CEO Fraud and Business Email Compromises

On April 4, 2016, the Federal Bureau of Investigation issued a warning of a “dramatic rise” in business email compromises (BECs) and CEO frauds. The following summarizes Berkeley Research Group’s Global Investigations + Strategic Intelligence practice’s view of this growing fraud and provides actionable intelligence for alerting employees and practical tips to avoid becoming a victim.

How the BEC and CEO Frauds Work

The BEC and CEO frauds are targeted phishing schemes in which the recipient receives what appears to be a legitimate request for payment or a money transfer in an email from a colleague, vendor, or other trusted third party. These email requests generally take one of two forms: (a) an email that appears to come from the CEO or someone else in a trusted position, seeking a wire transfer to consummate a deal or for some other business purpose, which the employee, without verification, wires as instructed (to the cybercriminal’s account); or (b) an email that appears to come from a legitimate company vendor, with an attached invoice seeking payment, which is then paid (to the cybercriminal’s account).

These types of frauds are unique for a number of reasons. Foremost, they are directed, as opposed to blasted, so organizations’ spam filters generally will not catch them. Cybercriminals scour the Internet for email addresses of key employees, the identities of vendors, and other posted information to assist them with these targeted frauds. In addition, the perpetrators frequently follow social engineering-type emails disguised as real business emails with attachments posing as invoices, purchase orders, or other “business attachments,” which are actually executable files that may grab the recipient’s cached browser information, log the user’s keystrokes, or run other nefarious code.

The Dramatic Rise in the Fraud

In a prior release, the FBI had warned of the increased prevalence of these types of frauds. In January 2015, it had reported that between October 2013 and December 2014, 1,198 companies lost approximately $1.8 million due to the CEO fraud. Today, the FBI reports that between October 2013 and February 2016, there were 17,642 reports from victims of one form or another of the CEO fraud. The financial losses experienced by the victims during that time period were in excess of $2.3 billion. The FBI’s data also indicates a 270 percent increase in the incidence of this fraud since January 2015. The average dollar loss per BEC or CEO fraud compromise is $130,000. In short, the various frauds have been proven successful, and organizations need to train their employees to spot and thwart these frauds.

Avoid Becoming a Statistic

BRG’s Global Investigations + Strategic Intelligence practice offers the following suggestions on how to safeguard your organization and avoid becoming part of 2016’s victim statistics.

  • Spot the Fraudulent Emails
    • Scrutinize the emails. Many contain misspelled words or missing punctuation and appear to be hastily written.
    • Study the return email addresses in the email’s header. Cybercriminals frequently register domain names that are nearly but not exactly identical to their intended target’s domain. For example, an executive at a company whose email address is Joe@ABCDE.com may be spoofed by the fraudster as Joe@ABGDE.com, switching the “C” for a “G” in the return or “reply-to” address.
    • Highlight the return address with your cursor and right-click to see the exact return email address.
  • Authenticate the Request
    • Instead of hitting “reply,” forward the email to the colleague who appears to have sent you the request to verify the contents and the request.
    • Confirm the business transaction using an alternative, but previously verified, form of communication, such as a text or telephone call.
    • With regard to vendors’ requests for payment, always confirm by telephone any changes to payment or wiring instructions received by email.
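The header checks described above (a reply-to domain that differs from the sender’s domain, and a domain that is one character away from a domain you actually do business with) can be automated so that a mail gateway or a finance mailbox rule flags a message before anyone acts on it. The following Python script is an added example and is not BRG’s or the FBI’s code; the trusted-domain list, the sample messages, and the edit-distance threshold are all constructed assumptions for illustration.

```python
"""Flag payment-request emails whose sender or reply-to domain looks like,
but is not, a domain the organization actually corresponds with.
Added example (not from the original article); all data below is constructed."""
import email
from email import policy
from email.utils import parseaddr

# Assumption: domains the organization has previously verified. A real
# deployment would load this from the vendor master file or the directory.
TRUSTED_DOMAINS = {"abcde.com", "acmevendor.com"}

# Character substitutions commonly used in look-alike domain registrations.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Maximum edit distance at which a domain is treated as a look-alike.
# Kept small so that genuinely unrelated domains are not flagged.
MAX_EDITS = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and undo common confusable substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def domain_of(header_value) -> str:
    """Extract the bare domain from a From/Reply-To header value ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def assess_sender(raw_message: str) -> dict:
    """Return the sender/reply-to domains and a list of findings for one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    # A missing Reply-To means replies go back to the From address.
    reply_domain = domain_of(msg["Reply-To"]) or from_domain

    findings = []
    for candidate, label in ((from_domain, "From"), (reply_domain, "Reply-To")):
        if candidate in TRUSTED_DOMAINS:
            continue  # exact match with a verified domain: nothing to flag
        for trusted in TRUSTED_DOMAINS:
            if normalize(candidate) == trusted or levenshtein(candidate, trusted) <= MAX_EDITS:
                findings.append(f"{label} domain {candidate!r} resembles trusted domain {trusted!r}")
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample: the From header is the real executive, the Reply-To is the
# one-letter look-alike domain from the article, so replies go to the fraudster.
SAMPLE_BEC = """From: Joe Executive <Joe@ABCDE.com>
Reply-To: Joe Executive <Joe@ABGDE.com>
To: controller@abcde.com
Subject: Wire needed today

Please process the attached wire instructions before close of business.
"""

# Constructed sample: a routine internal message with no Reply-To header.
SAMPLE_LEGIT = """From: Joe Executive <Joe@ABCDE.com>
To: controller@abcde.com
Subject: Budget meeting

Can we move Thursday's review to 3pm?
"""

if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        result = assess_sender(sample)
        print(name, "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

A flag from this check is a prompt to authenticate the request out of band, as the list above recommends, not proof of fraud: short domains can sit within two edits of each other legitimately, so the threshold and the trusted list should be tuned to the organization’s own correspondents.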

Minimizing Loss

If you believe your organization has been a victim of this type of fraud, you should:

  • Contact your financial institutions immediately and provide them with all of the salient information
  • Ask your financial institution(s) to quickly reach out to the financial institution(s) to which the fraudulent payment was sent
  • File a formal complaint with the Internet Crime Complaint Center (IC3)

Educate Your Organization

It is critically important to keep your organization up to date on these and other evolving scams. A number of online resources provide information on new cyber fraud methodologies, including the “press room” at IC3. Educate your employees on the tactics by providing training on spotting and defeating these frauds, and continuously remind employees by email, messages on the company intranet, and periodic testing of employees with simulated phishing attempts. Reinforcing the seriousness of the potential frauds, and the expectation that employees carefully scrutinize Internet requests for payments or wires, will go a long way toward keeping your organization off the FBI’s 2016 list of financial losses.

BRG Contacts

Please reach out to us with any questions or to discuss a potential matter:

Allen D. Applbaum
Global Leader
Global Investigations + Strategic Intelligence
aapplbaum@thinkbrg.com
646.205.9398

Thomas Brown
Global Leader
Cyber Security & Investigations
tbrown@thinkbrg.com
646.862.0979

Adam Cohen
Managing Director
Global Investigations + Strategic Intelligence
acohen@thinkbrg.com
646.369.0431

David Holley
Managing Director
Global Investigations + Strategic Intelligence
dholley@thinkbrg.com
617.925.4003

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.
