We were Targeted Twice with this Fiendish Scam

scamThe CEO is in a meeting with staff, one of whom is the company Controller. In the middle of a discussion the Controller apologizes for interrupting the speaker, turns to the CEO and says "Should I make this wire transfer now or wait until the meeting is over?" That was our introduction to the BEC scam.

The CEO had not sent the email to the Controller requesting an immediate wire transfer of funds.

You may have heard of the Business Email Compromise scam. It has netted over 3.1 BILLION dollars in reported losses by companies in all 50 states, and over 100 countries. Victims are companies large and small, from numerous sectors, and number around 23,000. They have been hit for amounts ranging from thousands to $46.7 million in the case of Ubiquity.

The scam takes many forms. Frequently someone in the company with the necessary authority, gets an email from the boss telling them to make a transfer of funds. For example, the CFO gets an email from what appears to be the CEO but is actually a spoofed email account.

Other criminals pose as a foreign supplier with whom the business has a legitimate relationship. The "supplier" requests payment for outstanding invoices to be paid to a new bank account. 

The scam, in whatever scenario, works because the scammers use personal, social, or insider information to lend credibility to the requests. Trolling LinkedIn looking for people in finance roles who just started at a new company returns a bounty of prospective victims. Knowing when C level execs are travelling out of the country garners best success opportunities.

More sophisticated criminals hack email accounts of high level execs. Reading through the emails provides account numbers, names of people who normally perform the tasks, protocols, and more. It is common to use urgency and confidentiality when making requests. Pressured by the "President" to transfer money immediately, an accountant is given no opportunity to sit back and think if the events were extraordinary. Being told not to discuss the matter with anyone else ensures the criminals can take receipt of the money and close the account before the employee reconsiders his actions.

As the scam evolves we are seeing a new twist - one that targets PII. In this version the fraudulent email request goes to HR or bookkeeping. The criminals ask for copies of all W-2s or other forms of Personally Identifiable Information. When the employee hands it over the identity theft begins. What will the penalties be for this sort of data breach?

Whatever the form the scam takes, success relies on a human being duped. It's not high tech, and it's not something to be prevented by installing software. There is no Anti-Human-Duping app.

Implement two factor authentication, and best of all require face to face or phone communication, in order to initiate funds transfers - NEVER rely only on an email. Educate employees and train them to follow protocols, and be wary of any requests involving money that stress secrecy or urgency.  And do it right away - this scam often targets newly hired personnel. Don't focus only on the financial department since the theft of PII is another successful use of the scam. Read more about variations on the scam, and learn how to protect against it here

Would we have fallen victim if our CEO was travelling in Japan rather than sitting in the meeting with the Controller when the fraudulent email arrived? We like to think not, but who knows. Many months later the original Controller moved, and mere days after the new one started, SHE got fraudulent instructions to transfer funds.

The scammers never rest.