The summer of 2015 was a memorable one for the California-based company Ubiquiti Networks, though not for a happy reason. That is when a single reply to a cyber scam cost the company over $40 million. The scam they fell victim to was CEO Fraud, also known as Business Email Compromise (BEC). It started a few months earlier, when a Ubiquiti accountant took the action a phishing email asked for. The hacker then installed malware on the accountant’s computer, which allowed him to monitor the employee’s email for months. When the hackers judged the moment was right, they sent another email to the accountant, this time impersonating the CEO. Posing as the CEO, the hacker told the employee to wire $47 million to a particular bank. As soon as the accountant sent the money, the hackers withdrew it. In the end, Ubiquiti was able to recover only $8.1 million of the loss.
Before you send that wire transfer your CEO told you to make, you should understand the signs of BEC, and ways you can protect against CEO Fraud.
How to Detect CEO Fraud
Unlike other email scams, CEO Fraud requires a particular type of victim. Most hackers choose small to medium-sized businesses that frequently use wire transfers. Hackers also target financial executives, because they know the company’s financial situation and have the authority to send money.
This type of email scam is also highly deceptive because the hackers get to know the organization before they decide how to proceed. Usually, a hacker will send phishing emails to several employees on the finance team, hoping one will download the attached document or click the link in the email. However, the scam is not always that easy to detect. They may even send you an Excel document that passes your email’s security checks but appears empty when you open it. If that blank document prompts you to load its content, do not click okay.
Phishing emails, such as the Excel example, are an easy way for scammers to get the user to download malware. This malware allows the hacker to monitor everything, from the victim behind the computer to the information they share through email.
Months will go by, and the hacker will have learned how the company discusses finances over email, including its wire transfer procedures. The hackers may even know when your CEO is out of town on a business trip, which makes your company more vulnerable to the scam. This information lets the hacker craft a highly realistic email impersonating the CEO to trick the employee into taking action. To top it off, hackers will use the industry’s jargon and typical dollar amounts so that nothing in the email looks suspicious.
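The impersonation email described above usually leaves traces in the message headers that the body hides: an executive’s display name over an unfamiliar address, a Reply-To that quietly redirects answers elsewhere, or a sender domain one character off from the real one. The following is an added example (not from this article or from Ubiquiti) of a small screening check a finance team’s mail filter could run; the domain, the executive list and the sample message are hypothetical values constructed for the demonstration.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical values for the defended organisation: its own mail domain and
# the executives whose display names a CEO Fraud email would borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return human-readable reasons why a raw RFC 5322 message looks like CEO fraud."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. The display name belongs to an executive, but the address is not theirs.
    known = EXECUTIVES.get(name.strip())
    if known and addr.lower() != known:
        findings.append(f"display name '{name}' with unexpected sender {addr}")
    # 2. Replies are silently routed to a domain other than the visible sender's.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} differs from From domain {domain}")
    # 3. The sender domain is a near-miss of the company's real domain.
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain}")
    return findings

# Constructed sample message (not real mail) showing all three indicators.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail.example.net
Subject: Urgent request

Please send a confidential wire transfer before end of day.
"""
```

A message that trips any of these checks should be routed to the verbal confirmation step rather than answered, since a convincing body is exactly what the attacker has spent months preparing.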
Ways to Protect Against CEO Fraud
Given how realistic BEC can be, it is best to know a few ways to protect yourself from this ever-growing scam.
- As always, educating your employees is the best way to avoid scams. For CEO Fraud in particular, you want to discuss it with your finance team so they are aware of how common it is. The best way to do this is to sign up for a security training program in which your employees receive simulated malicious emails that test their security awareness.
- Employees should never make a wire transfer without confirming the details with the CEO. To fully protect your organization, document all wire transfer approvals. Every company will have a different documentation process, but for larger wire transfers an old-school verbal confirmation works best.
- You should also use Multi-Factor Authentication (MFA) when making wire transfers. In other words, use several types of authentication, such as fingerprint scanning, one-time passwords, and push notifications, so you can verify the person receiving the transfer.
- Lastly, and most importantly, there should be constant and cautious communication between the CEO and the Finance Department. Many victims of CEO Fraud take a relaxed attitude toward communicating about financial matters; you must instead take precautions when emailing confidential information. Talking in person is sometimes the better choice.
With technology continually advancing, savvier versions of these scams are becoming harder to spot. For optimum cybersecurity, your organization needs to stay on top of the latest scams. If you have more questions about detecting CEO Fraud or protecting yourself from it, contact Total Computer Solutions at 336.632.0860. TCS can help you with a consultation.