CEO Fraud or Business Email Compromise (BEC) has been widely reported with several recent high profile incidents. It is a global threat to corporates, large and small, and is on the face of it a simple and highly effective way of ‘attacking’ an ill prepared and uninformed company. Before you say, that can never happen at my company take a read of the Krebs on Security review of various swindles including a $46 million loss at networking firm, Ubiquiti. The FBI reports that victims of CEO fraud or Business Email Compromise have increased by 270% since the start of 2015, with cases in almost 80 countries around the world. In short, this is a big problem.
In this post, I will provide an overview of how the CEO fraud or business email compromise scam works.
How does the CEO Fraud Email work?
Ok, suppose you are an accountant, part of the treasury team or senior member of the accounts payable team who frequently deals with senior management (CEO, managing director) to handle sensitive and / or urgent payments. You receive an email from senior management in a familiar format using familiar language asking you to make an urgent wire payment stating the bank account details.
The details of the payment (amount, bank details) would typically be on a letter bearing the company logo, and a signature from either the CEO or someone from senior management. Alternatively the email may reference unpaid supplier invoice(s) and ask for immediate payment.
The problem, obviously, is that the email is not from the CEO or senior management – it is from fraudsters targeting your company.
Key CEO Fraud Email Details:
- The email is typically sent from a look-a-like domain – for example if SEPA for Corporates was a huge company with a legitimate email address of ceo@sepaforcorporates.com – the scammer would buy a phony domain and set up a fake email address that looks very similar to the unsuspecting eye – such as ceo@sepaforc0rporates.com – you may not have noticed, but in this fake email address I have inserted a zero in place of one of the ‘o’s
- Speed is of the essence, as soon as the fake domain is activated the email is sent on the same day
- As mentioned above, the email would typically look and feel like a legitimate email from your CEO or supplier
- The details of the payment would typically be for a known supplier highlighting unpaid invoices, or linked to an upcoming acquisition — again, giving the appearance of legitimacy
- The bank details reflect the bank details of the scammers
- The authenticity of the email is enabled by infiltrating company emails through malware
- The fraudsters will also monitor and be familiar with your company, scanning job postings, supplier profiles, employee social media accounts, executive travel plans — basically, anything and everything that will enable them to construct an authentic sounding email
- The amount can vary:
- If it is a supplier invoice related scam, the amount will reflect a typical supplier invoice or multiple invoices
- Otherwise, the amount is a large sum. Typical payment request (or losses), according to PwC exceed £500,000
- The requested payment method is wire – enabling a quick payment
Don’t be a CEO Fraud Mail Victim:
As simple as it is, the CEO fraud email scam is serious. So much so that the FBI is calling business email compromise “an emerging global threat“.
- Ensure that ALL payments follow a strict verification process, no matter who sends the email
- All bank details should be independently verified with the supplier by phone and confirmed by email
- Anybody involved in payments should be made aware of this type of CEO fraud email or business email compromise
- Be cautious about any one-off payment requests sent by email
- ‘Pay’ particular attention to the email address – does it look right? Does the email address appear in your company address book?
- Beware of any urgent wire payment emails requests that call for secrecy and ask you to act quickly
- The FBI suggest implementing additional technology and financial controls, and a 2 step verification process, including:
- Implementing additional, in addition to email, checks such as phone calls to verify large transactions
- Using signed or encrypted emails
- Deleting any spam emails
- Not replying to emails, instead forwarding them and either typing the valid email address or selecting it from the company address book
- Share this blog post with your finance teams!! 😉