FBI Says Over $2 Billion Lost To CEO Email Fraud
Wow. That is an impressive number. As I have talked about before, what the insurance industry calls business email compromise or BEC and what the FBI is calling CEO email fraud is a very lucrative business at $2.3 billion since January 2015.
The way it works is the attacker does a little research on the “mark” – and this is a classic con job, hence the term mark is appropriate – and then sends the mark an email. Could be the head of finance, someone in the wire room, something like that, pretending to be the CEO or CFO and needing a wire. With a little social engineering they get their money from the mark.
And, unlike a check or credit card, it is very difficult to get that money back. Usually, it is transferred out of the target account almost instantly.
Insurance copies, as I have written about, are also starting to push back saying that this is not a cyber breach. The employee willingly wired the money. They will cover it, but it is different policy.
There are many variations on exactly how this works, but the result is the same – someone voluntarily wires money to the bad guy.
There are also well known ways to curb this. In almost all cases, they add some overhead to the process. If your employee is asked to wire money to someone that they do not wire to normally, ask a question. Shouldn’t there be a PO? Or a contract? Walk down the hall and ask the CEO. Require two people to approve the wire. Stuff like that.
Brian reports on a couple of well known phishes – Mattel toys, $3 million, Ubiquiti, $46 million and Scoular, $17 million, among many others. None of these companies will go out of business but it is both embarrassing and expensive.
The best one though, is when the company Phish Me, who makes anti-phishing management software, was attempted to be phished. They, as you might expect, did not fall for the con, but did decide to play with the attacker. That is all documented in the Phish Me article below, so I am not going to repeat it. The article is a wonderful tool to use in training, however.
At this point, organizations need to fortify the payments process. As the bank robber Willy Sutton is reported to have said – that is where the money is.
To do that is pretty simple – one part training, one part process and one part sheer will. There should be a well documented process on how to get money out of your company and based on the particular business model, you should figure out where the soft underbelly is and armor it up.
For those of you who are interested in the details of how these attackers pull these attacks off, I recommend reading the Phish Me article.
For everyone else, this would be a good time to look at your accounting process.
Information for this post came from Krebs On Security and Phish Me.