Executive impersonation scams are on the rise, costing businesses billions of dollars annually. Businesses of all sizes can be targeted and fall victim to these crimes. Understanding how these crimes are committed, and the numerous variations and vectors of attack, will help reduce the possibility that your organization will fall victim.
Let’s face the facts: executives are a target-rich environment for cybercriminals! Company executives and the employees that provide support are frequently targeted in these scams.
In this crime, the scammers go to great lengths to compromise or spoof company email or use social engineering to assume the identity of the CEO, executive, company attorney or a trusted vendor or customer.
The criminals do their homework to develop a good understanding of the victims’ normal business practices. Statistics indicate that victims in these crimes provide a wide variety of different goods or services and belong to no specific business sector. The criminals might stumble across a compromised business email system through a phishing scam or specifically target a vulnerable business.
The FBI has included this type of crime as a variation of the “Business E-mail Compromise (BEC)” scam. The FBI has defined BEC as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.[1]
The FBI’s Internet Crime Complaint Center (IC3) reports several basic scenarios associated with this crime. In many of these cases, the victim businesses used electronic funds transfer (EFT), ACH transfers or wire transfers as a method of payment. But businesses that made payments with checks were also targeted.
In this most recent scenario, one or more of the victim company’s executives’ email addresses are compromised. Next, an employee within the organization responsible for handling W-2s, payroll or other employee personally identifiable information (PII) is contacted using the executive’s email address. Frequently someone in human resources, payroll, finance or audit is targeted. The request from the “executive” is often an urgent need for payroll or other PII data. This crime has recently ramped up due to tax season and the associated urgency to get taxes completed.
Executive Wire Transfer Request
The next scenario also involves what appears to be the executive as the initiator of the request. The email account of the executive is compromised. The request could be through a hacked or spoofed email address. The criminals often have hacked into the email system and determined the normal business process for EFT transfer. The criminals send the fraudulent executive email to the company employee that normally handles the EFT process requesting the EFT to a customer, vendor or financial institution.
In a variation of the executive wire transfer scam, the executive is targeted with an email that appears to be from a trusted vendor, customer or foreign supplier. The email generally matches prior successful EFTs that have completed in the past. In many cases, faxes or phone calls corresponding to past legitimate requests are also involved.
Executive and Attorney Impersonation
In this scenario the victim business can be contacted via a hacked or spoofed email account, phone call, fax or text message. The email purports to be from a company executive or attorney claiming to be handling a confidential or time-sensitive transaction. The criminal impersonator will concoct a story that the company is in the process of acquiring another company and the issue is time sensitive and confidential.
In some instances the company executive is contacted by what appears to be a known supplier, vendor or customer requesting that the EFT be initiated with a sense of urgency.
Ways to protect your company
- Every business needs strong internal prevention processes and procedures when dealing with all EFT requests. In many cases, a simple direct confirmation phone call would prevent these crimes from occurring.
- All EFT requests should be held for a period of time with strict external verification procedures. Any request for sensitive data or EFT transfers that involves secrecy or quick action should be viewed as suspect.
- Use the “forward” option on suspect email messages instead of “reply” or “reply all”. By forwarding the message to the sender you increase the likelihood that you will use the legitimate email address from your address book and not a spoofed address from the original email.
- Review and restrict information on company websites and social media that provide information on job duties and the hierarchy of the company.
- Beware of supplier account changes and arrange a backup method of authentication early in the relationship away from email to avoid interception by the hacker.
- Always utilize a backup alternative method to authenticate the request and verify prior to sending funds or data.
- Educate employees and provide ongoing security awareness training.
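The “forward, don’t reply” advice above rests on a detail of how mail clients work: a reply goes to whatever address the incoming message supplies (the Reply-To header if present, otherwise From), while a forward to a named person uses the address your own address book holds for that name. The script below is an added example, not code from the article or from CFISA. It parses a raw message and flags the three warning signs the article describes: a known executive’s display name on an address outside the company domain, a Reply-To that would silently redirect a reply, and an urgent request for funds or employee PII. The company domain, the executive address book and both sample messages are constructed for illustration.

```python
"""Flag the BEC warning signs described above in a raw email message.

Added example, not code from the article or from CFISA. The company
domain, the executive address book and the sample messages are constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed address book
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2s?|payroll|wire transfer|eft|ach)\b", re.I)


def parse(raw_message):
    """Parse a raw RFC 5322 message string into an EmailMessage."""
    return Parser(policy=policy.default).parsestr(raw_message)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def reply_target(msg):
    """Address a 'reply' would use: Reply-To if present, otherwise From."""
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    _, from_addr = parseaddr(str(msg.get("From", "")))
    return (reply_addr or from_addr).lower()


def forward_target(msg):
    """Address a 'forward' to the named sender would use: the address book
    entry for the display name, or None if the name is not in the book."""
    name, _ = parseaddr(str(msg.get("From", "")))
    return EXECUTIVES.get(name.strip().lower())


def analyze(raw_message):
    """Return a list of findings (empty when nothing looks suspicious)."""
    msg = parse(raw_message)
    name, from_addr = parseaddr(str(msg.get("From", "")))
    findings = []

    # 1. A known executive's name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and _domain(from_addr) != COMPANY_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' sent from {from_addr}")

    # 2. Replying would not go back to the address shown in From.
    if reply_target(msg) != from_addr.lower():
        findings.append(f"reply-to mismatch: a reply would go to {reply_target(msg)}")

    # 3. Urgency combined with a request for funds or employee PII.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text) and SENSITIVE.search(text):
        findings.append("content: urgent request for funds or employee PII")
    return findings


# Constructed sample: a spoofed W-2 request of the kind described above.
SUSPECT = """\
From: Jane Doe <jane.doe@example-mail.test>
Reply-To: ceo.office@example-mail.test
To: payroll@example.com
Subject: Urgent: W-2s needed today
Content-Type: text/plain; charset=utf-8

Please send me the W-2s for all employees as a PDF. Confidential, I am
in a meeting and cannot take calls.
"""

# Constructed sample: a routine internal message from the real executive.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Lunch next week
Content-Type: text/plain; charset=utf-8

Are you free for lunch on Tuesday?
"""

if __name__ == "__main__":
    for finding in analyze(SUSPECT):
        print(finding)
    msg = parse(SUSPECT)
    print("reply would go to:  ", reply_target(msg))
    print("forward would go to:", forward_target(msg))
    print("benign findings:", analyze(BENIGN))
```

Run against the suspect message, the script reports all three signs and shows that a reply would land at the attacker’s Reply-To address while a forward resolves to the executive’s real internal address. Checks like these belong in mail filtering or an analyst’s triage script; they complement, rather than replace, the out-of-band confirmation call the list above recommends.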
The value of security awareness training
This is another crime where security awareness training can help to reduce risk. Ensuring that all employees are aware of these crimes will help to stop them from happening. Being aware of new crimes and scams in the news is a fundamental part of security awareness training. Ensuring that employees are aware of this scam will greatly reduce the likelihood that your company will be victimized.
The Center for Information Security Awareness, www.CFISA.org has been providing online and in-person security awareness training since 2007. The CFISA security awareness training stresses the importance of educating employees to help reduce company risk and protect against these types of crimes.