The “business email compromise” (BEC) scam, sometimes called CEO Fraud, is an effective corporate attack in which crooks use social engineering, posing as a corporate executive such as the CEO, to get employees to wire funds to the attackers. One tech company was recently swindled out of $47 million. Another company was scammed out of $1.8 million. The FBI has reported more than 12,000 victims globally with a loss of over $2 billion in just the past two years. And the numbers continue to grow, with a 270 percent increase in complaints to the FBI since the beginning of 2015.
Let me break down how this scam works. A controller or finance employee is told via email by the “alleged” CFO or CEO to wire money to a specified account for what appears to be a valid business reason. Being good employees and not wanting to disregard the CEO or CFO, they follow the directions, all the while believing that the CEO is asking them to do it and not realizing that they are sending money to crooks.
We've seen this firsthand. The first attempt against Centrify was in 2014, well before this scam had been widely publicized. Our VP of finance got an email from “Tim” (our CFO), which appeared to be a forward of a request from me, the CEO. An attachment was a PDF of wire instructions for a company called “Indeva Corporation” that actually had a Citibank account in the U.S.
Luckily, Centrify had (and still has) a stringent division of labor and set of policies and approvals for wire transfers. Also, it happened that at this time, the VP of finance was in an office next to the real Tim. So while waiting to hear back from the accounting manager, she happened to bump into Tim in the hallway and mentioned that she had vectored my request to the accounting manager, but she still needed proper documentation for the wire. Tim replied “what?” and asked to see the email. Meanwhile, I strolled into work, and Tim saw me walking by his office and asked me about my requesting a wire transfer that morning. I said “huh?”, confirming to us all that a scam was on.
Our policies caught the attack before it did any financial damage. Here are nine steps you can take immediately to defend against this so-called CEO Fraud:
1. The first step is to immediately educate your team about this threat and implement training programs around privacy and security. Employees must be vigilant about responding to requests for money transfers or for any sensitive information.
2. Sit down with your accounting team and make sure that proper documentation and approvals are required for all wire transfers.
• Make sure that any wire transfer is associated with and maps to an actual purchase inside the accounting system (again, proper documentation).
• Determine whether a separation of duties exists between the initiator and the approver of wire transfers.
• For large wire transfers, request that G&A add a phone call to the approval process.
3. Register look-alike domain names that are variations of your company name. For example, if you have an upper case “I” in your name, buy the domain where a lower case “L” is swapped for the “I”; if you have an “E” in your domain name, buy the domain that has a “3” in place of the “E”; and so on.
4. Add multifactor authentication to all key apps (including financial systems) so users can confirm they really are who they claim to be (e.g., when initiating a wire transfer).
5. Layer on additional identity controls, such as privileged session monitoring for sensitive systems, to guard against crooks who may try to compromise the credentials of key finance employees.
6. The FBI recommends that security teams create system rules that flag emails whose sender domain closely resembles the company's own domain. For example, while an email from abc_company.com would be legitimate, the system would flag a similar-looking, fraudulent email from abc-company.com.
7. C-level executives tend to expect action on demand. But in some cases, it's better to take a slow-and-steady, cautious approach. Ensure that your finance team is comfortable double-checking directives from the top.
8. Trust your instincts. In many cases, victims executed the transfer even though they later reported a “nagging feeling” about the request. If it feels wrong, trust your intuition and take another look.
9. If your company experiences an incident of BEC, report it to your local FBI or U.S. Secret Service field offices immediately.
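Steps 3 and 6 both come down to the same question: which domains look like ours but are not ours? The script below is an added example, not Centrify's code or the FBI's rule set. It generates the single-edit look-alike variants of a company domain (the list a team would review when deciding which names to register defensively) and then applies the step-6 flagging rule to inbound mail, checking both the From and Reply-To headers against the legitimate domain. The company domain abc_company.com is the one from the post; the confusable-character table, the sample messages and all function names are constructed for illustration.

```python
"""
Look-alike sender-domain generator and mail-flagging check.

Added example for the post's steps 3 and 6; not Centrify's code.
Company domain comes from the post; everything else is constructed.
"""
from email.utils import parseaddr

# Glyph swaps a forger might use (constructed table; extend as needed).
# Domains are case-insensitive, so the post's upper-case "I" / lower-case "L"
# trick appears here as the i <-> l pair.
CONFUSABLES = {
    "i": ["l", "1"],
    "l": ["i", "1"],
    "e": ["3"],
    "o": ["0"],
    "a": ["4"],
    "s": ["5"],
    "m": ["rn"],
}


def lookalike_variants(domain: str) -> set[str]:
    """Single-edit variants of `domain` (registrable name only; TLD kept):
    confusable swaps, dropped characters, adjacent transpositions, and
    hyphen/underscore games such as abc_company -> abc-company / abccompany."""
    name, _, tld = domain.lower().rpartition(".")
    variants: set[str] = set()
    for i, ch in enumerate(name):
        for sub in CONFUSABLES.get(ch, []):
            variants.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
        if len(name) > 1:                                   # dropped character
            variants.add(f"{name[:i]}{name[i + 1:]}.{tld}")
        if i + 1 < len(name) and name[i] != name[i + 1]:    # transposition
            variants.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    for sep, other in (("-", "_"), ("_", "-")):
        if sep in name:
            variants.add(f"{name.replace(sep, other)}.{tld}")
            variants.add(f"{name.replace(sep, '')}.{tld}")
    variants.discard(domain.lower())
    return variants


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, company_domain: str, max_distance: int = 2) -> bool:
    """Step-6 rule: the sender domain is NOT ours, but is either a known
    look-alike variant or within a small edit distance once separators are
    ignored. The exact company domain is never flagged."""
    s, c = sender_domain.lower(), company_domain.lower()
    if s == c:
        return False
    if s in lookalike_variants(c):
        return True
    strip = lambda d: d.rpartition(".")[0].replace("-", "").replace("_", "")
    return levenshtein(strip(s), strip(c)) <= max_distance


COMPANY_DOMAIN = "abc_company.com"  # the post's example of a legitimate domain

# Constructed sample headers, not real mail.
SAMPLE_MAIL = [
    {"from": "Tim <cfo@abc_company.com>", "reply_to": "", "subject": "Q3 numbers"},
    {"from": "Tim <cfo@abc-company.com>", "reply_to": "", "subject": "Urgent wire"},
    {"from": "ceo@abc_cornpany.com", "reply_to": "", "subject": "FW: wire instructions"},
    {"from": "cfo@abc_company.com", "reply_to": "cfo@abc_c0mpany.com", "subject": "FW: wire"},
    {"from": "sales@vendor.example", "reply_to": "", "subject": "Invoice"},
]


def sender_domain(addr: str) -> str:
    """Domain part of an RFC 5322 address, e.g. 'Tim <a@b.com>' -> 'b.com'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def flag_messages(messages, company_domain: str = COMPANY_DOMAIN):
    """Return (subject, header, domain) for each message whose From or
    Reply-To domain looks like, but is not, the company domain."""
    flagged = []
    for m in messages:
        for header in ("from", "reply_to"):
            addr = m.get(header, "")
            if addr and is_lookalike(sender_domain(addr), company_domain):
                flagged.append((m["subject"], header, sender_domain(addr)))
                break  # one hit per message is enough to flag it
    return flagged


if __name__ == "__main__":
    print("Variants to consider registering:", sorted(lookalike_variants(COMPANY_DOMAIN)))
    for subject, header, dom in flag_messages(SAMPLE_MAIL):
        print(f"FLAG: '{subject}' ({header}: {dom})")
```

The Reply-To check matters because a forged From address that matches the company domain exactly passes the step-6 rule; the scammer's real mailbox then sits in Reply-To so that the victim's answer reaches them. The edit-distance threshold is a trade-off: a distance of 2 is reasonable for a ten-character name like abc_company but will over-flag very short domains, so tune `max_distance` to the length of your own name or rely on the explicit variant list alone.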