. Big problem.
Turns out the problem is much bigger than most of us are aware. CEO fraud, also known as Business Email Compromise (BEC), is growing with alarming quickness. By spoofing emails and impersonating executives or suppliers, these criminals trick people into sharing data or making a large wire transfer. The most recent U.S. Federal Bureau of Investigation (FBI) public service announcement on the subject notes that over the past three years, more than 40,000 BEC incidents have cost organisations around the globe more than $5 billion (£3.69 billion).
Businesses think it won’t happen to them, but it does. Aerospace company FACC lost around $54 million to CEO fraud in January 2016; SS&C Technologies Holdings, a financial services software firm, was fleeced for $5.9 million; and hard drive manufacturer Seagate inadvertently shared the personal information of 10,000 existing and former employees that was used to file fraudulent tax returns. Just last summer, MacEwan University in Edmonton, Canada transferred more than £8 million to what it thought was an existing construction partner.
How it Happens
A day that involves CEO fraud begins like every other day. Staff do their normal tasks and work with the people they usually work with. In fact, the MacEwan University example above involved local contractors that the accounts payable staff members worked with very regularly.
Most CEO fraud begins with a phishing email. A typical scam looks legitimate, using the correct email address and the proper logo or other asset to pose as a trusted bank, supplier, IRS official or C-suite leader. Social media often spills secrets, giving criminals enough information for them to demonstrate detailed knowledge of the company workings. And, sometimes, an especially shrewd bad guy might even access the network months beforehand, observing habits and protocols to more accurately impersonate the right executive or authority. Taking the needed steps to appear as legitimate as possible, these phishing emails often convince even savvy employees to transfer a large sum of money or share sensitive data.
The question is: Does phishing really work anymore? Yes. Very well. The Verizon 2018 Data Breach Investigations Report makes it clear: phishing represented 98 percent of social engineering attacks in 2017, and was involved in 93 percent of breaches.
The targets range from HR and IT teams to C-level leaders and anyone with finance approval. The actual techniques vary. Sometimes an email will mimic a long-standing wire-transfer relationship with a supplier, but ask for the funds to be sent to a different account (as with the MacEwan University example). Or they might hack an employee’s email account to invoice company suppliers, with payments transferred to bogus accounts. Accountants and HR staff might be asked to send employee information or W-2 forms to a new email address.
Because the requests look legitimate and justified, the fraud is rarely discovered soon enough to be stopped. And it’s not just the money stolen that impacts the company. Several lawsuits have been filed on behalf of employees angry that their workplace did not protect their data with stronger security, most notably by Seagate employees in 2016.
While there is always a chance of an employee or leader falling for a convincing email, investing in your users and making them your last line of defence can go a long way toward deflecting these attempts.
- Step 1. Who are your high-risk users? Usually you’ll find that senior leaders, HR staff or financial personnel are the ones who have access to, or responsibility for, money or data. Review social networks and aggregator sites like Crunchbase to see how much information is available about them online, especially job duties and contacts from other teams and companies. Then evaluate how easy it would be to impersonate them by email using this information.
- Step 2. Implement security controls like email filtering, two-factor authentication, access and identity controls, and permission levels. Even though they are not foolproof, they are important parts of a defence-in-depth strategy. Also, adopt whitelists or blacklists for external traffic. These won’t completely block phishing emails, but they’ll eliminate quite a few.
- Step 3. Create policies and procedures that can catch hasty mistakes. A strict wire transfer policy requiring multiple authorisations, time delays and identity verification can all go a long way toward preventing disaster and loss. Register as many domains as you can that are just slightly different from the actual company domain. Implement domain spoof protection and create detection system rules that flag any emails using extensions similar to company email.
- Step 4. Provide security awareness training that actually works – not the gather-in-the-lunchroom-once-a-year kind – so your staff knows how to look for red flags. While most phishing emails are well-architected, grammatical errors and odd wording are usually present and noticeable. Often the company name will be altered slightly: LinkedIn, for example, might show as LlinkedIn. Another warning sign: the request for an expedited turnaround. Criminals want your staff to act quickly, before they can realise something is wrong. If an email repeatedly mentions an “urgent wire transfer” or an “urgent invoice payment” and includes “new account information” or other “new” accounts and changes, it’s a sign of a scam.
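The detection rules described in Steps 3 and 4 (flagging senders on domains that are only slightly different from the company's own, replies silently redirected elsewhere, and "urgent" requests paired with "new account" details) can be expressed as a simple mail-gateway check. The following is an added example, not KnowBe4's code or a product rule; the company domain and the sample message are constructed placeholders.

```python
import email
import email.utils
from email import policy

COMPANY_DOMAIN = "example-corp.com"  # assumed, hypothetical organisation domain
URGENCY = ("urgent wire transfer", "urgent invoice payment")
CHANGE = ("new account", "new bank", "updated account details")

def edit_distance(a, b):
    """Levenshtein distance; catches lookalike domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header):
    """Lower-cased domain of an address header, or '' when the header is missing."""
    _, address = email.utils.parseaddr(str(header or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def assess(raw):
    """Return the list of red flags for one raw message; an empty list means none found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # Step 3: a domain close to, but not equal to, the real company domain.
    if sender != COMPANY_DOMAIN and 0 < edit_distance(sender, COMPANY_DOMAIN) <= 2:
        flags.append(f"lookalike sender domain: {sender}")
    # Replies routed to a different domain than the one the recipient sees.
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain differs from sender: {reply_to}")
    # Step 4: urgency plus "new account" language in the body.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    if any(p in body for p in URGENCY):
        flags.append("urgency language")
    if any(p in body for p in CHANGE):
        flags.append("new-account language")
    return flags

# Constructed sample message (not a real incident) exercising all four rules.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe@example-corpp.com>
Reply-To: jane.doe@mail-relay.example.net
Subject: Urgent wire transfer

Please process an urgent wire transfer today; the supplier sent new account information.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run over real mail flow this belongs in the gateway or SIEM rule engine; the four flags returned for the sample message above are the signals the policy in Step 3 should route to a second approver rather than to the payment queue.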
What to Do
In most cases, only four percent of funds are ever recovered. Usually the fraud isn’t detected in time for recoupment, with most transfers successfully reaching criminal hands in China and Hong Kong. If you do experience a CEO fraud attack, whether it’s a fraudulent transfer of funds or data, you want to act quickly and follow these steps:
- Contact your bank. Provide as many details as possible to see if they can stop or even recall the transfer.
- Contact law enforcement, starting with the police who may work with Action Fraud, the UK’s national fraud and cybercrime reporting centre, to recover the funds.
- Contact your insurance company to see if your policy covers this kind of attack.
- Get with your IT team to investigate and do damage control. That means closing off the attack vector, recovering hacked email accounts, and eradicating malware. Don’t hesitate to bring in outside security specialists; they likely have experience in these kinds of attacks and can suggest new techniques for strengthening your security controls.
Since it works and is often low cost for bad guys, CEO fraud isn’t going away any time soon. Criminals will continue to phish for your data and financial assets as long as technology exists. But by anticipating this type of threat and preparing for it, you can make strides in heading off a would-be attack. One of the most important steps is to educate your workforce and leadership so you can boost awareness and your general security and not become today’s catch.