This kind of fraud is hitting people across the country, with millions of dollars in losses.
Your boss is out traveling. You get an e-mail from him or her, asking you to make sure an account gets paid. So you do, following the instructions in the email.
That is the kernel of CEO fraud, a scam that has hit more than 7,000 companies in the U.S., and may have just taken down the chief financial officer of a multimillion-dollar airplane parts company.
The e-mails are fake, and the money goes off to criminals who have set up fake accounts for this very purpose.
The FB’s Internet Crime Complaint Center, or IC3, reported a 270% increase in this kind of attack since January 2015. The total losses—more than $750 million.
Why is this attack so successful, again and again? You would know a fake payment e-mail if you saw one, right?
That is part of the problem, cybersecurity experts say.
“Some folks still believe scam e-mails are easy to spot,” Slade Griffin of Contextual Security told Archer News. “Current attackers are well-spoken, research their targets, and send very legitimate-looking communications.”
CFO gets fired
It is a giant in the industry. FACC in Austria makes airplane parts for Boeing and Airbus, among others. Last month, it announced the unfortunate news. Missing from its accounts—more than $50 million.
“Today, it became evident that FACC AG has become a victim of a crime act using communication and information technologies,” the announcement said, directing further inquiries to CFO Minfen Gu.
Though company said little more about the crime than that it involved a fake identity, many in the cybersecurity world have connected it to CEO fraud, also known as business email compromise.
Now the CFO, Minfen Gu, has been fired, and the company is reorganizing its financial department and going after damages and insurance claims, reported Reuters.
“In some earlier business email compromise scams reported in more detail, it looked like the scammers exploited questionable financial practices to enable the exceptionally large wire payments made,” said Patrick Coyle with Chemical Facility Security News.
Coyle said corporate owners would expect financial managers to have procedures in place to keep financial scams smaller.
“With the reported $54.57 million reported in this case, it appears that fraud protections were not in place,” he said.
Big fish
Small business are targets, too. But the scammers have caught some big fish on their lines.
Nestle, Michelin and KPMG have all been victims, reported the BBC.
Ubiquiti Networks in California announced it lost more than $40 million to CEO Fraud, according to Fortune.
And now Crelan Bank in Belgium said it lost more than $75 million to cyber criminals in what some believe is also a CEO fraud attack.
Stalking you
The IC3 says the criminals “monitor and study” their victims before striking.
They can figure out who is in charge of which departments through LinkedIn and information on company websites. They can use social media to learn how best to approach. They may send phishing e-mails to get more details about a person, their travel schedule, and how the company operates. They may wait until the CEO is out of town. Then, they are ready.
You receive that e-mail from your CEO. It can be directly from your CEO’s e-mail account, which the criminals have taken over, or from an account with a very similar address, according to Symantec.
Symantec calls it “typo-squatting,” where the bad guys register a site very similar to yours, such as myydomain.com, instead of mydomain.com. They often register it the very same day they send the attack e-mail, a day they know your boss is traveling and harder to reach.
The hook
The e-mail from your CEO may start like this, said Symantec.
“I have just been informed by our attorney that we have had an offer to complete an acquisition that we have been negotiating privately for the last few months.”
The e-mail says company lawyers are working on the offer and the company is getting ready to make an announcement, but until then, this needs to stay very quiet, so don’t talk about it with anyone in the office.
“So, in line with the terms agreed, we will need to make the first deposit payment as soon as possible,” it continues.
“Any questions you have you can email me or speak directly with the lawyer, as I am going to be extremely busy myself for the next few days.”
The “CEO” gives you the name of the lawyer working on this acquisition, and says the lawyer will contact you soon.
So successful
IC3 says the e-mails are very well-worded and look very legitimate. They may copy the same language your CEO uses, and use names and amounts you are familiar with. After all, the bad guys have been watching you to see what makes you tick.
And there is something more at work.
“Desire to help—or fear of losing their job—by the targeted employee,” said Griffin.
You may not want to second-guess your boss, especially if it is a sensitive matter.
“Staff are less likely to question instructions purporting to come from on high, and it’s this psychological manipulation – often accompanied by a sense of urgency – that is a major factor in the fraud’s success, reported the BBC.
How to stay safe
Security experts agree that companies can do more to help.
“Have your employees, including executives, attend social engineering awareness training,” said Griffin.
“Training, training, and did I mention training already?” asked Andrew Mazurek, a cybersecurity professional based in Toronto, adding that overworked employees tend to pull the trigger in error more. “Policies, procedures, technology will only take you so far. At the end of the chain is The End User.”
Griffin suggested having multi-step verification for financial transfers, as well as waiting periods, so transfers can be verified.
“For example, one financial company I tested utilized code words and also ensured that anyone capable of making large transactions could readily identify their clients with secondary or tertiary information,” Griffin said.
IC3 also recommended having a another step for verification, like a phone call to an established number, rather than an e-mail or phone call to the person or number listed in the e-mail. And if you set up this verification system by e-mail, rather than by phone or in person, you risk giving the criminals a window into how you make payments, IC3 said.
More help
Do not reply directly to an e-mail about a payment, IC3 said. Instead, forward the e-mail to an established e-mail address.
Avoid free web-based e-mail.
Use digital signatures for e-mail.
Create an intrusion detection system that spots e-mails with extensions similar to yours. For example, IC3 said, if you legitimate e-mail is abc_company.com, the system would detect abc-company.com.
Register all domains slightly different from your company domain.
If you want to test yourself?
“Engage a reputable firm to conduct social engineering attacks like this against your personnel to understand their susceptibility,” suggested Griffin.
And figure out ways to deal with it if someone at your company clicks on phishing e-mail.
“Practice incident response instead of striving for the ‘0 clicks’ metric,” Griffin said.