In this scam, cyber-criminals research a CEO or senior executive, then use their insights to craft phone and email scams that trick employees into releasing funds or sensitive information.
Some Australian businesses have already fallen for the scam, with reports of between A$200,000 and A$1.5 million involved. Businesses with overseas partners and operations that routinely send funds overseas are particularly vulnerable, since requests for payments to foreign accounts won’t always raise a red flag.
As recently as last week, an international trading company we work with received what appeared to be a legitimate request to transfer USD $137,850 to a bank account in Hong Kong. This was another case of CEO scamming, so it is happening close to home.
Australia’s Computer Emergency Response Team has also recently warned of a new variety of CEO scam where an email purporting to be from the CEO requests the HR director to send names, addresses, wage details, tax file numbers and health care information about employees – leading to identity theft or a financial fraud, as data is shopped among cyber-crime gangs.
Shutting down an attempted fraud heavily relies on common sense as soon as something suspicious arises. When a CEO scam was aimed at American computer security software firm Forcepoint, the finance team – already alert to the risks of CEO scams – phoned the CEO to ask if the funds transfer request was legitimate. It wasn’t.
Bob Hansmann, Forcepoint’s director of security trends, notes that procedures need to be in place to protect a company from such attacks – and not just attacks from outside.
“IT has to partner with HR and the finance department to make sure there are procedures – a process to ensure it is done properly and that the right people authorise it,” he says.
Vigilance is the key to safeguarding against sophisticated identity scams that can cost your business big dollars.
“You also have to deal with intentional theft where there is a malicious insider. We have worked with credit-processing data sites where people have stolen 1,000 credit card details and sold them online. You need to be monitoring for behaviour that is out of the norm.”
GUARDING AGAINST CEO-TYPE SCAMS
- Educate staff to be sceptical about requests to transfer funds or data coming from the CEO’s email address.
- Remind senior staff to be careful about how much and what they share on social media.
- Pick up the phone and confirm that any CEO (or other senior staff) request for funds or data is legitimate.
- Don’t use the reply function to an email you believe might not be legitimate – send a fresh one to avoid being routed to an alias or fictitious address.
- Ensure email security is set up to guard against sender address forgery.
- Consider implementing email monitoring technology.
- If the company is scammed, alert the Australian Cyber-crime Online Reporting Network and the Australian Federal Police.
A STUDY IN TECH-CRIME. MIMICKING THE CEO
A social media fan, the CEO posted about his upcoming business trip – where he was going and when – generously providing cyber-criminals with a well-defined window of opportunity and plenty of time to prepare for a $100,000 heist.
Alerted to the upcoming opportunity, they scoured LinkedIn and identified the company’s CFO and Financial Controller. They analysed the company website, learned about the business and the sort of deals it did and the language it used. They built an alias email address that would look as though it came from the CEO. Then they waited.
Once the CEO had flown overseas, the criminals sent an email posing as him, hinting at a project they already knew was underway that might need funds to be transferred. The email also stressed the different time zone and a dying phone battery that might make “the CEO” hard to contact.
A second email arrived with the account details for the transfer. Just to be sure, the Financial Controller replied to the email asking if it really was the CEO. Since the cyber-criminals had created an alias address that looked just like the CEO’s, they were able to respond: YES, it really was the CEO and YES, please make that $100,000 transfer.
Feeling more secure about the request, the Financial Controller transferred $100,000 into the account. But a seed of doubt still lurked, so the he sent a fresh email (not a reply email which would have gone to the alias address) direct to the CEO. The genuine CEO received the follow-up email and was able to stop the transfer from going through to an overseas destination.
A few hours later, it would have been a case of “missed it by that much”.