CEO Fraud. Business Email Compromise. Spear phishing. Wire Fraud. Pretexting.
These cyberattacks go by a variety of names and may use a wide range of tactics, but they all come down to one thing: a malicious outsider pretends to be a legitimate boss in order to trick an unsuspecting employee into doing something they shouldn’t.
Last year the scam cost U.S. businesses $1.7 billion.
The most widespread example of the attack is when an outsider spoofs the sender line and signature of an organization’s CEO and instructs a staffer to wire funds into an account.
Successful attackers do plenty of homework. They’ll research the identities of your CEO and someone from the finance or accounting department—information that’s often available from the “Our Staff” page on your website, or perhaps on LinkedIn. Once they’ve set up an email account in the boss’s name, they send an urgent email with all the necessary banking info (account and ABA numbers, SWIFT codes, etc.).
To seem legit and preempt suspicion, the scammer will often reference information that seems to reflect insider knowledge. This isn’t hard to do. If I read about a new acquisition or program related to your organization on your “In the News” or “Press Releases” page, I can throw that into the email. “Ran into a snag with the Tischler project. Need to wire $68,700 as follows….”
Sometimes the request calls for the transfer of information, not funds. (“We’re talking to a new benefits company. Need you to send W-2 info to Sharon, who’s copied here, ahead of our 2 PM meeting today.”) Sometimes the request comes from an executive other than the president. Sometimes the directive comes via text message rather than an email.
But you defend against all these cyberattacks the same way:
- Build complex, multi-step processes around the transfer of funds or sensitive information.
- Require more than one manager in the approval chain.
- Verify all such directives verbally.
- Utilize multi-factor authentication solutions for all such transactions.
- Partner with a security-minded third party (like I.T. Solutions of South Florida) to raise the cyber awareness of your people. We have educational programs that go to the heart of this vulnerability.
- Finally, if an email surprises you, trust your gut. Hover your mouse over the sender’s name to see whether the request came from within your organization. And even if it seems to, pick up the phone and verify.
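The last item above, checking whether the sender really is who the display name claims, is the kind of check a mail gateway or help-desk script can automate. The following is an added example, not code from the original post or from I.T. Solutions of South Florida; the organization domain `example.com`, the executive directory, and both sample messages are constructed for illustration. It parses the raw headers, then flags an external sender domain, a display name that matches an executive but an address that does not, a Reply-To that differs from From, and the urgency/money vocabulary the post describes.

```python
"""Flag executive-impersonation signals in an email's headers and text."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organization domain (constructed)
# Assumed directory of executives: display name -> legitimate address (constructed)
EXECUTIVES = {"pat rivera": "pat.rivera@example.com"}
# Vocabulary typical of the wire/W-2 requests described in the post
RISKY_TERMS = ("wire", "urgent", "w-2", "swift", "aba", "account number")

# Constructed sample: a look-alike "CEO" mailbox on a free provider
SPOOFED = """\
From: "Pat Rivera" <pat.rivera.ceo@gmail.com>
Reply-To: pat.rivera.ceo@outlook.com
To: finance@example.com
Subject: Urgent wire

Ran into a snag with the Tischler project. Need to wire $68,700 as follows.
"""

# Constructed sample: a routine internal message that should raise nothing
CLEAN = """\
From: "Pat Rivera" <pat.rivera@example.com>
To: finance@example.com
Subject: Lunch on Thursday

Can we move the budget lunch to noon?
"""


def _domain(addr):
    """Return the lowercase domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def findings_for(raw):
    """Return a list of human-readable warnings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # 1. Sender address is not on the organization's own domain
    from_domain = _domain(addr)
    if from_domain and from_domain != ORG_DOMAIN:
        findings.append("external sender domain: " + from_domain)

    # 2. Display name matches an executive, but the address is not theirs
    legit = EXECUTIVES.get(name.strip().lower())
    if legit and addr.lower() != legit:
        findings.append("display name %r but address %s (expected %s)"
                        % (name, addr, legit))

    # 3. Replies would go somewhere other than the visible sender
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("Reply-To differs from From: " + reply_to)

    # 4. Urgency / money-movement vocabulary in subject or body
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + "\n" + body.decode("utf-8", "replace")).lower()
    hits = [t for t in RISKY_TERMS if t in text]
    if hits:
        findings.append("risky terms: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, findings_for(sample))
```

None of these signals proves fraud on its own; the point is that a message scoring on several of them is exactly the one that should trigger the phone call the post recommends, regardless of how plausible the text reads.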
It’s an expensive mistake, and it’s awfully hard to undo it.