CEO Fraud: Lessons From an AttackWhy Employees Are the Best Lines of Defense
CEO fraud email campaigns are becoming far more common. And because these scams hinge on well-crafted social engineering, employee education is the best way to mitigate risk and avoid fraud losses.
The scams, also known as business email compromise attacks, are designed to fool accounting staff into scheduling and approving fraudulent wire transfers.
"It's easy to see how these scams often trick otherwise diligent employees into bypassing basic security measures."
In recent weeks, my employer, Information Security Media Group, was targeted by one of these scams, but we dodged any fraud losses thanks to the alertness of my ISMG colleague who received the request.
Most of the bankers I've spoken to about these schemes, which continue to plague their small business customers, say they're increasingly dedicating time and resources to customer education - either by going out to visit clients, hosting educational events at their branches or posting information to their websites about the common types of CEO fraud they see.
CEO Fraud Losses Exploding
The FBI warned in August 2015 that losses linked to business email compromise attacks worldwide totaled more than $1.2 billion from October 2013 through August 2015.
But David Pollino, deputy chief security officer at Bank of the West, says losses in 2015 alone likely exceeded $1 billion.
According to the 2016 Association for Financial Professionals' Payments Fraud and Control Survey, 64 percent of organizations in 2015 were exposed to business email compromise scams, a leading cause of wire fraud today. As a result, 48 percent of organizations were exposed to wire fraud, up from 27 percent in 2014, the AFP notes.
"Each year, payments and cyber fraud schemes grow in sophistication, and knowing how to recognize and manage these threats is critical to protecting your organization," notes Nancy McDonnell, managing director and treasury executive for JPMorgan Chase, the underwriter for the AFP's annual survey. "Investing in the appropriate data-protection tools, infrastructure controls and employee education is essential for all businesses."
Simple Attacks Have Big Payout Potential
CEO fraud attacks are relatively unsophisticated, but nevertheless, often successful. They're typically waged with a spoofed email address that mimics that of a CEO, with the email demanding that an accounting staff member schedule an urgent wire transfer. The more sophisticated versions of these scams are well-researched and well-written, using company details that make the message appear legitimate.
Because of the success these types of attacks have seen in recent years, I'm not surprised ISMG was targeted.
The spoofed request we received, which went to an employee on our marketing team, immediately raised red flags. The reply-to email address feigning to be from our CEO was nothing close to the legitimate address we use for email. Further investigation of the email header showed that even the sender email address was different from the "reply-to and from" email addresses. What's more, the first name of our CEO was misspelled in the reply-to line as well as the body of the message.
The fraudster sent multiple requests asking our employee to transfer nearly $18,000 to an account at a top-tier bank in Texas. When we didn't comply, the requests eventually stopped.
Why Employees Are Fooled
Of course, some CEO fraud campaigns are far more sophisticated than the one that hit us at ISMG. So it can be relatively easy to trick someone not suspicious of the signs of danger to simply push payments through as a result of what appears to be urgent, persistent requests from the CEO.
Even in the campaign that hit one of our marketing employees, you can see the urgency the fraudster keeps stressing. In one of the requests, the fraudster notes that the wire must be scheduled immediately.
It's easy to see how these scams often trick otherwise diligent employees into bypassing basic security measures designed to authenticate wire transfers, especially those going to unknown accounts.
Mitigating the Risks
Email authentication can help mitigate the risks, but nothing beats good old-fashioned employee education.
What should businesses do first if they fall victim to a CEO fraud scam? Fraud-fighting experts advise them to contact the fraud department at their banking institution, explain what happened and ask the bank to contact the fraud department at the recipient bank. After that, contact law enforcement.
After ISMG was targeted by a scam, we were advised by a U.S. attorney's office to file a complaint with the FBI's Internet Crime Complaint Center.
We did quite a bit of outreach to see if we could help law enforcement catch the fraudster. But so far, we haven't made much headway.
We're thankful that we didn't fall for the scam and glad we could share some of our experience with you.
And next week, at our New York Fraud and Breach Prevention Summit, we'll offer an important opportunity for banking institutions to learn more about what they should be doing to keep their business customers informed about emerging CEO fraud schemes - as well as the steps they should take when a scam is identified.
John Wilson, chief technology officer at online security firm Agari, will review some of the latest trends in email fraud schemes and describe what businesses can do to reduce their risks and what banks should be doing to educate their customers. I hope you'll join us.