Understanding CEO Fraud
What is CEO Fraud?
The FBI calls it Business Email Compromise (BEC) and defines it as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”
CEO fraud is another name for this scam and it usually involves tricking someone into making a large wire transfer into what turns out to be a bogus account. On a few occasions, however, checks are used instead of wire transfers. In the 18 months following January 2015, the FBI reported a 1,300% rise in identified exposed losses. Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small. That’s why only 4% of the funds are ever retrieved.
Certainly, large enterprises are a lucrative target. But small businesses are just as likely to be the mark. Other than being a business that engages in wire transfers, there is no discernible pattern in terms of a focus on a particular sector or type of business. The bad guys don’t discriminate.
What is known, though, is the methods by which these attacks are initiated.
Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources—often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them go to people who don’t use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.
Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users. The email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included – perhaps the person’s name, or the name of a client.
Executive “Whaling”: Here, the bad guys target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
Social Engineering: All of these techniques fall under the broader category of social engineering. This innocuous-sounding label originally meant the application of sociological principles to specific social problems. But within a security context, it has come to signify the use of psychological manipulation to trick people into divulging confidential information or providing access to funds.
The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Unfortunately, these scams have a high rate of success. The Verizon 2016 Data Breach Investigations Report revealed a shocking 30% of recipients open phishing messages and 12% click on attachments. Many of these breaches happen within two minutes of receipt. That means IT has little chance of catching this malicious traffic before it hits inboxes.
While phishing emails may not directly lead to CEO fraud, they are the top avenue of entry for malware and spyware into the enterprise. Once inside, cybercriminals can bide their time casing out the financial connections and interactions within the company. They eventually learn enough to spring a convincing BEC attack, usually posing as a company executive or accounts personnel. They can sit unobserved for months while they study the key individuals and protocols necessary to perform wire transfers within that business environment.
“This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias.” – Hackers, 1995
The FBI identifies five main scenarios by which this scam is perpetrated:
- Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
- Business receiving or initiating a wire transfer request: Once the email account of a top executive has been compromised, another employee receives a message to transfer funds somewhere, or a financial institution receives a request from the company to send funds to another account. These requests appear genuine as they come from the correct email address.
- Business contacts receiving fraudulent correspondence: The fraudster takes over an employee’s email account and sends invoices out to company suppliers, so that payments are transferred to bogus accounts.
- Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
- Data theft: Fraudulent e-mails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR, accounts or auditing departments.
Who Is at Risk?
Such attacks are anything but rare. In fact, they are so successful that billions are being plundered out of corporate accounts. Here are some examples of recent attacks:
Ubiquiti Networks, $46.7 million: This Silicon Valley computer networking company had employee emails impersonated and money transferred to overseas accounts held by third parties. The company recouped about $15 million.
The City of El Paso, Texas: El Paso lost $3.1 million intended for a streetcar project to a person pretending to be a legitimate vendor. The city made two payments before discovering the scam. The city recovered half of the money.
Xoom: This Internet money-transfer service lost $30.8 million via employee impersonation and fraudulent requests to the finance department. The CFO resigned.
SS&C Technologies Holdings: A lawsuit by Tillage Commodities Fund alleges that financial services software firm SS&C fell for an email scam that led to Chinese hackers stealing $5.9 million. Staffers inadvertently aided the criminals by helping them fix the transfer orders so the money could be transferred. The scam emails added an extra “L” to Tillage as in Tilllage and contained unusual syntax and grammatical errors. The lawsuit seeks $10 million in damages, plus punitive damages and legal fees. A spoofed email, claiming to come from the CEO, requested that accounting transfer money to a foreign account for a fake acquisition. Although the company recovered some of the funds, the CEO lost his job.
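The extra “L” in the Tilllage sender is a lookalike-domain pattern that a mail gateway or finance-team tooling can check mechanically. The following is an added example, not code from this paper or from SS&C or Tillage: it scores a sender’s domain against a list of trusted partner domains by edit distance and flags near-misses; all domain names and addresses in it are constructed placeholders.

```python
# Added example: flag sender domains that are near-misses of trusted partner
# domains, the pattern used in the Tillage / "Tilllage" case described above.
# Every domain and address below is a constructed placeholder.

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Domain part of an email address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].strip().lower()

def lookalike_check(address: str, trusted, max_distance: int = 2) -> dict:
    """Classify a sender against trusted domains.

    Exact matches are 'trusted'; domains within max_distance edits of a
    trusted domain are 'lookalike' (hold the transfer and verify out of band);
    anything further away is simply 'unknown'.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": domain, "distance": 0}
    closest, dist = min(((t, levenshtein(domain, t)) for t in trusted), key=lambda p: p[1])
    verdict = "lookalike" if dist <= max_distance else "unknown"
    return {"domain": domain, "verdict": verdict, "closest": closest, "distance": dist}

TRUSTED_DOMAINS = {"tillage.example", "ssctech.example"}  # constructed placeholders

SAMPLE_SENDERS = [                # constructed sample addresses
    "ops@tillage.example",        # genuine partner
    "ops@tilllage.example",       # extra "l", as in the lawsuit
    "billing@ti1lage.example",    # digit 1 in place of l
    "news@unrelated.example",     # no resemblance to any partner
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(s, lookalike_check(s, TRUSTED_DOMAINS))
```

A distance threshold of 2 catches single added, dropped or swapped characters without flagging every unfamiliar domain; tune it against your own partner list.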
Leoni AG: This cable manufacturer lost $44 million to a CEO fraud attack using emails crafted to appear like legitimate payment requests from the head office in Germany, asking for the money to be sent from a subsidiary in Romania. The CFO of the Romanian operation was the victim of the scam. She was taken in by the realistic-looking emails and by the fact that the scammers had extensive knowledge about the internal procedures for approving and processing transfers at Leoni. This indicates that they had penetrated the network earlier, probably through phishing emails, and had been snooping for months.
Mattel: The toy manufacturer Mattel transferred $3 million to an account in China after receiving a spoofed email supposedly from the CEO. Fortunately, the finance executive who transferred the money bumped into her boss a short time later and mentioned the deal. As little time had elapsed, the bank in China still had the funds and returned them to Mattel.
Pomeroy Investment Corp: Not so lucky was this firm in Troy, Michigan after it transferred almost $500,000 to a Hong Kong bank. This followed the email account of a company executive being hacked. The error was noticed eight days after it took place, and the money was long gone.
Unnamed U.S. company: Nearly $100 million was transmitted by multiple wire transfers after receiving spoofed emails that claimed to be from a legitimate vendor. The bank flagged the transfers and managed to recover $74 million. The rest was laundered through accounts in Cyprus, Latvia, Hungary, Estonia, Lithuania, Slovakia, and Hong Kong.
In many of the publicly disclosed cases, funds are recovered. But this may give a false impression. The FBI cites a recovery rate of 4% and the overall losses in the billions. But beyond the immediate funds looted, the damage caused by CEO fraud is substantial. C-level executives are fired, reputations are damaged and stocks can take a hammering.
Risk or Reputation – Who Is a Target?
The label of this category of cybercrime may be CEO fraud. But that doesn’t mean the CEO is the only one in the criminal’s crosshairs. The HR team, IT manager, other C-level and senior executives, and anyone with finance approval are also likely to be on the receiving end of one of these attacks.
From the perspective of the individual executive, the risk of losing one’s job should be enough incentive to pay attention to the potential for fraudulent email. CEOs and CFOs have lost their jobs over a breach. Ignorance of the techniques and surprise at the outcome are no excuse. It is up to C-level executives to inform themselves on the subject and take the necessary steps to minimize risk.
Board members, too, have a fiduciary responsibility with regard to cybersecurity risk. With the number of incidents very much on the rise, the record should reflect strong interest by the board and specific attention to risk mitigation. Steps should be taken to identify threat vectors, ascertain what information is most in need of protection, institute preventive measures, and put protocols in place for the event of a breach. It may also be prudent to bring in outside bodies to audit cybersecurity safeguards.
Finance: The finance department is especially vulnerable in companies that regularly engage in large wire transfers. All too often, sloppy internal policies only demand an email from the CEO or another senior person to initiate the transfer. Cybercriminals usually gain entry via phishing, spend a few months doing recon and formulate a plan. They mirror the usual wire transfer authorization protocols, hijack a relevant email account and send the request to the appropriate person in finance to transmit the funds. As well as the CFO, this might be anyone in accounts who is authorized to transfer funds.
HR: Human Resources represents a wonderfully open highway into the modern enterprise. After all, it has access to every person in the organization, manages the employee database and is in charge of recruitment. As such, a major function is to open résumés from thousands of potential applicants. All the cybercriminals need to do is include spyware inside a résumé and they can surreptitiously begin their early data gathering activities. In addition, W-2 and PII scams have become more commonplace. HR receives requests from spoofed emails and ends up sending employee information such as social security numbers and employee email addresses to criminal organizations.
Executive Team: Every member of the executive team can be considered a high-value target. Many possess some kind of financial authority. If their email accounts are hacked, it generally provides cybercriminals access to all kinds of confidential information, not to mention intelligence on the type of deals that may be ongoing. Thus executive accounts must receive particular attention from a security perspective.
IT: The IT manager and IT personnel with authority over access controls, password management, and email accounts are further high-value targets. If their credentials are compromised, the attackers gain entry to every part of the organization.
Board Oversight and Fiduciary Duty
Virus and malware defense has long been viewed as a purely IT problem. Even though some organizations appoint Chief Information Security Officers (CISOs), the fact remains that information security is often viewed as a challenge that lies well below the board or C-level attention.
However, the events of recent years have highlighted the danger of this viewpoint. With the FBI warning corporations that they are at risk and so many high-proﬁle victims in the news, organizations, led by their CEO, must integrate cyber risk management into day-to-day operations. Additionally, companies must take reasonable measures to prevent cyber-incidents and mitigate the impact of inevitable breaches.
The concept of acting “reasonably” is used in many state and federal laws in the United States, Australia, and other countries. Blaming something on IT or a member of staff is no defense. CEOs are responsible for restoring normal operations after a data breach and ensuring that company assets and the company’s reputation are protected. Failure to do so can open the door to legal action.
Let’s put it in these terms. A cyber breach could potentially cause the loss of a bid on a large contract, compromise intellectual property (IP) and cause loss of revenue, to name just a few of the repercussions. That places cybersecurity firmly at the top of the organizational chart, similar to all other forms of corporate risk.
“People are used to having a technology solution [but] social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics.” – Kevin Mitnick
Technology vs. The Human Firewall
Most efforts towards risk mitigation concentrate on technology. Certainly, antivirus, antimalware, intrusion detection/prevention, firewalls, email filters, two-factor authentication, and other technology solutions are vital. Similarly, appropriate backup and disaster recovery (DR) processes must be in place. For example, a 3-2-1 backup strategy (three copies of the data, on two different types of media, with one off site) is a recommended best practice along with testing of the restore function on a regular basis.
However, these technology safeguards must be supported by what is known as the human firewall – an internal staff that is educated on cyber-threats, can spot a phishing email a mile away and won’t fall prey to CEO fraud.
Regardless of how well the defense perimeter is designed, the bad guys will always find a way in. They know that employees are the weakest link in any IT system. The Verizon 2016 Data Breach Investigations Report (DBIR) found human error to be the weakest link based on a study of 100,000 security incidents and 2,260 confirmed data breaches across 82 countries. Thus, cybercriminals continue to rely on phishing and other tricks from the social engineering playbook.
The way to manage this problem is new-school security awareness training. Thousands of organizations are doing this with great results. Stepping users through this training proofs them against falling for social engineering attacks. Establishing a human firewall won’t eliminate breaches entirely, but will reduce them.