- Dean Smith
New Fraud Alert: Extremely Sophisticated Business E-mail Compromise
A new, sophisticated fraud scheme is becoming a widespread issue, fueled by the age of social media sharing and smartphones.
In an article for The CIO Advisor, Greg Bell asks that we consider the following scenario (taken directly from FBI case files):
“The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.
‘It was not unusual for me to receive e-mails requesting a transfer of funds,’ the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization, including her CEO’s signature over the company’s seal, and followed the instructions to wire more than $737,000 to a bank in China.
The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.”
According to the FBI, this company had fallen victim to what is now known as business e-mail compromise or BEC, a financial fraud scam deemed the most sophisticated the bureau has EVER seen.
With more smartphones, tablets, and other personal devices being allowed to connect to company networks, and more company executives becoming active on social media, BEC is becoming a very real threat.
Bell notes the FBI’s warning that this is not another infamous Nigerian lottery spam e-mail set up by a teenage, amateur hacker. These e-mails are coming from well-organized crime groups working out of “war rooms” in the Middle East, Africa and Eastern Europe. But how do they get the information they need? We’ll give you one guess.
“They mine data from social media and websites, and they use it to create credible fraud schemes,” writes Bell. “So by monitoring Facebook or Twitter, or data from IoT (Internet of Things) devices and wearables such as fitness applications or apps that enable you to control your DVR or close your garage door when you’re not at home, it becomes possible to know when a CEO is on vacation, and where. It also becomes possible to know when the chief financial officer might be on a treadmill and not able to read her email as carefully as she ordinarily might.”
According to data collected by the FBI, since the end of 2013, $740 million in losses had accumulated from over 7,000 companies in the United States that had fallen victim to similar scams. The bureau also noted that small to mid-sized companies are most frequently victimized, with an average loss of $130,000. So, how do we protect ourselves against these scams?
First, we must recognize that scam artists will ALWAYS find a way. Simply building higher firewalls will not decrease our risk: an e-mail like the one above carries no malware for a firewall or filter to block. It succeeds by persuading a person to act, so the defenses have to be about people and process as much as technology.
- Acquire cyber insurance policies (one of ICU’s recent acquisitions!), specifically ones with wire fraud clauses if that is a concern to you.
- Offer social media training to employees and executives regularly (it’s always changing!).
- Provide employees with security tools and encourage their use.
- Update and strengthen protocols, especially around finance functions. At a minimum, any request to wire funds that arrives by e-mail, and any change to a beneficiary’s bank details, should be confirmed by phone with the requester at a number taken from the company directory, never from the e-mail itself. Notice that in the case above, a single phone call to the CEO, placed before the wire instead of after, would have stopped the loss.
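To make the last point concrete, here is a small wire-transfer approval gate written as an added example (it is not code from the article, from ICU, or from the FBI). It checks the requesting e-mail for two header-level signs of executive impersonation, treats any first-time beneficiary or large amount as requiring out-of-band confirmation, and releases the payment only when the accountant has spoken to the requester at the number listed in the company directory. The company domain, the callback threshold, the directory, the account numbers and the assumption that the fraudulent mail came from a lookalike domain are all constructed for the illustration; the article does not say how the CEO’s address was faked.

```python
"""Wire-transfer approval gate modelled on the BEC case above.

Added example, not from the article.  Domain names, amounts, account numbers
and the policy threshold are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr
from typing import FrozenSet, List, Optional, Tuple

# Assumed policy values: the firm's real mail domain, the amount above which a
# callback is mandatory, and the internal directory that is the ONLY legitimate
# source of callback numbers (never the e-mail or the "lawyer").
COMPANY_DOMAIN = "example-corp.com"
CALLBACK_THRESHOLD_USD = 10_000.0
DIRECTORY = {"ceo@example-corp.com": "+1-555-0100"}


@dataclass
class WireRequest:
    from_header: str                       # raw From: line of the requesting e-mail
    reply_to_header: Optional[str]         # raw Reply-To: line, if any
    requester: str                         # directory key of who the mail claims to be
    amount_usd: float
    beneficiary_account: str
    prior_beneficiaries: FrozenSet[str]    # accounts this firm has paid before
    callback_number: Optional[str] = None  # number the accountant actually dialled
    callback_confirmed: bool = False       # requester confirmed the wire by voice


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_indicators(req: WireRequest) -> List[str]:
    """Header-level signs that the mail did not come from the claimed executive:
    a From: domain other than the company's, or a Reply-To: that diverts replies."""
    reasons: List[str] = []
    _, from_addr = parseaddr(req.from_header)
    if _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append(f"From domain {_domain(from_addr)!r} is not {COMPANY_DOMAIN!r}")
    if req.reply_to_header:
        _, reply_addr = parseaddr(req.reply_to_header)
        if reply_addr.lower() != from_addr.lower():
            reasons.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    return reasons


def evaluate(req: WireRequest) -> Tuple[str, List[str]]:
    """Return ('APPROVE' | 'HOLD', reasons).

    HOLD means the wire must not be released until the requester has confirmed
    it by phone at the directory number.  A compromised real mailbox passes the
    header checks, so the new-beneficiary and amount rules still force a call."""
    reasons = sender_indicators(req)
    if req.beneficiary_account not in req.prior_beneficiaries:
        reasons.append("first payment to this beneficiary account")
    if req.amount_usd >= CALLBACK_THRESHOLD_USD:
        reasons.append(f"amount {req.amount_usd:,.0f} USD meets callback threshold")
    if not reasons:
        return "APPROVE", []          # routine payment: known payee, small, clean headers

    expected = DIRECTORY.get(req.requester)
    if expected is None:
        return "HOLD", reasons + ["requester not in directory"]
    if not req.callback_confirmed or req.callback_number != expected:
        return "HOLD", reasons + [f"voice confirmation at directory number {expected} missing"]
    return "APPROVE", reasons


# Constructed request modelled on the article's case: a mail that looks like it
# is from the CEO (assumed lookalike domain), a large wire to a new foreign payee.
ARTICLE_CASE = WireRequest(
    from_header="Chief Executive <ceo@examp1e-corp.com>",
    reply_to_header="Chief Executive <ceo@examp1e-corp.com>",
    requester="ceo@example-corp.com",
    amount_usd=737_000.0,
    beneficiary_account="CN-9981",
    prior_beneficiaries=frozenset({"US-1001", "US-1002"}),
)

# The same request, but the accountant phoned the CEO at the directory number first.
VERIFIED_CASE = WireRequest(
    from_header="Chief Executive <ceo@example-corp.com>",
    reply_to_header=None,
    requester="ceo@example-corp.com",
    amount_usd=737_000.0,
    beneficiary_account="CN-9981",
    prior_beneficiaries=frozenset({"US-1001", "US-1002"}),
    callback_number="+1-555-0100",
    callback_confirmed=True,
)

if __name__ == "__main__":
    for label, req in (("article case", ARTICLE_CASE), ("verified case", VERIFIED_CASE)):
        decision, why = evaluate(req)
        print(f"{label}: {decision} - {'; '.join(why) or 'no findings'}")
```

The important design choice is that the callback number is looked up, not supplied by the request. An attacker who controls the e-mail thread can supply a phone number, a letter of authorization and a cooperative “lawyer”; what they cannot do is answer the CEO’s real phone. The header checks are a useful early warning but are deliberately not sufficient on their own, because a genuinely compromised executive mailbox passes them.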
Check the source below for the full article and even more measures that can be taken to protect you, your employees, and your company!
Let’s not forget, when we adapt, scam artists adapt. The smarter we get, the smarter they get. Always update your security measures and view these as continuous challenges.