The email from me looked kosher. I said a new supplier needed paying urgently – £25,000 to be paid immediately and I’d sort the paperwork out later. I wanted it done as soon as possible because I was on holiday, and we needed this work undertaken immediately.
This rang true to our financial controller because she knew I was on holiday and had seen photos of my holiday posted on Twitter. The ‘sent from’ email address looked genuine and it included the usual ‘Sent from my iPhone’ at the bottom, which she recognised from all my emails sent to the office when I’m on the move.
But, of course, it wasn’t from me. It was a fraudster who’d done his research and was skilled at psychological manipulation.
Fortunately for us, our financial controller felt something was not quite right so she mentioned it to me when I rang the office to discuss a case. Thank goodness the fraud was avoided and we could pass the information to the security department at the bank being used to receive the payment before we parted with the cash.
Attempts at CEO fraud, as it’s known to law enforcement, are becoming far too common.
The BBC recently ran a story where the exact same situation occurred. Unfortunately for that small business their financial director paid out £100K to the ‘new supplier’ and subsequently lost his job as a consequence.
Three words to look out for in email subject headers that should set alarm bells ringing are “urgent”, “payment” and “request”.
The FBI have reported that around 22,000 firms and organisations around the world have lost more than £2.4bn to the same fraud over the last three years. In March, the US Department of Justice arrested a 48-year-old Lithuanian man, Evaldas Rimasauskas, for allegedly stealing more than £80m.
Two-thirds of these attacks use the simple trick of spoofing the email address to make it look like the message came from someone senior within the organisation.
The fraudsters may also include made-up exchanges between senior executives in the email, perhaps discussing the deal or contract that the payment refers to.
It’s an unsophisticated type of fraud from a tech perspective, but the fraudsters do extensive research into the senior directors to make their emails look as plausible as possible. If hackers can gain access to directors’ travel plans they can make an email sound even more plausible.
“People are still the weakest link when it comes to cybersecurity,” says Rob Holmes, Proofpoint’s vice-president of products. “More junior people are more likely to do what they’re told without question,” says Mr Holmes. “So if your boss is quite authoritarian you are more prone to this type of attack.”
Knowing that the boss is away also stops staff being able to verify the payment request in person.
The fact that these attacks typically involve just a single email means that they bypass security systems designed to pick up several emails coming from different IP [internet protocol] addresses.
Protect yourselves and be aware
Some IT systems can spot emails pretending to originate from within your company, and verification standards like DMARC [Domain-based Message Authentication, Reporting and Conformance] can help. But there are some very simple ways to combat CEO fraud.
We have tightened up our payment process so that there is no way any payment is going to be authorised following one email from anyone.
The BBC reported that about 70% of the frauds could be prevented with a single phone call.
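The signals this post describes (the three subject words, a sender address that is spoofed or merely resembles the company’s own, a reply address that steers the conversation elsewhere, a body asking for money to go to a new supplier, and whether the receiving gateway recorded a DMARC pass) can be turned into a simple screen that parks a payment request until someone has made that phone call. The code below is an added Python example, not code from the original post: the company domain example.com, the executive directory, the two sample messages and the two-signal threshold for holding a request are all constructed assumptions.

```python
"""Screen an inbound message for the CEO-fraud signals the post describes.

Added example, not code from the original post. The company domain,
executive directory, samples and hold threshold are all constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                          # assumed company domain
EXECUTIVES = {"jane smith": "jane.smith@example.com"}   # constructed directory
ALARM_WORDS = ("urgent", "payment", "request")          # the three words from the post
MONEY_CUES = ("new supplier", "bank details", "transfer", "wire")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_message(raw: bytes) -> dict:
    """Return the indicators found in one RFC 5322 message plus a hold decision."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "")).lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""

    findings = []
    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("executive display name on a foreign address")
    # 2. Sender domain is not ours but is within two edits of it (cousin domain).
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")
    # 3. Replies are steered to a mailbox other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to differs from from")
    # 4. Subject words the post says should set alarm bells ringing.
    hits = [w for w in ALARM_WORDS if w in subject]
    if hits:
        findings.append("alarm words in subject: " + ", ".join(hits))
    # 5. Body asks for money to go somewhere new.
    cues = [c for c in MONEY_CUES if c in text]
    if cues:
        findings.append("payment cues in body: " + ", ".join(cues))
    # 6. The receiving gateway did not record a DMARC pass for this message.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=pass" not in auth:
        findings.append("no dmarc=pass in Authentication-Results")

    score = len(findings)
    return {
        "from": from_addr,
        "findings": findings,
        "score": score,
        # Assumed threshold: two or more signals parks the request until confirmed by phone.
        "hold_for_callback": score >= 2,
    }


# Constructed sample messages, modelled on the scenario in the post.
SPOOFED = b"""From: Jane Smith <jane.smith@examp1e.com>
Reply-To: ceo.jane.smith@mail-example.net
To: accounts@example.com
Subject: URGENT payment request
Authentication-Results: mx.example.com; spf=none; dmarc=none
Content-Type: text/plain; charset=utf-8

Hi, a new supplier needs paying today, 25,000 pounds. I'll sort the paperwork
out when I'm back from holiday. Sent from my iPhone
"""

LEGITIMATE = b"""From: Jane Smith <jane.smith@example.com>
To: accounts@example.com
Subject: Q3 invoice list
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Please send me the approved invoice list for Q3 when you have a moment.
"""


def screen_samples() -> dict:
    """Run both constructed samples through the screen."""
    return {"spoofed": screen_message(SPOOFED), "legitimate": screen_message(LEGITIMATE)}


if __name__ == "__main__":
    for name, result in screen_samples().items():
        print(name, result["score"], "HOLD" if result["hold_for_callback"] else "ok")
        for finding in result["findings"]:
            print("  -", finding)
```

Run stand-alone it flags the spoofed message on all six signals and lets the legitimate one through. The point of the hold flag is the post’s own remedy: the screen does not decide that a request is fraudulent, it only stops a single email from authorising a payment until someone has rung the sender on a number already on file.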