I am emailed hundreds of articles and blogs every day, and although 80% may not be of particular interest, there is always a nugget or two worth reading. Today was no exception, and I received one that particularly caught my eye. Posted this morning, April 16, 2016, and written by Brian Krebs of www.KrebsonSecurity.com, it bore the very eye-catching title –
"FBI: $2.3 Billion Lost to CEO Email Scams."
As a CEO and one that receives at least two to three scam emails that make it past our email defense, this one really hit home. As I read the article, it became eerily apparent that our company had been hit by this scam many times over the past four months. It made me think if our little company has been hit that many times, how many of my other CEO friends have been or may be hit shortly? This is my small attempt to spread the word and hopefully help someone avoid a costly and embarrassing disaster.
Here's how it basically works –
- Staff in your financial department, typically the CFO, controller, etc., receive an email directly from the CEO’s legitimate email account asking them to authorize a wire transfer of funds.
- The CEO, being very busy and authorizing many transfers to run a business, quickly sees the email and answers ‘yes’, assuming it must be legitimate since it came from your inside CFO.
- The CFO then provides the wiring instructions, and the amount is transferred to the bad guys.
In the blink of an eye, your company is out thousands if not millions of dollars. Although you might think a request like this would raise red flags, it is very brief and includes names that are all legitimate within the company. Furthermore, it is very common for CEOs to authorize wires in the course of normal business. I authorize a minimum of two to three a month.
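The flow above works because the names in the message are all real; the part the recipient rarely looks at is the header. The following is an added example, not code from the original post or from Krebs's article: a small check that a mail gateway or a SIEM rule could apply to inbound mail to surface the two tell-tales of an executive impersonation, a known executive's display name on an address outside our own domain, and a Reply-To that steers the conversation to an outside mailbox. The executive names, the domain `example.com`, and the two sample messages are all constructed for the example.

```python
"""Flag inbound mail that impersonates a named executive (added example)."""
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"          # assumption: the company's own mail domain
EXECUTIVES = ("Jane Doe", "Sam Roe")     # constructed: executives worth protecting
FINANCE_WORDS = ("wire", "transfer", "urgent", "payment")


def name_tokens(display_name: str) -> frozenset:
    """Order-insensitive, case-insensitive name key ("Doe, Jane" == "Jane Doe")."""
    return frozenset(display_name.replace(",", " ").casefold().split())


EXEC_KEYS = {name_tokens(n) for n in EXECUTIVES}


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].casefold()


def assess(raw: bytes) -> list:
    """Return the reasons a raw RFC 5322 message looks like executive impersonation.

    An empty list means no indicator fired. This is a triage signal only; the
    control that actually stops the wire is out-of-band verification.
    """
    msg = email.message_from_bytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reasons = []

    # Indicator 1: an executive's name on a sender that is not our domain.
    if name_tokens(from_name) in EXEC_KEYS and domain_of(from_addr) != INTERNAL_DOMAIN:
        reasons.append(f"executive display name on external sender {from_addr}")

    # Indicator 2: replies are redirected to a different domain than the sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        if domain_of(rt_addr) != domain_of(from_addr):
            reasons.append(f"Reply-To {rt_addr} differs from From domain")

    # Indicator 3: money talk, counted only when another indicator already fired,
    # so ordinary finance traffic is not flagged on keywords alone.
    subject = (msg.get("Subject") or "").casefold()
    if reasons and any(w in subject for w in FINANCE_WORDS):
        reasons.append("financial keywords in subject")
    return reasons


# Constructed sample messages (not real mail).
SPOOFED = b"""From: "Jane Doe" <jane.doe@example-mail.co>
Reply-To: <ceo.jdoe@freemail.example>
To: controller@example.com
Subject: Urgent wire transfer
Message-ID: <1@example-mail.co>

Are you available? I need a wire sent today, will send details.
"""

LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: controller@example.com
Subject: Q2 board deck
Message-ID: <2@example.com>

Attached is the deck for Thursday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        print(label, assess(raw) or ["no impersonation indicators"])
```

Run as written, the spoofed sample trips all three indicators and the legitimate one trips none. The check deliberately says nothing about whether the message is fraudulent; it only decides which messages deserve the phone call the FBI advises, which is the step that matters.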
Taking an excerpt from Krebs' excellent article –
The U.S. Federal Bureau of Investigation (FBI) this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years.
In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270 percent increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries.
A typical CEO fraud attack. Image: Phishme
The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars.
Last month, the Associated Press wrote that toy maker Mattel lost $3 million in 2015 thanks to a CEO fraud phishing scam. In 2015, tech firm Ubiquiti disclosed in a quarterly financial report that it suffered a whopping $46.7 million hit because of a CEO fraud scam. In February 2015, email con artists made off with $17.2 million from The Scoular Co., an employee-owned commodities trader. More recently, I wrote about a slightly more complex CEO fraud scheme that incorporated a phony phone call from a phisher posing as an accountant at KPMG.
The FBI urges businesses to adopt two-step or two-factor authentication for email, where available, and to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.
As you can see in the email image above, it looks very innocuous and legitimate. My accounting team has received this very email from me at least 4 times in the past few months. Thankfully, they know better and we have two-factor authentication, as suggested in the article. Once we request a transfer, there is a second step required that only I can do with information only I would have.
In talking to our in-house security expert, I learned that this type of scam is actually not called phishing but whaling, because it targets a much smaller number of high-profile individuals with access to larger sums of money.
I encourage you to share this information with your accounting team as well as your clients where appropriate. It is deceptively simple to fall for, and I know at least two of my CEO friends who were literally one button click away from transferring over $60,000 before they did the last-second double-check and avoided the disaster.
You can read the full article here –