The FBI calls this type of scam "Business Email Compromise" and defines BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
According to FBI statistics, CEO fraud is now a $26 billion scam. Between May 2018 and July 2019, there was a 100% increase in identified global exposed losses. The scam has been reported in all 50 states and in 150 countries. Victim complaints filed with the IC3 and financial sources indicate fraudulent transfers have been sent to banks from roughly 140 countries.
The FBI reported CEO fraud and other cyber crimes, including ransomware and other online scams, together, were responsible for over $4.1 billion in 2020 alone, with reported cases of cyber crime rising from 467,000 to over 791,000 (a 69% increase), between 2019 and 2020. Clearly, CEO fraud and other forms of cyber crime are not going away and are only getting worse.
Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them are to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.
This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.
Here, cybercriminals target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Are you aware that one of the first things hackers try is to see if they can spoof the email address of your CEO? If they are able to commit "CEO Fraud", penetrating your network is like taking candy from a baby.
Now they can launch a "CEO fraud" spear phishing attack on your organization, and that type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained.
Find out if you can be spoofed. Sign up now for your free Domain Spoof Test!
The CEO isn't always the one in a criminal’s crosshairs. There are four other groups of employees considered valuable targets given their roles and access to funds/information:
The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or other senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts that is authorized to transfer funds.
Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.
Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.
The IT manager and IT personnel with authority over access controls, password management and email accounts are further high-value targets. If their credentials can be hacked, they gain entry to every part of the organization.
The events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-profile victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations.
Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches. The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible to restore normal operations after a data breach and ensure that company assets and the company's reputation are protected. Failure to do so can open the door to legal action.
Let’s put it in these terms: a cyber breach could potentially cause the loss of a bid on a large contract, could compromise intellectual property (IP) and loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.
Xoom - Internet money transfer service, San Francisco, CA
LOST:
$30.8 million
RECOVERED:
$0
RESULT:
The CFO resigned
Ubiquiti Networks - Computer networking company, Silicon Valley
LOST:
$46.7 million
RECOVERED:
$15.0 million
RESULT:
Unknown
FACC AG - Aerospace company, Austria
LOST:
$50.0 million
RECOVERED:
$10.9 million
RESULT:
CEO and CFO were fired
Unknown US Company
LOST:
$100.0 million
RECOVERED:
$74.0 million
RESULT:
Scam surfaced when the US government filed a lawsuit to recover $25 million
Schletter Group - Worldwide manufacturer, North American division
LOST:
W-2 information of all 200 employees
RECOVERED:
Nothing
RESULT:
Employees filed class-action lawsuit, the court allowed the employees to seek treble damages from Schletter. Schletter since filed for bankruptcy.
Mattel - Toy manufacturing company, El Segundo, CA
LOST:
$3.0 million
RECOVERED:
$3.0 million
RESULT:
Luckily they caught the scam right away and were able to recover all of their money
Crelan Bank - Belgium
LOST:
$70.0 million
RECOVERED:
$0
RESULT:
The CEO claims they are still viable and operating at a profit
Pomeroy Investment Corp - Troy, MI
LOST:
$495,000
RECOVERED:
$0
RESULT:
The error wasn't noticed for 8 days, by then the money was long gone
Leoni AG - Cable manufacturer, Germany
LOST:
$44.0 million
RECOVERED:
$0
RESULT:
Unknown
SS&C Technologies Holdings - Financial services software firm, Windsor, CT
LOST:
$5.9 million
RECOVERED:
Unknown
RESULT:
The CEO was ousted and the company is now facing a $10 million lawsuit by Tillage Commodities Fund, the firm whose money was lost
City of El Paso, Texas
LOST:
$3.1 million
RECOVERED:
$1.9 million
RESULT:
Unknown
Sedgwick County, Kansas
LOST:
$566,000
RECOVERED:
Unknown
RESULT:
Unknown
Campbell County Health, Wyoming
LOST:
1,457 Employee Social Security Numbers
RECOVERED:
Nothing
RESULT:
Unknown
Facebook and Google
LOST:
$100 Million
RECOVERED:
‘The Bulk’
RESULT:
Unknown
Save The Children
LOST:
$997,400
RECOVERED:
$885,784
RESULT:
The scam was undiscovered for a month, so cybercriminals got away with all the money. The funds were recovered via the organization's insurance carriers.
