Business Email Compromise (BEC), also known as “CEO Fraud”, is a growing problem across the world.
In the US, more than 7,000 companies were reported to have lost $750m between October 2013 and August 2015, according to the FBI. The real figure is probably much higher, because companies tend not to report this kind of incident. Aaron Higbee, co-founder of the US security company PhishMe, has said that he believes the real cost in the US was closer to $2bn between 2013 and 2015. In France, the figure is €465m since 2010. Household names like Michelin, KPMG and Nestlé have lost significant sums to it.
BH Consulting have now noted that the problem has spread to Ireland, with the Central Bank among those affected. In November 2015, IRISSCERT, Ireland's Computer Emergency Response Team, said that it had seen a large number of these attacks.
But what is it?
Put simply, it is a form of email fraud in which someone in a company receives an email, apparently from someone more senior, requesting the transfer of funds to a bank account, usually in a foreign country. Between 2005 and 2006, Gilbert Chikli, a French-Israeli man, scammed more than 30 banks and companies out of €7.9m by pretending to be company heads or secret service agents. He now lives in Israel, avoiding extradition to France.
The technique has carried on into the cybercrime world and has only become more successful. Cybercrime in general is estimated to cost around 1% of global income per annum, and CEO Fraud is becoming a key component of it.
How do they do it?
First, the scammers establish a foothold. They may phish an executive to gain access to their mailbox. If that fails, there are ways around it. Lookalike domains can be registered with names very close to the real one (for example, domaiin.ie instead of domain.ie). There are also web-based tools that let the sender put whatever address they like in the “From” field of an email, and set a different “Reply-To” address, so that any replies go to the scammer rather than to the real owner of the address shown.
Once they have the mailbox, or a convincing imitation of it, they identify the right recipient. This could be an accountant, or anyone with access to the company’s finances. They usually open with an email that appears to come from the CEO or another executive and stresses both the urgency of the request and the need for secrecy. In many cases a second person, claiming to be a lawyer or another interested party, then phones the accountant and emails instructions for transferring money to a foreign bank account.
There is usually pressure to bypass the normal procedures for transferring large sums of money.
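The tricks described in this section (a lookalike domain, a forged “From” address with a different “Reply-To”, an executive's name on a stranger's address, and urgent, secretive language about a transfer) all leave traces that can be checked before anyone picks up the phone. The script below is an added example, not code from the original article or from BH Consulting, that runs those checks over raw email text. The organisation domain, the executive name and address, the keyword lists and the three sample messages are all constructed for the example; it uses the page's own domaiin.ie/domain.ie illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's real domain and the
# display names its executives use on their real addresses.
ORG_DOMAIN = "domain.ie"
EXECUTIVES = {"ceo@domain.ie": "Jane Doe"}

# Language typical of a BEC lure: time pressure, secrecy, money movement.
PRESSURE = re.compile(r"\b(urgent|urgently|immediately|today|asap|confidential|secret|between us)\b", re.I)
MONEY = re.compile(r"\b(transfer|wire|payment|invoice|bank details)\b", re.I)


def levenshtein(a, b):
    """Edit distance; a registered lookalike is usually within 1-2 edits of the real domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def analyse(raw):
    """Return a list of BEC indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)

    # 1. Sender domain is not ours but is only a typo away from it (domaiin.ie vs domain.ie).
    if from_dom != ORG_DOMAIN and levenshtein(from_dom, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")

    # 2. Replies would leave the sender's domain: the classic forged-From / real-Reply-To pair.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    # 3. An executive's display name on an address that is not that executive's.
    for exec_addr, exec_name in EXECUTIVES.items():
        if from_name.strip().lower() == exec_name.lower() and from_addr.lower() != exec_addr:
            findings.append("display-name-impersonation")

    # 4. Urgent or secretive wording combined with a request to move money.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PRESSURE.search(text) and MONEY.search(text):
        findings.append("urgent-transfer-language")
    return findings


# Constructed sample messages (not real traffic).
LOOKALIKE = "\n".join([
    "From: Jane Doe <jane.doe@domaiin.ie>",
    "To: accounts@domain.ie",
    "Subject: Payment",
    "",
    "I need you to make an urgent wire transfer today. Keep this confidential.",
])
SPOOFED_REPLY_TO = "\n".join([
    "From: Jane Doe <ceo@domain.ie>",
    "Reply-To: Jane Doe <jane.doe.ceo@gmail.com>",
    "To: accounts@domain.ie",
    "Subject: Quick favour",
    "",
    "Are you at your desk? I need a transfer done immediately and it must stay between us.",
])
LEGITIMATE = "\n".join([
    "From: Jane Doe <ceo@domain.ie>",
    "To: accounts@domain.ie",
    "Subject: Management accounts",
    "",
    "Can you send me the September management accounts when you have a minute? Thanks.",
])

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("spoofed", SPOOFED_REPLY_TO), ("legit", LEGITIMATE)]:
        print(label, analyse(raw))
```

The second sample shows the limit of header inspection alone: a “From” address carrying your exact domain looks clean here and is only caught because the Reply-To points elsewhere. Detecting an exact-domain forgery with no Reply-To needs the receiving server's SPF, DKIM and DMARC results, not the headers the sender wrote. The edit-distance check likewise misses tricks such as a subdomain of an unrelated domain (domain.ie.example.net), so treat the findings as a prompt to verify by phone, not as proof either way.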
The volume at which scammers can send these fraudulent emails is alarming, and only a small percentage need to succeed for the scheme to pay. According to Higbee, the scam works because it is low-tech: it does not need employees to open unknown attachments. It relies purely on human nature. People are eager to obey those in positions of power, and they respond less critically when put under time pressure. It is, for all intents and purposes, a psychological scam carried out through digital means.
Fraudsters may also pose as a bank’s IT department and ask for a test transfer to be made. In other cases they have posed as suppliers asking that any outstanding invoices be paid into a new bank account.
Examples of this psychological scam
Between 21 May and 27 May 2014, AFGlobal Corp. in the USA was defrauded of $480,000 after an email, supposedly from CEO Gean Stalcup, was sent to the company accountant. It was followed very quickly by a phone call and further emails from a lawyer, apparently from the KPMG group. Only when the “CEO” asked for another, much larger transfer did the accountant realise something was wrong and report the incident to the company's officers. According to the company, the fraudsters seemed to know its normal procedures and that the CEO had a close relationship with the accountant. Medidata Solutions Inc. fell prey to the same scheme in February of the same year, transferring $4.8m before flags were raised.
In France, Etna Industrie was defrauded of €500,000 in the space of one hour when the accountant was subjected to a blast of phone calls and emails. Under time pressure, she skipped the usual procedure and authorised the transfer.
How to avoid it
There are a number of things your organisation can do to avoid falling prey to this type of scam.
- Ensure passwords are kept personal and secure. They should also be changed regularly.
- Where possible, implement two-factor authentication for email accounts.
- Be strict with financial procedures and make sure everyone knows the chain of command for requests. Even where a request must be kept confidential, there should be people within the organisation it can be run past. Confirm the request by phone or in person, and always use contact details you have stored yourself, never ones supplied in the suspicious email.
- Always treat an email requesting a large transfer of money with suspicion. It’s better to be safe than sorry.
- Make sure everyone in your organisation knows about this kind of scam, and stays vigilant.
- Keep your spam filters, your anti-virus and all of your software as up to date as possible; outdated software is far more vulnerable to malware. Bear in mind that spam filters catch bulk phishing but not necessarily a carefully targeted message from a lookalike domain, and that publishing SPF, DKIM and DMARC records for your own domain makes it harder for a forged “From” address to carry your exact domain.
If your organisation does encounter a problem like this, contact your bank or financial institution first. Do this immediately, as there are some first-instance remedies they can employ, such as recalling pending payments. After you have contacted them, contact An Garda Síochána. The Garda Bureau of Fraud Investigation has a cybercrime unit which deals explicitly with this issue.