It starts out innocuously enough when an important-looking email comes in to a company employee. The sender’s email address is that of the company’s CEO, claiming that a payment needs to be made to a client or vendor immediately.
The email, which contains some sense of urgency, tells the employee to wire transfer an amount of money, perhaps $50,000 or more, to a specific company or bank account. The reasons vary but follow a common theme: A vendor has a new bank account and prior payments to that vendor failed. The company is “late” on its payments and a purchase needs to be made for necessary products or services. Whatever the purpose, the CEO does not have the time to go through normal check-request procedures and requires a quick response.
Often these requests are made when the CEO is out of town (the CEO’s or company’s own social media accounts might have mentioned he or she is at a conference or traveling on business — attackers have a lot of ways to determine when an executive is traveling) and confirmation might be difficult. So, in response to an email that looks like it comes from the CEO, the company employee immediately processes the check request and sends the wire transfer. The underlying concern for the employee is that if they do not process the request, their job could be in danger.
Poof. A relatively untraceable wire payment was just made to cyberthieves who just pulled off a quick scam by playing on the emotions, worries and goodwill of an unsuspecting company employee. The company was just victimized by a CEO fraud email attack, also known in law enforcement circles as a business email compromise (BEC) attack.
It could never happen to us in our business, say many executives. Hogwash.
It can and it does happen every day and it likely will continue to happen inside businesses for as long as cyberthieves play their emotion-throttled games with unsuspecting victims within companies where adequate training, policies, and procedures are lacking.
The FBI has been tracking these kinds of business email fraud attacks since 2013 and reports that companies have been victimized in every state and in more than 100 countries around the world. These crimes have happened to non-profits, Fortune 500 corporations, churches, school systems and other businesses.
The global losses in 2018 alone are expected to exceed $9 billion from these crimes, according to a recent analysis from one cybersecurity vendor. That is up from $5 billion in such losses that were predicted by the FBI for 2017, and nearly triple the estimated $3.1 billion in global losses that were seen in 2016.
So, what is the root of the problem and how can it be curtailed or stopped?
“This is not a technology attack; it’s a psychological attack,” says Lance Spitzner, director of SANS security awareness at the SANS Institute, a security research and education group. The methods for stopping the attacks remain the same as they have since they began, says Spitzner: Start by training employees to view all suspicious emails, especially those with a rushed or emergency tone and unusual requests, as fake emails that are trying to steal money from the company.
Essentially, he says, employees need to be taught about the clues and indicators that point to email fraud attacks and then to always follow established procedures in response, such as verbally checking with the CEO or other senior staffer to confirm that they sent the request.
While this type of attack is often called “CEO Fraud,” it could refer to any senior executive who is being impersonated by the attacker in order to get a lower-level staffer to take a specific action. Sometimes the action itself is not sending money; it could be a request to unlock a door that is normally locked (creating a physical breach vulnerability) or perhaps sending employees’ personal information, such as W2 tax documents or pay stubs, to a non-company email address in order to steal employees’ identities.
The employees must be trained carefully not to give in to emotions under stress when the resourceful and convincing thieves try to get them to respond by sending money, no matter what the threats or pleas are from the attackers, says Spitzner. “Their level of commitment to withstand the attacks rivals that of the guys who hold nuclear codes,” he says.
Clear policies and procedures are necessary for employees to use in order to confirm a request that seems unusual or perhaps sets off pre-determined policy alarms, experts agree. However, for these policies and procedures to be effective, it is essential that the senior executives who might be spoofed in the malicious emails — the CEO, president, CFO or other senior executives — agree to respond when an employee is doing their due diligence and requesting that the executive confirm a request made by email or text message, says Joseph Blankenship, principal analyst at Cambridge, Mass.-based Forrester Research. Companies must foster a work environment where no worker will be criticized, hassled or challenged when they inquire about such messages.
“People are often scared to challenge the CEO” by making such direct inquiries, which is what the cybercriminals hope will occur, he says.
One way to battle attackers is to establish clear and concise code words or phrases that can be used by the real CEO or other senior executive to authenticate his or her identity in an emergency. If the established code words are not known and repeated exactly by the attackers, then the employee can have a strong indication the email request is fake and they can reject it without concern about being fired for not following orders, says Christian Christiansen, an IT security analyst with Hurwitz & Associates of Needham, Mass.
“It seems like CEO fraud is just the phishing attack that keeps on taking via wire fraud,” says Christiansen. “There are many solutions, even some that are tech-free, but people seem to mistakenly continue trusting email.”
That is where using secret codes, such as a few words in a pattern or specific statements about topics that are known only to the real CEO and their employees, can be particularly effective to authenticate an email sender, he says. Also important is creating and maintaining financial transaction procedures stating that no wire transfer can be initiated solely by one person, regardless of who that individual is. Instead, controls should be added so that all such transfers require a second or third person to authorize them over a certain amount, or if the money is being sent outside the United States, says Christiansen.
Similar controls should also be placed on corporate credit cards so that employees are not put in situations where they must make judgment calls during such attacks, he says.
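The transaction controls Christiansen describes, expressed as an added Python policy check (example code, not from the article or any named vendor): a wire is never released on the requester's say-so alone, a second approver is required above a threshold or for any international destination, a third above a higher threshold, and a first payment to a new beneficiary account must be confirmed by a phone callback. The thresholds and field names are hypothetical values chosen for the example.

```python
from dataclasses import dataclass, field

# Policy thresholds: hypothetical values constructed for this example.
SECOND_APPROVER_ABOVE_USD = 10_000
THIRD_APPROVER_ABOVE_USD = 100_000
HOME_COUNTRY = "US"


@dataclass
class WireRequest:
    requester: str                        # employee who keyed in the transfer
    amount_usd: float
    destination_country: str              # ISO-style code, e.g. "US"
    new_beneficiary_account: bool = False  # first payment to this account
    verified_by_callback: bool = False     # confirmed by phone on a known number
    approvers: list = field(default_factory=list)


def approvers_required(req: WireRequest) -> int:
    """Number of distinct approvers, other than the requester, the policy demands."""
    needed = 1  # baseline: a wire always needs a second set of eyes
    if req.amount_usd > SECOND_APPROVER_ABOVE_USD or req.destination_country != HOME_COUNTRY:
        needed = 2
    if req.amount_usd > THIRD_APPROVER_ABOVE_USD:
        needed = 3
    return needed


def authorize(req: WireRequest) -> tuple:
    """Return (released, reason). Urgency in the request plays no part here."""
    if req.requester in req.approvers:
        return False, "requester cannot approve their own transfer"
    distinct = set(req.approvers)
    if len(distinct) != len(req.approvers):
        return False, "duplicate approver"
    needed = approvers_required(req)
    if len(distinct) < needed:
        return False, f"{needed} approver(s) required, {len(distinct)} given"
    if req.new_beneficiary_account and not req.verified_by_callback:
        return False, "new beneficiary account must be verified by callback first"
    return True, "released"
```

A request that arrives with a "new vendor bank account" story, as in the scam described above, is stopped by the callback rule no matter who appears to have sent it.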
In our next installment we will look at more ways companies can protect their data and defend against the notorious BEC attacks.