Safer to Respond to or Simply Ignore an Email from the CEO?
Closing the loop on corporate account takeover or business email fraud
Let’s say you work in Corporate Finance/Accounting and you get an email from your CEO with a directive to execute a wire payment. The email has all the hallmarks of your CEO’s email – corporate logo, signature block, and proper email address. It looks like every other email you receive from your CEO. Nothing looks amiss or raises doubts. So, what do you do? Ignore it, or reply?
To date, standard operating procedures allow an email request from the CEO seeking payment for company-related expenses to serve as the ‘call to action’ and the authorization to execute the payment by wire transfer. On the other hand, maybe this is the first such email request. In either case, as an ever-diligent employee, do you feel obliged to follow the instructions or the standard procedures? Without requesting confirmation, you initiate the wire transfer. Once the payment goes out, it is not coming back unless you immediately call the receiving bank to freeze the transfer. If you are lucky and stop the transfer, the receiving bank returns the wire in a few days.
Can this happen? The answer according to Joseph Loomis, CTO of CyberSponse, is “yes, more frequently than people may realize. I, personally, have talked with companies that were recently targeted. Some fell victim while others had checks and balances in place that prevented such fraud to occur.”
Corporate account takeover
So, let’s take a deeper look at what is known as ‘corporate account takeover’ or ‘business email fraud.’
Cybercriminals, ever on the hunt for new ways to defraud, have found ways to exploit publicly available information and weaknesses in corporate email systems. Corporate account takeover, for example, is a type of business identity theft in which cybercriminals gain control of or access to a company’s finances to make unauthorized transactions, such as transferring funds out of the company, adding fake employees to payroll, and stealing sensitive customer information. They may steal employee passwords and other valid credentials to gain access to bank accounts. The criminals then initiate fraudulent wire transfers to accounts they control.
Now, the scams are evolving to include business email fraud, where criminals gain access to corporate email accounts or systems. Once a business email account is compromised, cybercriminals then hijack or spoof senior executive email accounts. Next, they send emails with directives for wire transfer payments that often go to banks – both international and US-based ones.
The frequency of this type of payment fraud is on the rise.
The United States Computer Emergency Readiness Team (US-CERT) issued a Fraud Alert related to business email compromise (BEC). “The Financial Service Information Sharing and Analysis Center (FS-ISAC) and federal law enforcement agencies released joint alert warning companies of a sophisticated wire payment scam” where cybercriminals “use fraudulent information to trick companies into directing financial transactions into accounts scammers control.”
While most incidents involve the compromise of email accounts belonging to CEOs and CFOs, other incidents, known as ‘vendor fraud,’ involve compromising vendor/supplier email accounts and then requesting a change to the bank and account number associated with that vendor/supplier so that future payments are redirected.
How cybercriminals execute phishing schemes
So, how do cybercriminals execute these phishing schemes?
- Compromise legitimate business email accounts through social engineering or malware
- Conduct reconnaissance to review the business’s legitimate e-mail communications and travel schedules
- Capture auto-forwarded e-mails received by the victim to an e-mail account under their control
- Send wire transfer instructions using the victim’s e-mail or a spoofed e-mail account controlled by the cybercriminal
- To avoid detection, they may send communications associated with their actions to the victim’s trash or hidden folder
- Time the scam for when the CEO/CFO is on official travel, since the executive is then more likely to conduct official business by email and harder to reach for confirmation
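The spoofed-executive and auto-forward pattern described above maps onto a few header-level checks that accounts-payable mail can be screened against. The following detector is an added example and is not from the original article or any of the cited alerts; the executive list, the corporate domain and the sample messages are constructed for the illustration, and the final policy function encodes the article’s point that an executive’s payment email is never sufficient authorization on its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: executives most likely to be impersonated,
# keyed by display name, and the address each one genuinely sends from.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    expected = EXECUTIVES.get(from_name.strip().lower())
    # An executive's display name on an address that is not theirs: display-name
    # spoofing or a lookalike domain (example-corp.co instead of example-corp.com).
    if expected and from_addr.lower() != expected:
        flags.append("executive name on unexpected address")
    # A Reply-To that differs from the sender quietly routes the reply to an
    # account the fraudster controls, much like a hidden auto-forward rule.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to differs from sender")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if PAYMENT_TERMS.search(text):
        flags.append("payment or urgency language")
    return flags


def needs_out_of_band_confirmation(raw_message: str) -> bool:
    """Policy: a payment instruction that claims to come from an executive, or
    that carries any spoofing indicator, is confirmed by phone or in person."""
    msg = message_from_string(raw_message)
    from_name, _ = parseaddr(msg.get("From", ""))
    flags = bec_indicators(raw_message)
    claims_exec = from_name.strip().lower() in EXECUTIVES
    return "payment or urgency language" in flags and (claims_exec or len(flags) > 1)


# Constructed sample messages: a lookalike-domain spoof and a genuine request.
SPOOFED = """From: Jane Doe <jane.doe@example-corp.co>
Reply-To: ceo.office@mailbox.example
To: payables@example-corp.com
Subject: Urgent wire transfer

Please process a wire transfer of $48,000 today. I am travelling, email only.
"""
LEGIT_WIRE = """From: Jane Doe <jane.doe@example-corp.com>
To: payables@example-corp.com
Subject: Vendor payment

Please wire the attached invoice amount to Acme by Friday.
"""
```

Even `LEGIT_WIRE`, which raises no spoofing flag, still returns `True` from the policy check: the callback to the executive is what closes the loop, not the appearance of the email.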
For information on risk mitigation and incident reporting, refer to https://www.fsisac.com/sites/default/files/news/BEC_Joint_Product_Final.pdf.
For information on social engineering and phishing attacks – such as what they are, how to avoid being a victim, and what to do if you become a victim – refer to the US-CERT “Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks,” https://www.us-cert.gov/ncas/tips/ST04-014
“Best Practices for Banks: Reducing the Risks of Corporate Account Takeovers,” developed by the Texas Bankers Electronic Crimes Task Force and supported by the Conference of State Bank Supervisors (CSBS), www.csbs.org; the Financial Services Information Sharing and Analysis Center (FS-ISAC), www.fsisac.com; the United States Secret Service, www.secretservice.gov; and the Texas Department of Banking, www.dob.texas.gov.
Wall Street Journal, “Hackers Trick Email Systems into Wiring them Large Sums,” http://on.wsj.com/1Ir6SJv