By Todd R. Weiss
First of two parts
It starts out innocuously enough when an important-looking email comes in to a company employee. The sender’s email address is that of the company’s CEO, claiming that a payment needs to be made to a client or vendor immediately.
The email, which contains some sense of urgency, tells the employee to wire transfer an amount of money, perhaps $50,000 or more, to a specific company or bank account. The reasons vary but follow a common theme: A vendor has a new bank account and prior payments to that vendor failed. The company is “late” on its payments and a purchase needs to be made for necessary products or services. Whatever the purpose, the CEO does not have the time to go through normal check-request procedures and requires a quick response.
Often these requests are made when the CEO is out of town (the CEO’s or company’s own social media accounts might have mentioned he or she is at a conference or traveling on business — attackers have a lot of ways to determine when an executive is traveling) and confirmation might be difficult. So, in response to an email that looks like it comes from the CEO, the company employee immediately processes the check request and sends the wire transfer. The underlying concern for the employee is that if they do not process the request, their job could be in danger.
Poof. A relatively untraceable wire payment was just made to cyberthieves who just pulled off a quick scam by playing on the emotions, worries and goodwill of an unsuspecting company employee. The company was just victimized by a CEO fraud email attack, also known in law enforcement circles as a business email compromise (BEC) attack.
It could never happen to us in our business, say many executives. Hogwash.
It can and it does happen every day and it likely will continue to happen inside businesses for as long as cyberthieves play their emotion-throttled games with unsuspecting victims within companies where adequate training, policies, and procedures are lacking.
The FBI has been tracking these kinds of business email fraud attacks since 2013 and reports that companies have been victimized in every state and in more than 100 countries around the world. These crimes have happened to non-profits, Fortune 500 corporations, churches, school systems and other businesses.
The global losses in 2018 alone are expected to exceed $9 billion from these crimes, according to a recent analysis from one cybersecurity vendor. That is up from $5 billion in such losses that were predicted by the FBI for 2017, and nearly triple the estimated $3.1 billion in global losses that were seen in 2016.
So, what is the root of the problem and how can it be curtailed or stopped?
“This is not a technology attack; it’s a psychological attack,” says Lance Spitzner, director of SANS security awareness at the SANS Institute, a security research and education group. The methods for stopping the attacks remain the same as they have since they began, says Spitzner: Start by training employees to view all suspicious emails, especially those with a rushed or emergency tone and unusual requests, as fake emails that are trying to steal money from the company.
Essentially, he says, employees need to be taught about the clues and indicators that point to email fraud attacks and then to always follow established procedures in response, such as verbally checking with the CEO or other senior staffer to confirm that they sent the request.
While this type of attack is often called “CEO Fraud,” it could refer to any senior executive who is being impersonated by the attacker in order to get a lower-level staffer to take a specific action. Sometimes the action itself is not sending money; it could be a request to unlock a door that is normally locked (creating a physical breach vulnerability) or perhaps sending employees’ personal information, such as W2 tax documents or pay stubs, to a non-company email address in order to steal employees’ identities.
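As an added, defender-side illustration (not code from the article, the FBI or SANS), the clues described above can be turned into a simple mail-triage check that holds a suspect request for the verbal confirmation Spitzner recommends. The company domain, the executive directory and the two sample messages are constructed placeholders, and an exact spoof of the executive's real address with no Reply-To trick would pass the address checks, which is why the out-of-band call remains the real control.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed company domain and executive directory (constructed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Wording the article associates with these requests: urgency plus a payment or payroll-data ask.
URGENCY_WORDS = ("immediately", "urgent", "asap", "right away", "cannot take calls")
REQUEST_WORDS = ("wire transfer", "new bank account", "payment", "w2", "w-2", "pay stub")

# Constructed sample messages: a lookalike-domain fraud attempt and a benign note.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent payment
Content-Type: text/plain

Please wire transfer $50,000 to the vendor's new bank account immediately.
I am traveling and cannot take calls, so just get it done.
"""
SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

def triage_bec(raw_message: str) -> dict:
    """Score one RFC 822 message for CEO-fraud indicators and decide how to handle it."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (part.get_content() if part else "")).lower()
    on_file = EXECUTIVES.get(display_name.strip().lower())
    indicators = {
        # A known executive's name, but not the address on file (lookalike domain, webmail, etc.).
        "exec_name_addr_mismatch": on_file is not None and from_addr.lower() != on_file,
        # Replies would go somewhere other than the visible sender.
        "reply_to_mismatch": reply_addr.lower() != from_addr.lower(),
        "external_sender": from_addr.lower().rsplit("@", 1)[-1] != COMPANY_DOMAIN,
        "urgency": any(w in text for w in URGENCY_WORDS),
        "payment_or_payroll_request": any(w in text for w in REQUEST_WORDS),
    }
    score = sum(indicators.values())
    if indicators["payment_or_payroll_request"] and score >= 3:
        action = "hold: confirm verbally with the executive on a known phone number before acting"
    elif score >= 2:
        action = "warn: possible executive impersonation"
    else:
        action = "deliver"
    return {"indicators": indicators, "score": score, "action": action}

if __name__ == "__main__":
    print(triage_bec(SAMPLE_FRAUD)["action"])   # hold: confirm verbally ...
    print(triage_bec(SAMPLE_BENIGN)["action"])  # deliver
```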
The employees must be trained carefully not to give in to emotions under stress when the resourceful and convincing thieves try to get them to respond by sending money, no matter what the threats or pleas are from the attackers, says Spitzner. “Their level of commitment to withstand the attacks rivals that of the guys who hold nuclear codes,” he says.