20 September 2016
CEO Fraud: Fraudsters Get Smarter with Simulated Email Correspondence
It is no surprise that cyber scammers are getting smarter. They are no longer sending poorly written emails that appear to be from well-known suppliers; their new approach is far more deceitful.
Recently, the FACC CEO was sacked following an email scam that cost the company $47M. A hoax email, claiming to come from the CEO, asked an employee to transfer a huge sum of funds – for what turned out to be a fake acquisition.
Another case is Etna Industrie, a French company whose CEO returned to work to find that her accountant had transferred $542,000 to unknown foreign bank accounts – all at the request of a faked email purporting to be from her.
Business Email Compromise, or CEO Fraud, initially involves cyber criminals phishing an executive or otherwise obtaining access to an individual’s inbox so they can gain insight into the organisation, learn the relationships between staff, customers and suppliers, and establish the language used when conducting day-to-day business operations.
Another approach is to pose as the company CEO, a supplier, or a trusted business executive. Fraudsters use publicly available corporate data to create convincing emails, sent from a look-alike domain that differs from the company’s true domain name by perhaps only one or two letters. They can even imitate a real email address by creating a duplicate account.
Whichever approach they take, the ultimate aim is to produce a request that looks as though it genuinely came from someone within the organisation, usually asking for a bank transfer and typically with a sense of urgency.
It is important to know that the requests aren’t always for large dollar amounts – smaller businesses are also being duped by these ‘bogus boss’ requests.
To protect your organisation, we have compiled some simple tips to ensure your team does not fall victim to one of these scams:
- Ensure staff are aware of these types of scams
- Always complete due diligence before processing a payment, even if it has come from someone you trust in your organisation
- Check the sender’s email address for spelling accuracy; it may differ from the real sender’s address by only a single character
- Look at the language used in emails – payment options such as ‘BPAY’, ‘EFT’ or ‘Direct Deposit’ may be expressed using different or uncommon terminology, e.g. ‘Wire’
- Implement policies and procedures that involve cross-referencing or a second sign-off for payment transfers
- If a supplier has asked you to pay to a new bank account, it is worthwhile calling to verify the new details. (It is important that this verification isn’t made by email, as the reply could go straight back to the fraudster)
- Ensure you have good processes between accounts payable and executives – don’t always trust that internal requests by email are legitimate
- Ensure your passwords are not common or easily guessed to prevent scammers gaining access to your system
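As an added example (not part of the original post), the following Python check applies two of the tips above mechanically: it flags a sender domain that sits one or two characters away from a domain the organisation trusts, and it flags the unusual payment or urgency wording the post describes. The trusted domains, the term list and the sample message are constructed assumptions, not real data.

```python
import re
from email.utils import parseaddr

# Constructed: domains the organisation and its known suppliers actually use (assumption).
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}

# Wording the post calls out: 'Wire' instead of BPAY/EFT/Direct Deposit, plus urgency cues (assumption).
SUSPICIOUS_TERMS = ("wire", "wire transfer", "urgent", "immediately", "new bank account")


def levenshtein(a, b):
    """Edit distance: minimum single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header such as 'Jane <ceo@examp1e.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates (within max_distance edits but not equal), else None.
    Legitimate third-party domains that happen to be close will also be flagged; that is a deliberate
    false positive for a human to clear, not an error."""
    if not domain or domain in trusted:
        return None
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    return closest if levenshtein(domain, closest) <= max_distance else None


def flag_message(from_header, body):
    """Return human-readable reasons to hold a payment request for verification (empty list = none found)."""
    reasons = []
    domain = sender_domain(from_header)
    target = lookalike_domain(domain)
    if target:
        reasons.append(f"sender domain {domain!r} looks like trusted domain {target!r}")
    text = body.lower()
    for term in SUSPICIOUS_TERMS:
        if re.search(r"\b" + re.escape(term) + r"\b", text):
            reasons.append(f"unusual payment/urgency wording: {term!r}")
    return reasons


# Constructed sample illustrating the pattern the post describes: a '1' replaces the 'l' in the domain.
SAMPLE_FROM = "Jane Doe <ceo@examp1e.com>"
SAMPLE_BODY = "Please arrange a wire of $47,000 to the new account today. Urgent, I am in meetings."
```

Every hit is a reason to pick up the phone and verify through a known-good number, not a verdict; a message with no hits can still be fraudulent if the attacker has taken over a real mailbox.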