Vigilance is the key to safeguarding against sophisticated CEO scams that can cost your business big time.
By Beverley Head
Electronic communications have long been dogged by a technique called “spear-phishing”, where cybercriminals target an individual using personal information about them. A new variant called “CEO scamming” has quickly turned into a billion-dollar line of fraud.
In this scam, cybercriminals research a CEO or senior executive, then use their insights to craft phone and email scams that trick employees into releasing funds or sensitive information. The FBI believes such scams have cost global businesses more than US$2.3 billion in just three years.
Some Australian businesses have fallen for the scam, with reports of between A$200,000 and A$1.5 million involved. Businesses with overseas partners and operations that routinely send funds overseas are particularly vulnerable, since requests for payments to foreign accounts won’t always raise a red flag.
"This has a real economic impact as it is non-recoverable ... it can lead a company to close their doors." Craig McDonald, MailGuard
Australia’s Computer Emergency Response Team has also recently warned of a new variety of CEO scam where an email purporting to be from the CEO requests the HR director to send names, addresses, wage details, tax file numbers and health care information about employees. It’s grist for identity theft or an income stream, as such data is bought and sold among cybercrime gangs on the dark web.
Craig McDonald, CEO of Australian computer security company MailGuard, says accountants are also targets for scammers. “They get an email from someone purporting to be someone else and then they go in and change things on the procurement accounts so funds are directed to the wrong people,” he says. “In Australia, it is happening on a daily basis.
This has a real economic impact as it is non-recoverable ... it can lead a company to close their doors.”
It’s why McDonald recently signed a deal with a cloud accounting software vendor that will provide accountants access to email security tools. These are being further developed in association with Deakin University to better identify dodgy emails before they snare a victim.
Governance essentials: contributing to board effectiveness – it is important for finance professionals working with boards to understand what makes the board run effectively and what are some key areas where they can assist the board in decision making.
Shutting down an attempted fraud relies on a healthy dose of common sense as soon as something suspicious arises. When a CEO scam was aimed at American computer security software firm Forcepoint, the finance team – already alert to the risks of CEO scams – phoned the CEO to ask if the funds-transfer request was legitimate. It wasn’t.
Bob Hansmann, Forcepoint’s director of security trends, notes that procedures need to be in place to protect a company from such attacks – and not just attacks from outside.
“IT has to partner with HR and the finance department to make sure there are procedures – a process to ensure it is done properly and that the right people authorise it,” he says.
“You also have to deal with intentional theft where there is a malicious insider. We have worked with credit-processing data sites where people have stolen 1000 credit card details and sold them online. You need to be monitoring for behaviour that is out of the norm.”
Guarding against scams
- Educate staff to be sceptical about requests to transfer funds or data coming from the CEO’s email address.
- Remind senior executives to be careful about how much and what they share on social media.
- Pick up the phone and confirm that any CEO request for funds or data is legitimate.
- Don’t use the reply function to an email you believe might not be legitimate – send a fresh one to avoid being routed to an alias address.
- Ensure email security is set up to guard against sender address forgery.
- Consider the implementation of email monitoring technology.
- If the company is scammed, alert the Australian Cybercrime Online Reporting Network and the Australian Federal Police.
Mimicking the CEO
A social media fan, the CEO posted about his upcoming business trip – where he was going and when – generously providing cybercriminals with a well-defined window of opportunity and plenty of time to prepare for a US$100,000 heist.
Alerted to the upcoming opportunity, they scoured LinkedIn and identified the company’s CFO and financial controller. They pored over the company website, learned about the business and the sort of deals it did and the language it used. They built an alias email address that would look as though it came from the CEO. Then they waited.
Once the CEO had flown overseas, the criminals sent an email posing as him, hinting at a project they already knew was underway that might need funds to be transferred. The email also stressed the different time zone and a dying smartphone battery that might make “the CEO” hard to contact.
A second email arrived with the account details for the transfer. Just to be sure, the financial controller replied to the email asking if it really was the CEO. Since the cybercriminals had created an alias address that looked just like the CEO’s, they were able to respond: yes, it really was the CEO and yes, please make that transfer.
Feeling more secure about the request, the financial controller transferred US$100,000 into the account. But a seed of doubt still lurked, so the controller sent a fresh email (not a reply email which would have gone to the alias address) direct to the CEO. The genuine CEO received it and was able to stop the transfer.
“The CEO was able to reverse the transaction with the help of the bank,” says Leon Fouche, risk advisory partner with public accountant BDO, who investigated the incident.
“For foreign transfers, banks put the money into a holding account while they process the payment. In this case, the CEO spoke to the bank while the money was still in this account. If the CEO had contacted the bank a few hours later, it would have been too late.”