It should be no surprise that CFOs — the keepers of the purse strings — are the primary target for many types of cybercriminals. In fact, about 40 percent of all Business Email Compromise (BEC) scammers address their emails directly to CFOs. With increasingly sophisticated approaches, they can masquerade as the CEO or some other highly placed individual and request a transfer of funds into their own accounts. Even if the success rate isn’t very high, the profit on each successful one could be huge, since the CFO typically has such a high monetary signature authority. Any business should know more about this risk and strategies that can be used to prevent BEC losses.
The two basic approaches to BEC are spoofing an executive’s email or actually hacking into the account and sending a message directly from there. Spoofing may be easier to spot if something in the address or format isn’t quite perfect. For the hacking scenario, you have to know how the sender typically writes such an email to spot a fake. Either way, it is most often a high-level executive that the bogus email comes from, with studies showing that 63 percent of BECs use the email of the CEO, president or managing director to convince a CFO or other person in the Accounting department to transfer funds.
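The "something in the address or format isn't quite perfect" tells described above can be checked mechanically before a message ever reaches the CFO's inbox. The following is an added example, not code from the original post or from CITOC: a small mail-gateway check that flags a display name matching a known executive while the actual address is someone else's, a lookalike of the company domain, or a Reply-To that silently redirects replies to another domain. The company domain, executive names and sample messages are all constructed for illustration.

```python
"""Added example (not part of the original post): flag inbound mail showing
common BEC spoofing tells.  COMPANY_DOMAIN, EXECUTIVES and the sample
messages are constructed placeholders, not real data."""

from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: the organisation's real domain and the executives whose names
# are most often impersonated in BEC mail.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "Pat Morgan": "pat.morgan@example-corp.com",
    "Jordan Lee": "jordan.lee@example-corp.com",
}


def normalize_name(name):
    """Collapse whitespace and case so 'MORGAN, Pat' and 'pat morgan' compare equal."""
    return " ".join(name.replace(",", " ").split()).lower()


EXEC_BY_NAME = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, reference=COMPANY_DOMAIN):
    """True when a domain is a near miss of the company domain (a swapped,
    dropped or added character) rather than the company domain itself."""
    if domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.85


def bec_indicators(headers):
    """Return a list of warning strings for one message.

    `headers` is a dict holding at least the From header; Reply-To is optional.
    An empty list means none of the checked spoofing tells were present."""
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    sender_domain = domain_of(addr)
    warnings = []

    # Tell 1: the display name says "the CEO" but the mailbox is someone else's.
    known = EXEC_BY_NAME.get(normalize_name(display))
    if known and addr != known:
        warnings.append(
            f"display name '{display}' matches an executive but address is {addr}"
        )

    # Tell 2: the address is on a domain one character away from ours.
    if sender_domain and sender_domain != COMPANY_DOMAIN and is_lookalike(sender_domain):
        warnings.append(f"lookalike domain {sender_domain} (company domain is {COMPANY_DOMAIN})")

    # Tell 3: From looks right, but replies are routed to a different domain.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != sender_domain:
        warnings.append(f"Reply-To {reply_addr} goes to a different domain than From")

    return warnings


if __name__ == "__main__":
    # Constructed sample messages: one legitimate, three with spoofing tells.
    samples = [
        {"From": "Pat Morgan <pat.morgan@example-corp.com>"},
        {"From": "Pat Morgan <patmorgan.ceo@freemail.example>"},
        {"From": "Jordan Lee <jordan.lee@exarnple-corp.com>"},  # "rn" in place of "m"
        {"From": "Pat Morgan <pat.morgan@example-corp.com>",
         "Reply-To": "pat.morgan@freemail.example"},
    ]
    for msg in samples:
        flags = bec_indicators(msg)
        verdict = "HOLD FOR REVIEW" if flags else "ok"
        print(f"{msg['From']:50} -> {verdict}")
        for f in flags:
            print("    ", f)
```

The similarity threshold is a heuristic, not a proof: it catches single-character substitutions such as `exarnple-corp.com` but will not flag an unrelated free-mail domain, which is why the display-name check runs independently. A flagged message should be held for a human check, ideally the out-of-band verification the post recommends, rather than silently dropped.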
The BEC scammers may or may not need to use malware to pull off these crimes. Sometimes an employee can be convinced to transfer funds to an unauthorized account based only on the email content. It can work better in some scenarios, though, when malware such as a keylogger is used to capture specific content, including account numbers, passwords and transaction details to facilitate the transfer. A BEC scammer could even capture some specific details of the account history to relay in the message, thus raising the credibility. They sometimes even follow up with a phone call to the victim to help convince the person to do something he or she shouldn’t.
It should be noted that foreign suppliers are often used in these schemes, because it might be harder to spot something wrong in a message or account description when it relates to a foreign bank. The company or bank on the other end might also be less experienced in dealing with fraudulent wire transfers.
So how do companies protect against BECs? Employees can be reminded to scrutinize emails more closely, but a company could also run training specifically on this type of scam. Showing an example — especially one that involves their company or someone they know — will help get the employees’ attention. A company’s IT department can also run a test by sending out bogus emails and seeing what response it gets. An alert to the team saying what the outcome was will definitely heighten awareness. No one wants to be the employee who gets caught in that trap! Along with training, a company can also implement additional security measures for fund transfers, such as requiring a secondary sign-off or a verification step for any change to a vendor’s payment details.
CITOC is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news on email scams or any other IT topic. Contact us at (713) 490-5000 or send us an email at email@example.com for more information.