Southern Oregon University
LOST:
$1.9 mil
RECOVERED:
0
RESULT:
Unknown
Gorbel - US manufacturing company
LOST:
$82,000
RECOVERED:
None
RESULT:
Unknown
MacEwan University, Edmonton, Canada
LOST:
$1.8 mil
RECOVERED:
Unknown
RESULT:
Unknown
Japan Airlines
LOST:
$3.39 mil
RECOVERED:
0
RESULT:
Unknown
O’Neill, Bragg & Staffin - Pennsylvania law firm
LOST:
$580,000
RECOVERED:
None
RESULT:
Lost lawsuit filed against Bank of America, claiming the bank was responsible for not stopping the transaction. The firm is now permanently closed.
City of Alamogordo, New Mexico
LOST:
$250,000
RECOVERED:
None
RESULT:
Unknown
Unnamed Finnish Investment Firm
LOST:
$3 million euro
RECOVERED:
$3 million euro
RESULT:
Unknown
Lake Ridge Schools - Lake County, Indiana
LOST:
$120,000
RECOVERED:
None
RESULT:
Unknown
Pathé - French cinema chain, film production and distribution company
LOST:
$21 Million
RECOVERED:
Unknown
RESULT:
Managing Director and CFO fired
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas including:
Every organization should set security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
Have a solid wire transfer policy: It should never be possible for a cybercriminal to hijack a corporate email account and convince someone to transfer a large sum immediately. Policy should limit such transactions to relatively small amounts. Anything beyond that threshold must require further authorizations.
Confidential information: When it comes to IP or employee records, policy should determine a chain of approval before such information is released.
IT should have measures in place to:
Recommended company procedures include:
*Note: Normally human error like CEO fraud is NOT covered by cyber security insurance.
No matter how good your prevention steps are, breaches are inevitable. User education plays a big part in minimizing the danger so start here:
The best training programs baseline click rates on phishing emails and harness user education to bring that number down. Don't expect a 0% click rate though. Good employee education can reduce phishing success significantly, but there is always someone who doesn’t pay attention, is in a hurry that day, or is simply outsmarted by a very clever cybercriminal.
Security awareness training should include teaching people to watch out for red flags. Here are the most common things to watch out for:
Speak with their cybersecurity department: Brief them on the incident and ask for their intervention. They can contact their counterparts in the foreign bank to have them prevent the funds from being withdrawn or transferred elsewhere.
Inform them off all the facts related to the incident as soon as possible
In the U.S., the local FBI office is the place to start. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network may be able to return or freeze the funds. When contacting law enforcement, identify your incident as “BEC”, provide a brief description of the incident, and consider providing the following financial information:
Visit the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov to file your complaint. Victims should always file a complaint regardless of dollar loss or timing of incident and in addition to the financial information above, provide the following:
Call an emergency meeting to brief the board and senior management on the incident, steps taken and further actions to be carried out.
Have IT investigate the breach to find the attack vector. If an executive’s email has been hacked, take immediate action to recover control of that account such as changing the password.
But don’t stop there, the likelihood is that the organization has been further infiltrated and other accounts have been compromised. Have them run the gamut of detection technologies to find any and all malware that may be lurking to strike again.
If the organization was breached, it highlights deficiencies in existing technology safeguards. These will prove harder for IT to spot. So bring in outside help to detect any area of intrusion that IT may have missed.
The goal is to eliminate any and all malware that may be buried in existing systems. Cybercriminals are inside. The organization isn’t safe until the attack vector is isolated and all traces of the attack have been eradicated. This is no easy task.
Make sure your cybersecurity insurance covers CEO Fraud: Less than 4% of fraudulently transferred funds are recovered, so it's a good idea to make sure you have the proper insurance in place. While many organizations have taken out cyber-insurance, not all are specifically covered in the event of CEO fraud. This is a grey area in insurance and many refuse to pay up. Despite the presence of a specific cyber insurance policy, the unfortunate fact is that no hardware or software was hacked. It was the human that was hacked instead.
Difference between financial instruments and email fraud: Insurance companies distinguish between these two and that's where gray areas come in. Financial instruments can be defined as monetary contracts between parties such as cash (currency), evidence of an ownership interest in an entity (share), or a contractual right to receive or deliver cash (bond). However, CEO fraud is often categorized as being purely an email fraud and not a financial instrument fraud. In other words, it is being regarded in many cases as a matter of internal negligence or email impersonation as opposed to being a financial instrument matter.
That said, there are dozens of carriers in the market providing up to $300 million in limits. Coverage extensions have developed to include both the third-party liability and first-party cost and expenses associated with a data breach or cyber-attack.
