December 12, 2018
By: Jerry Horton, Technology Director
I recently read an article about a company that lost $21 million to cybercriminals. This headline may make you envision a basement filled with bad guys in hoodies hammering away at keyboards; or perhaps Tom Cruise descending on a bungee cord to extract records from a high security mainframe. However, the truth is far less glamorous and much more frightening. The theft of these funds was committed in increments with the willing, but unknowing, participation of the company’s CFO and a Managing Director – simply because they were completely fooled by a cybercriminal posing as the CEO.
Anatomy of a Business Email Compromise
In his Nov. 10 blog post, Stu Sjouwerman of KnowBe4, Inc. (Networks Plus’ partner for security awareness and training), gave the following synopsis of the cybercrime:
“Thursday, Mar. 8, the [Managing Director] of a Dutch movie chain gets an email from the CEO of their holding company: "Did KPMG already call you?" The email was sent from a smartphone. The MD forwards the email to their CFO, but both are puzzled. They decide to email back and ask what the issue is.
The answer is a classic CEO Fraud tactic: "We are in a confidential M&A process with a foreign company in Dubai, and any communications can only be done using the personal email address of the CEO. Please transfer the first 900K and this money will be transferred back to you at the end of the month."
An email thread ensues where the MD wants to make sure that the transaction is legit. "No worries", confirms the holding company CEO. Please transfer the first 10% of the acquisition.
Tuesday, Mar. 13 the second transfer gets made: $2.5 million. The two execs wonder what is going on, but decide to comply with the CEO's orders. More transfer requests follow, for higher amounts. Tuesday, Mar. 27 the "last payment" gets made. A total of $21 million dollars has been transferred over two weeks, and they get assured: "Yes, we'll now transfer this money back right away". That was the last thing they heard.
Finally, the HQ wakes up, grabs the phone, and asks about the transfers: "What is going on? What was the money used for?" The penny drops. The two execs have fallen for a CEO Fraud scam…”[i]
Business email compromise or ‘BEC’ is absolutely rampant. The FBI reports that BEC scams have cost businesses $5.3 billion from 2013-16. Trend Micro predicts losses will exceed $9 billion by the end of 2018. How can you avoid being a victim?
BEC – Avoiding the disaster
BEC is a simple tactic using social engineering and phishing to draw out the potential victim. Email addresses are, by their nature, somewhat exposed. Clearly, the CFO and Managing Director in the story above made an error and then further compounded their mistake by not following the two most basic rules of cybersecurity:
STOP. LOOK. THINK.
TRUST NOTHING. VERIFY EVERYTHING.
What do you need to look for?
Here are a few dead giveaways:
- The domain doesn’t match. It is an old cybercriminal trick to use domains that look correct at first glance but are fake. Examples: email@example.com instead of firstname.lastname@example.org.
- The “Reply To” address doesn’t match the “From” address. It is even common for the “From” address to be incorrect – the cybercriminal only changed the displayed name.
- The message contains an urgent or confidential call to action. If you read the content of the message closely, the urgency contains little to no justification for the request being made.
- Payments requested for unusual amounts to routing numbers or accounts that are unfamiliar, or even wire transfers to foreign accounts.
- Requests for payment at the end of the day, before weekends or holidays.
- The email contains an unrequested attachment. Never open an attachment without verifying first!
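The first two giveaways above (a look-alike domain, and a “Reply To” that doesn’t match the “From” or a borrowed display name) are all visible in the message headers, and the urgency cue lives in the subject and body. The script below is an added example, not code from the original post or from Networks Plus or KnowBe4: it parses a raw message with Python’s standard `email` module and reports which of the listed red flags it finds. The trusted domain, the executive directory and both sample messages are constructed for illustration.

```python
"""Header and content checks for the BEC red flags listed above.

Added example; not code from the original post, Networks Plus or KnowBe4.
The trusted domain, executive directory and sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the company's real domain and the executives
# whose names a fraudster is most likely to borrow.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"pat doe": "pat.doe@example.com"}  # hypothetical CEO

URGENCY_WORDS = ("urgent", "confidential", "immediately", "today",
                 "asap", "wire", "transfer")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like(dom: str, trusted: str) -> bool:
    """True for a domain that resembles the trusted one but is not it."""
    if not dom or dom == trusted:
        return False
    if dom.split(".")[0] == trusted.split(".")[0]:  # same name, other TLD
        return True
    return edit_distance(dom, trusted) <= 2  # e.g. one swapped character


def bec_flags(raw: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message (empty = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    flags = []

    from_dom = domain_of(from_addr)
    if looks_like(from_dom, TRUSTED_DOMAIN):
        flags.append(f"lookalike domain: {from_dom}")

    # Reply-To routes answers somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"reply-to mismatch: {reply_addr}")

    # A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display-name impersonation: '{from_name}' <{from_addr}>")

    # Urgent / confidential wording in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = sorted({w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)})
    if hits:
        flags.append("urgent/confidential wording: " + ", ".join(hits))

    # Any attachment at all is worth a look before it is opened.
    if any(True for _ in msg.iter_attachments()):
        flags.append("attachment present")
    return flags


# Constructed sample: a CEO-fraud style message with several red flags.
SAMPLE = """\
From: Pat Doe <pat.doe@examp1e.com>
Reply-To: pat.doe@personal-mail.example.net
To: cfo@example.com
Subject: Confidential - urgent wire transfer
Content-Type: text/plain

We are in a confidential M&A process. Please transfer the first 900K today
and reply only to my personal address.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
CLEAN = """\
From: Pat Doe <pat.doe@example.com>
To: cfo@example.com
Subject: Q4 board deck
Content-Type: text/plain

Here is the draft; comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("SAMPLE", SAMPLE), ("CLEAN", CLEAN)):
        print(label, bec_flags(raw) or ["no red flags"])
```

Run against SAMPLE it reports four flags (look-alike domain, Reply-To mismatch, display-name impersonation, urgent wording); CLEAN reports none. A check like this belongs in the mail gateway or a user-facing banner, and it only shortens the LOOK step; the VERIFY step (a phone call to the real requestor) still has to happen.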
If you looked but are still not certain, verification is of the utmost importance. If you suspect BEC, you don’t want to reply to the email, so speaking directly to the requestor is the best method to verify the request. If that is not possible, verify the request via a known valid email address, not one taken from the suspicious message.
It has been said that building a good offense yields the best defense. While a traditional offensive against cybercriminals is impractical, there are some practices that you can proactively adopt to minimize or prevent BEC.
- Implement a company-wide security education program. The value of this cannot be overstated! Most BEC attacks do not use any technical exploits – just old-fashioned human hacking through social engineering. Education is key to identification, detection, and prevention of BEC and other social engineering attacks.
- Implement an identity management platform with multifactor authentication.
- Create or tighten policies for payments or wire transfers, including a standard time delay, verification by voice, and two-person controls (also known as the two-man rule).
In the modern internet marketplace, cybercriminals are pickpockets preying upon the unsuspecting; however, with education, practical measures, and vigilance, you can help your company avoid becoming a victim.
If you’re interested in a company-wide security education program, contact me. I’d be happy to educate you and your staff on this very important issue.