Bogus emails promising ways to make a quick buck have been around for years (e.g. the Nigerian email scam), but now the criminals’ tactics are improving. We have recently seen a dramatic rise in electronic payment fraud and financial losses that result from tricking the CFO or Controller into setting up a fraudulent wire payment. See the Wall Street Journal article.
A common method hackers are using is to send an email to the Controller, appearing to be from the CEO, with a request to send a wire transfer. This message is typically sent while the CEO is traveling for business or on vacation.
For this example, let’s say the CEO is Jennifer Johansson from Acme Company. The incoming email comes from what looks to be a personal email address (firstname.lastname@example.org) or an address that looks substantially similar to the CEO’s business email address (email@example.com). In both instances, the email is coming from an actual email address, just one that does not belong to Jennifer.
The request is followed by specific wire transfer instructions to pay a vendor, who in some cases is a current vendor of the company. To the Controller, the email and wire instructions look legit, so the payment is made. It may be several days or weeks until it is discovered that either the vendor didn’t exist or that the payment was made to an account that was not your vendor’s. When it is discovered, it becomes a very expensive lesson in cybersecurity.
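One defensive check the scenario above suggests, as an added example that is not from the original post: flag inbound mail whose display name matches an executive but whose sender address is a personal address or a lookalike of the corporate domain, and, when such a message asks for a payment, require out-of-band confirmation. The company domain, executive list and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample data: the company's real domain and its executives.
CORPORATE_DOMAIN = "acmecompany.example"
EXECUTIVES = {"jennifer johansson": "jennifer.johansson@acmecompany.example"}
PAYMENT_KEYWORDS = ("wire", "transfer", "payment")


def edit_distance(a, b):
    """Levenshtein distance; a small distance to the corporate domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_message(from_header, subject, body):
    """Return a list of risk reasons; an empty list means no CEO-fraud indicators were found."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = re.sub(r"\s+", " ", display).strip().lower()
    reasons = []
    # Executive's name in the display field, but not the address we have on file for them.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' matches an executive but sender is {addr}")
    # Sender domain is not ours but differs from ours by only a character or two.
    if domain and domain != CORPORATE_DOMAIN and edit_distance(domain, CORPORATE_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain} (close to {CORPORATE_DOMAIN})")
    # A suspicious sender asking for money is exactly the case for out-of-band verification.
    text = f"{subject} {body}".lower()
    if reasons and any(k in text for k in PAYMENT_KEYWORDS):
        reasons.append("payment request from suspicious sender: confirm by phone or text, not email")
    return reasons


# Constructed sample messages: a legitimate one, a personal-address impostor, a lookalike domain.
SAMPLES = [
    ("Jennifer Johansson <jennifer.johansson@acmecompany.example>", "Q3 numbers", "Please send the Q3 report."),
    ("Jennifer Johansson <jjohansson.personal@webmail.example>", "Urgent wire", "I am traveling; please wire the vendor below today."),
    ("Jennifer Johansson <jennifer.johansson@acme-company.example>", "Vendor payment", "Process the attached wire transfer instructions."),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", assess_message(*sample) or ["no indicators"])
```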
So what can businesses do to avoid this type of an attack?
Train your employees – Conduct formal cybersecurity training for your employees on how to protect themselves and your business. See Stay Safe Online for ideas.
Don’t broadcast your travel schedule – Executives, and especially CEOs, should not use an automatic “out of office” reply for messages coming from outside the company. Hackers can use an initial broadcast spam email as a reconnaissance tool to find people who are out of the office and target them for an attack. Also, travel information should not be shared on social media channels.
Authenticate payment requests – Set up policies and procedures internally that prohibit making payments without a secondary authentication made through a different communication method, or “out-of-band”. In this case, the Controller should have either spoken with the CEO or used a text message to authenticate that request. Because the request was sent via email, an email response to authenticate would not be acceptable.
Talk to your bank about enhanced security features – Your bank should be able to recommend options to reduce risk. One common method is to set up dual controls so that one person can set up the payment request, but another needs to approve it before it is processed.
Spear-phishing attacks like this are targeted at specific individuals and rely on knowledge of the organization (e.g. the CEO’s vacation schedule and vendors), which makes them more effective than the traditional “smash and grab” phishing schemes. I have spoken with businesses in a variety of vertical markets ranging from manufacturing to non-profits that have experienced this type of an attack.
All businesses should be on high alert and consider the preventative methods suggested above, especially employee training. This would also be a good time to have a conversation with your business insurance agent about the cybersecurity coverage for first party and third party damages.
Jeff Olejnik will present at Venture Bank's seminar Are You Protected? What You Need to Know About Cyber Security, on Thursday, September 24, 2015. For more information, or to register, click here.
About the Authors
Jeff Olejnik and Paul Johnson are both highly experienced IT security services professionals with extensive experience in the industry. They work with clients to assess, improve, and test the security of their information systems. For more information about improving security or to schedule your cybersecurity assessment or HIPAA/HITRUST assessment, please contact Jeff at 952.230.6488 or firstname.lastname@example.org or Paul at 651.766.2895 or email@example.com.
About Wipfli LLP
With associates and offices across the United States, Wipfli ranks among the top accounting and consulting firms in the nation. The firm’s associates have the expertise, skills, and experience to advise in areas from assurance and accounting to tax and consulting services. In addition, through the firm’s membership in PKF North America, Wipfli can draw upon the resources of firms in over 100 countries from around the world. For more information, visit www.wipfli.com.